The Checkout

Is Identity Theft Decreasing?

I was somewhat relieved when I saw a headline the other day proclaiming that a comprehensive study had shown identity theft was in steady decline. After all, no matter how careful you are about shredding, installing firewalls on your home computer or using different passwords, in the end there's little you can do to stop rings of overseas hackers or the loss of a government or company laptop that happens to have the personal information of millions of people on it.

Alas, the study in question, a telephone survey of 5,000 people by Javelin Strategy & Research, and sponsored by Visa, Wells Fargo and CheckFree, has some potential flaws that undermine some of its major conclusions.

To sum up those conclusions:

* 500,000 fewer people said they were victims of identity theft, with 3.7 percent of people saying they were victims in the previous 12 months, compared with 4.7 in 2003.

* Losses due to identity theft fraud are down in the U.S. by an estimated 12 percent compared with last year to $49.3 billion, from $55.7 billion.

* Young adults are at greatest risk of identity fraud because they're less likely to take precautions such as shredding mail or other documents with personal info.

* Lower-income Americans are least likely to be victims of identity fraud, with only 2.8 percent reporting cases, while Americans with incomes of $150,000 per year are the "most likely" to be victimized with 7.3 percent reporting abuses.

Now this last item had me scratching my head. How can a group of people be the "most likely" to be anything if only 7.3 percent of them say so?

There are other issues like this with the report, which in full disclosure, I must say I didn't review in its entirety because it costs $2500 a pop. However, others have taken it to task, just as they did a previous Javelin study that found roughly half of identity theft victims personally knew the perpetrators. The most thorough and convincing dissection of the study and Javelin's other work was done by Chris Hoofnagle of the Electronic Privacy Information Center.

Here are some bones Chris has to pick with Javelin:

* The new study doesn't take into account "synthetic identity fraud" where identities are created using pieces of many people's personal info. According to ID Analytics, in 2003, 88 percent of fraudulent new accounts were opened using synthetic identities. Only 26 percent of identity fraud losses were attributed to straight up, traditional identity theft.

* Identity theft is not necessarily a crime committed by people you know. Hoofnagle cites a study of 1,037 verified instances of identity theft, which found that 47 percent of imposters stole information from individuals by stealing mail and trash, purse snatching, and stealing information from friends and relatives, while 51 percent of impostors obtained information by stealing it from businesses. Even the Federal Trade Commission took issue with a Wall Street Journal story titled "Culprit is likely friend or relative" that relied on Javelin research, saying it was misleading because 74 percent of people surveyed said they didn't know who had stolen their identity.

* Finally, Chris takes issue with Javelin extrapolating the responses of a minority to the entire population.

Why does any of this matter? The concern among privacy watchdogs seems to be that the report will be taken as proof that businesses are doing an adequate job of protecting consumers' personal info and that the onus is on consumers to do a better job of protecting themselves. Their biggest point is that businesses remain the major source of personal consumer info for identity thieves and no amount of shredding and paid monitoring services can make up for the need to hold companies accountable for data breaches. It's an argument they're likely to make with House Financial Services Committee Chairman Barney Frank (D-Mass.), who is talking about exempting companies from disclosing data breaches so long as they secure data with encryption or other technology.

What do you say? Should businesses be required do more to protect their customers' personal information?

By Annys Shin |  February 6, 2007; 10:00 AM ET Privacy
Previous: Payday Lending & the Military: Part 2 | Next: Teaching Your Kids About Money


Please email us to report offensive comments.

Businesses AND consumers need to do more to protect consumers information.

One thing Annys didn't mention is "Social Engineering" and the way it is used to gain access to your personal information. This is the number one reason people fall victim to identity theft.
This is a consumer problem, not a business problem.

Giving up information on yourself to someone who sounds legitimate is a problem that needs to be addressed now. HP was cited for using a common social engineering tactic called "pretexting" to gather personal information on the companies' board of directors. Social engineers use this no unsuspecting consumers everyday to get what they want.

I recommend reading the book The Art Of Deception, written by one of the most notorious hackers/social engineers in the world. Then maybe consumers will understand that the first line of security in identity theft is the consumer themselves.

Posted by: Radioactive Sushi | February 6, 2007 11:52 AM

"How can a group of people be the "most likely" to be anything if only 7.3 percent of them say so?"

