Exploring Identity Theft Statistics in the Age of Data Breaches

The internet has created a culture of oversharing. Social media, online shopping, and similar online services have made us reckless with the amount of personal information we make public. 

Companies leaking massive amounts of personally identifiable information (PII) in large-scale data breaches have caused significant problems, as identity theft statistics show. The deep web black market for stolen data is thriving. Social Security numbers, names, bank accounts, and other sensitive info can be bought for next to nothing.

Identity theft is the misuse of personally identifiable information. 

It usually includes at least one of these three incidents:

• Misuse of an existing financial account, also known as account takeover (ATO)
• Opening a new financial account with the victim’s credentials
• Use of stolen information for other, non-financial purposes, such as Social Security identity theft.

Numbers of Identity Theft Cases

How many Americans are victims of identity theft each year? There were 14.4 million identity fraud victims in 2018 in the US.

(Javelin)

The overall number of victims is falling, however. In 2017, it’s estimated there were 16.7 million victims of identity theft, statistics published by Javelin show.

91% of consumers worldwide have made an online purchase.

(Experian)

This is one of the main reasons the identity theft numbers are in the millions. Sharing payment information is the precursor to most identity theft incidents.

40% of consumers worldwide have been a victim of online identity theft.

(Experian)

The highest occurrence is in the US, while the safest region in the world is Europe, according to identity theft statistics from 2019.

66% of US consumers fell prey to fraudsters in 2018. That’s roughly one in 17 Americans.

(Javelin)

In 2017, this percentage was 6.64%, or around one in 15 Americans.

The decline identity theft is linked to the increase in EMV credit card use. 

Contactless cards make it difficult to make duplicate counterfeits, which is the easiest way for fraudsters to use stolen information.

However, the statistics of identity theft show a rise in new account and account takeover frauds.

There were 679,000 cases of account takeover (ATO) in the US in 2018, almost twice as many as in 2017.

(Javelin)

When a fraudster hijacks an already existent account, that’s called an account takeover (ATO).

Statistics about identity theft indicate the number of ATO incidents almost doubled from 2017 (380,000) to 2018 (679,000).

The Federal Trade Commission, the US government’s consumer protection agency, received 444,602 reports of identity theft in 2018.

(Consumer Sentinel)

This number is not, however, a good indicator of how many people are affected by identity theft. That’s because the majority of victims don’t report the crime to the relevant authorities. 

Here’s a chart that shows how many reports of identity theft the FTC received by type in 2018.

What Kinds of Information Get Stolen?

In 2018, loyalty and reward-point fraud rose 103% compared to the previous year.

(Experian)

Peddling frequent flyer miles, gift cards, and hotel arrangements is a rising trend on the dark web. 

People tend to check the loyalty points they’ve accumulated only when they want to use them. That makes them a perfect target for fraudsters who sell them on the dark web for a fraction of their face value.

The information is usually harvested via phishing campaigns.

Retirement account fraud rose 180% in 2018 compared to 2017.

(Experian)

Companies tend to overlook the 401(k) and IRA accounts they set up for their employees. Attacks on these types of accounts usually go unnoticed until it’s too late.

Medical identity theft statistics show that around 65% of victims have to pay more than $13,000 to recover from having their medical identity compromised.

(Ponemon)

In a country that charges obscene amounts for even the simplest of medical procedures, medical identity theft is a crime that is bound to thrive.

Fraudsters use stolen Social Security numbers to access medical services and prescriptions in the name of the victim. As insurance companies don’t inform the victims, they usually become aware of this cybercrime through a suspicious report in their explanation of benefits.

The EoB is a document insurance companies send to their clients to inform them of services that have been paid in their name. These can arrive at the victim’s doorstep three or more months after their name has been used.

Medical identity theft rates vary strongly according to location, with Florida residents the most likely to be targeted. The state’s elderly population may be the cause of that.

The IRS received 242,000 reports of tax identity theft in 2017.

(CDCPA)

A criminal uses a stolen Social Security number and uses it to commit tax refund identity theft - an all-too-common scenario.

Tax identity theft statistics show that this type of fraud is still prevalent, given the number of SSNs that get breached and sold on the deep web market.

