Someone did. The first monitoring report showed crooks opened accounts in his name at Macy’s and Kohl’s department stores, where they racked up more than $7,000 in charges. “My heart basically sank,” he said. Over the next seven months the New York City resident spent hours on the phone, most of a day in a police station filing a report, and countless time sending documents to banks and credit reporting agencies to clear his credit history.
He’s hardly alone. The Target hack during last year’s Black Friday shopping weekend was just one in a wave of data breaches that have exposed more than 100 million customer records at U.S. retailers, banks and Internet companies. The latest high-profile hack, at Sony Pictures Entertainment, resulted in Social Security numbers and other personal details of nearly 50,000 current and former Sony employees and film actors being stolen and posted online for anyone to see. While cases are difficult to trace, analysts at Javelin Strategy & Research estimate that one in three Americans affected by a data breach ultimately became the victim of fraud last year – up from one in nine in 2010.
Although banks often absorb bogus charges, it’s up to victims to clean up their credit histories and recover stolen funds. On top of lost time, money and emotional energy, victims face the frustration of rarely seeing anyone pay for the crimes. Identity theft cases are rarely prosecuted, said Avivah Litan, an analyst who studies fraud and identity theft for the research firm Gartner. Local police have limited resources, and criminals are often overseas, “so unless it’s part of a bigger pattern, they’re not going to spend much time pursuing it.” Kim said a police detective who took his complaint later told him the accounts were opened by someone in California, but Kim never heard any more about the investigation.
In the past year, Target and other major retailers have said they’re increasing security. President Obama has urged banks and stores to speed up adoption of “chip-and-pin” payment cards, which are harder to hack. But reports of data breaches continue. And as Federal Trade Commission member Terrell McSweeney said recently, “Disturbingly, the news has seemed to desensitize many people to the real risks created each time an event occurs.”
Kim can’t be certain Target was the source of the fraud he experienced, he acknowledged. Experts say crooks often steal or buy consumer information from more than one source, and use it to compile a complete dossier on potential victims. That’s likely the way hackers last year impersonated the rich and famous to get credit reports on Paris Hilton, Michelle Obama and even Gen. Keith Alexander, then-head of the National Security Agency.
Alexander told a public forum this fall that when he tried to file his taxes, he learned someone else had already claimed a $9,000 refund in his name. Fraudsters also used his identity to apply for about 20 credit cards. The FBI eventually caught a suspect, he said; the FBI declined comment.
Meticulous by nature, Kim documented every conversation with an investigator or company representative. He was fortunate, he added, that his employer let him use the phone and fax machine where he works. “If I worked at a stricter company, it would have been a nightmare,” he said. But Kim was never reimbursed for sending affidavits and other documents by certified mail to various banks and agencies.
While identity theft is certainly a global problem, experts say it’s difficult to measure worldwide losses. However, a Department of Justice study estimates identity theft of all kinds was responsible for U.S. financial losses of $24.7 billion in 2012 – nearly double the $14 billion lost from all other property crimes such as burglary and theft. According to Javelin surveys in the U.S., when an existing credit card is exposed and then used for fraud, the average loss is $1,251. When a social security number is exposed, then used to open new accounts, the average loss is $2,330.
Banks take the biggest financial hit, but identity theft victims’ out-of-pocket losses can range from an average of $63 for misuse of credit cards to $289 for fraud involving social security numbers. Of course that doesn’t quantify lost time and stress.