There's nothing contradictory in this statement; it just says that some groups have higher probabilities than others; it does not purport to say that any group IS likely, just that some are MORE likely.

Posted by: Anonymous | February 6, 2007 1:43 PM

It is truly a shame that the financial services, credit monitoring and other related industries seek to address the problem of identity theft by convincing us it is our fault. If they spent that money upgrading the security of their information databases, lobbying for better protections on doctors offices and other businesses that hold personal information, and implementing better credit screening and fraud monitoring, the problem would be solved. Indeed, if the federal government would devote real prosecution resources to the problem...

Guess I'm just too stupid since I am a consumer. Better go by a big screen LCD on instant credit and watch all their tv ads instead.

Posted by: Here we go again | February 6, 2007 4:01 PM

The REAL problem are the institutions that mine our data and do not guard it- whether they are government or civilian. Within a year my personal info was compromised 3 times! Once from the VA, once from Bank of America when they lost a ton of service members info for the govt travel cards we all had to have, and another because someone hacked the personnel database! The government makes it so hard to dispute with these agencies, and with themselves. See my rant about the credit bureau that still listed me as living in my college dorm and employed on campus despite multiple moves and significant increases in income.
Today I found out my tax filing was rejected because the social security administration put a bogus birthday on my record back in 1986 for no reason. I went into the office with my certified birth certificate, my passport, and my military ID and they told me it would take 60 days because they had to send all the info off for verification to vital statistics who had to send them a certified copy. The guy could not explain the change, my original b-day is still there he said, but this unexplicible change in 1986 trumped it and he could not change it in the system. Meanwhile, I can not get my refund- despite having always gotten it in the past, having obtained a Top Secret clearance, despite having done any number of things that require a correct birthday on file... They just do not properly take care of our records! When I finally got done with the run-around speak the guy behind the counter gave me along with a copy of the paper he was going to mail, I noticed he misspelled my name. I told him and he asked me how to spell it, despite me having legibly printed it at least 3 times on all the forms he had just read and inputed into the computer. It takes an act of congress to fix the simplest and most obvious of errors, but no such protection or safeguards exist to prevent the errors or exploitation of our personal information.

Posted by: Chris | February 6, 2007 4:35 PM

Annys, yes, I guess the results depend on who is paying for the report.. Another company MPI offered their data collected from their actual clients and the released data actually painted a way grimmer picture. Please see the release below:

MyPublicInfo Releases Latest Data on Identity Security Breaches
Tuesday January 16, 12:01 pm ET

Data Survey of 26,000 Subscribers to Innovative Identity Scoring Engine Yields Shocking Results

ARLINGTON, VA--(MARKET WIRE)--Jan 16, 2007 -- MyPublicInfo, Inc. (, the leading expert in identity scoring and an innovative provider of identity theft protection services and monitoring solutions for consumers, today released data on potential identity theft threats. Subscribers of IdentitySweep, MyPublicInfo's cutting-edge identity protection and identity scoring technology, found many instances of their personal information openly available on the Web, such as home addresses, phone numbers, and personal e-mail accounts. Many subscribers were horrified to find their entire credit card numbers and Social Security numbers viewable online. MyPublicInfo, Inc. conducted research on data from 26,000 subscribers. A staggering 72% had their full address disclosed online, while 49% found their name and phone number on the Internet. 30% of IdentitySweep subscribers found their e-mail addresses in one or several locations online. 1.5% discovered that their credit card number was exposed, and 9% of the surveyed groups were horrified to find their Social Security number had some evidence of possible manipulation or misuse.

"The outcome of this survey confirms our worst fears. We believe that consumers need to proactively manage their identity to avert identity crimes and crises," explained identity scoring expert Dr. Harold Kraft, CEO and founder of MyPublicInfo. "We knew there was a gap in consumer identity protection that needed to be addressed. Electronic identity theft scams have attained a very high level of sophistication that cannot be cured by pulling a credit report once or twice a year. With IdentitySweep, our clients have their backs covered online, 24/7."