The Cost of Identity Theft

47% of identity theft victims can’t get any sort of credit, even after the attack has been mitigated.

(Identity Hawk)

This is one of the long-term consequences of identity theft - it’s almost impossible to clear your name. Credit issuers have a hard time forgetting consumer carelessness, even if it’s not your fault.

12% of victims endure financial loss as a result of identity theft.

(Bureau of Justice)

Insurance or credit card companies help with the immediate loss of funds most of the time. Of those who pay $1 or more as a result of identity theft, 49% pay less than $100, stats about identity theft show.

New account fraud cost consumers $3.4 billion in 2018.

(Javelin)

Fraudsters use stolen information to create new bank accounts and apply for loans, mortgages, credit cards, and other financial services.

In 2017, this type of fraud cost consumers $3 billion.

Fraudulent transactions are reached $25.6 billion in 2020.

(Juniper Research)

The cost of identity theft is trending upward as criminals get their hands on increasingly sensitive data.

Victims spend an average of $1,000 and 330 hours on remedying an identity theft.

(Identity Hawk)

A quarter of victims spend upwards of six months battling the credit unions, while 23% are still doing so after a full year.

A stolen identity - consisting of a name, Social Security number, and date of birth - can be sold for as little as $0.10 on the dark web.

(Symantec)

The demand is high for personal information, so you can only imagine what the supply is given the prices are so low.

A complete fake identity - equipped with name, address, phone, SSN, and email - costs as little as $30.

Here’s a price list internet security company Symantec published in its latest cybercrime report:

Victims of identity theft often suffer damaged relationships with friends and family; 36% of victims report they get into arguments with family members more often, and 55% feel they can’t trust their friends anymore.

(ITRC Aftermath report)

Having your identity stolen is an ordeal to say the least. Your bank account and credit score ratings are far from the only things that suffer. A traumatic event like this can also affect your relationship with family and friends.

In an ITRC survey of identity theft victims, 45% of respondents said they didn’t get enough support from their family, while 65% said the same about their friends.

How Does Identity Theft Happen?

The biggest enablers of identity theft are companies that leak sensitive information. There were a total of 1,244 data breaches in 2018.

(ITRC)

According to the Identity Theft Research Center, 446,515,334 individual sensitive records were breached in 2018.

The number of breaches went down by 23% compared to 2017, but the number of compromised records with personally identifiable information (PII) skyrocketed by 126%.

These are conservative estimates, with breaches without a determinable record count omitted.

The precursor to a large number of identity theft cases are data breaches. The ITRC classifies data breaches into the following categories:

• Social Security number
• Driver’s license number
• Medical records
• Financial records (credit/debit card information)
• User names, emails, passwords, and other authentication data, without a link to the victim’s actual identity

The ITRC regards the last item on the list as non-sensitive data and counts it separately. In addition to the 446 million PII records, 1.68 billion non-sensitive records were breached in 2018, according to statistics on identity theft.

The average time it takes for a fraudulent new account to be discovered is 54.2 days.

(Experian)

A lot of funds can be embezzled - sometimes along with irreparable loss of face to the victim - in two months. Keep tabs on your bank accounts; you don’t want to wake up one morning, check your balance, scream “Someone stole my identity!” then realize you’re three months late.

Being vigilant is the cornerstone of having good protection against identity fraud. 

In September 2018, the Marriott hotel chain reported on a data breach that had exposed 383 million sensitive records, including financial information and passport credentials.

(ITRC)

Marriott’s security system had been compromised for four years before the suspicious activity was discovered, which is an unsettling thought for guests. By that time, attackers had mined the system for hundreds of millions of records, 2018 identity theft statistics show.

Victims of Identity Theft Statistics

The consumer paradox: 74% of consumers say security is their top priority when dealing with funds online, but 72% say they would gladly provide more personal information if it meant they could enjoy a less-complicated payment procedure.

(Experian)

The more information the consumer provides, the smoother the transaction becomes. At the same time, the probability of that information getting misused also rises. 

Consumers would like to have the best of both worlds, which is currently simply impossible, judging by the latest identity theft statistics from 2018.

Physical biometrics instill the biggest sense of security in consumers, with 74% of them saying they feel more confident in businesses that use them.