IdentitySweep protects consumer identities in three innovative ways:

1. IdentitySweep includes a leading-edge identity fraud detection technology that scans billions of public records for suspicious activity associated with identity fraud, including attempts to create a synthetic identity, such as combining one person's name with another person's Social Security number. The service analyzes the suspicious activity to provide an identity score, similar to a "risk score," that indicates how much and for how long a consumer's identity has been compromised.

2. IdentitySweep searches Internet newsgroups, search engines, blogs and hundreds of thousands of chat rooms and Web sites looking for personal and financial information. It instantly notifies consumers by e-mail of any suspicious activity related to their personal information before the consumer is victimized. This technology works much faster than a typical credit fraud and credit report monitoring services, which can only alert a consumer after they become a victim.

3. IdentitySweep scans the online directories that list a consumer's information and requests removal of that information to prevent abuse by telemarketers and identity thieves.

For more information on IdentitySweep, please visit

About MyPublicInfo

MyPublicInfo, Inc. was founded in Arlington, Virginia in 2004 and is the leading provider of consumer identity scoring and identity management services. MyPublicInfo sells the most comprehensive consumer products available through and, partner web sites, and other marketing channels. For more information or orders, please go to

# # #

Posted by: Xenia von Wedel | February 6, 2007 6:24 PM

Your reasoning is fraught with error. First, your citation of the research stat simply shows that you lack familiarity with the most basic of statistical methods. Second, on the comment "The most thorough and convincing dissection of the study and Javelin's other work was done by Chris Hoofnagle" (!), Hoofnagle quotes data from a technology vendor whose own study was not as rigorous as the one you choose to dismiss, and who has a bias to sell their own products. Your source goes on to then make the same mistake you do: that of failing to comprehend the most rudimentary, time-tested research methods while making statements replete with support such as "seems to be..." and other "he-said, she-said" lines of thinking.

Come now Annys, surely this is not the best reasoning that the Washington Post has to offer!

Posted by: Anonymous | February 6, 2007 6:56 PM

Sounds like Chris is a bit bitter for having some problems that mostly relate to human error and not identity theft.

The Government Bank of America credit card information was not a case of "Chris's" identity being stolen. It was a credit card number with his name on it being used, but it was not tied to his credit. It was a government credit card, paid by the government and has nothing to do with or does not affect his personal credit. I know, because I have one and I manage the program where I work.

Second, many of his complaints see to stem from information validation not identity theft. Sound more like a comedy of errors that he it trying to blame on identity theft.

For the record Chris, identity theft is when someone assumes your identity to use it for their personal gain. Not typos or bad inputted information.

Posted by: Frank | February 7, 2007 8:07 AM

Frank, I NEVER said I had a case of identity theft so do not patronize me! Instead, learn to read. I am troubled that you manage the gov't card system where you are, which in fact DOES reflect on a user's credit if you bothered to read the fine print. I will never forget having paid the balance on my govt card, not getting a statement, then getting a letter saying they were reporting me. I was saying that mishandling of information, and failure to protect it can result in an increased risk of identity theft. If you had bothered to read the first two sentences of what I posted rather than being so eager to launch some kind of lame attack, you would know that. Yes, I have experienced what you term a comedy of errors- but as most studies seem to indicate, human error and lapses in judgement such as taking the laptop with everyone's private info home, are huge threats that would be simply avoided if only common sense would prevail... Unfortunately, Frank, in a world where people who manage govt travel cards jump to conclusions without bothering to read, that is unlikely to happen. Have a nice day you patronizing person, you. ROFLMAO.

Posted by: Chris | February 7, 2007 8:25 AM

For the record. LMAO!

Posted by: Chris | February 7, 2007 8:29 AM

Need a tissue Chris? Sounds like a lot of crying going on to me. Let's blame everybody else for your problems. It easier that way, huh?

Posted by: Frank | February 7, 2007 8:54 AM

Decreasing? Hardly, and what's worse is that it's still a fledging industry!

Put that together with the fact that there are still many people who should know better that don't safeguard data; and the undeveloped potential is enormous.

Posted by: DC | February 7, 2007 2:31 PM

I was startled to read in the Washington Post a group (any group for anything) is 7.3% more or less likely to do something that it should be ignored. Who made up that law? Ms. Shinn showed a huge amount of ignorance in that one sentance.

Posted by: Ed | February 8, 2007 3:54 PM

The comments to this entry are closed.


© 2010 The Washington Post Company