(Experian)

Passwords, CAPTCHA codes, and biometrics are called “friction-inducing” authentication procedures. They slow down the process and create a barrier meant to thwart criminals.

Having to input a fingerprint has the biggest impact on the consumer’s perception of safety.

However, advanced types of identity authentication are never seen by the user. Data aggregation, behavioral biometrics, passive device information - these can all yield much better results than friction-inducing measures, which consumers have grown to expect, according to ID theft stats.

61% of consumers said they trust online banking and insurance service providers “completely” or “a lot.”

(Experian)

The smallest number of respondents said they trusted social media sites/apps: only 24%. The same percentage said they “do not trust social media sites/apps” at all, identity fraud statistics show.

75% of companies worldwide are starting to comply with the GDPR in their handling of private consumer information.

(Experian)

In 2018, the Cambridge Analytica scandal uncovered major misuse of personal information by several apps on Facebook. Shortly afterward, the EU imposed a set of rules on big data companies, called the General Data Protection Regulation (GDPR).

This set of rules was meant to increase transparency in the way sensitive data is handled, which is one of the key features of a safe and fair relationship between businesses and consumers. Consumers have more control over what they share, which makes it less likely that they get their identity compromised.

Now, companies all over the world are complying with the GDPR.

Businesses in the UK and US increased their anti-identity fraud budget by 75% in 2018.

(Experian)

Worldwide, companies have increased their counter-fraud budgets by an average of 50%. This will ensure that the chances of identity theft drop significantly in the future.

Only 50% of companies say they understand the mechanisms of identity fraud and its impact on their business sufficiently.

46% of identity theft victims say they’re dissatisfied with the way financial institutions and credit unions handle their cases.

(ITRC Aftermath report)

Victims need to go through a litany of interrogations, questionnaires, forms, and other types of bureaucratic torture to recover their identity. This accounts for a huge part of the trauma involved in identity theft. 

Imagine having to retell the same humiliating and traumatic story to a never-ending line of disinterested interrogators, knowing that your identity thief will probably go unpunished.

The list of institutions that victims need to engage with includes, but is not limited to:

• Credit issuers
• Credit reporting agencies
• Local law enforcement
• Federal trade commission

The reported dissatisfaction with each of these institutions was similar across the board: around 42%. Credit issuers received the worst rating.

93.1% of identity theft victims don’t report the crime to the police.

(Bureau of Justice)

According to identity fraud statistics published by the Bureau of Justice, the majority of victims don’t contact the police. Sixty-eight percent handle it another way, such as reporting the crime to the credit union or bank. 

Even more worryingly, around 12% of victims think the police can’t help at all.

Only 18.7% of victims become aware of identity theft by noticing dubious charges on their accounts.

(Bureau of Justice)

That’s a testament to how little attention we pay to our finances. In 47.6% of cases, financial institutions warn consumers about suspicious activities being done in their name.

The majority of victims (88.4%) contact their credit card company or bank to try to resolve the problem.

In 94% of identity theft cases, the victim knows nothing about the attacker.

(Bureau of Justice)

In cases of multiple offenses, when a new account is opened along with the misuse of an old one, the victim knows something about the attacker 12% of the time.

Identity Theft Victim Demographics

Identity theft statistics by state in 2018.

(Consumer Sentinel)

This map shows where identity theft was most likely to occur in 2018. The number denotes how many cases of identity fraud occurred per 100,000 citizens.

Identity fraud was most prevalent in Georgia, with 229 cases per 100,000 citizens.

Vermont was the safest, with 51 cases of identity theft per 100,000 people.

Females account for a slightly larger percentage (52%) of identity theft victims than males.

(Bureau of Justice)

This difference is due to the fact that, according to identity theft statistics, women are slightly more likely to misuse their bank accounts, while credit card fraud is mostly the same across genders.

Identity thieves were most likely to target people in the 30-39 age bracket in 2018, with 107,367 reported cases.

(Consumer Sentinel)

People under 19 years of age reported just 14,251 cases of identity fraud in 2018.

White people have the biggest risk of becoming identity fraud victims.

(Bureau of Justice)

According to an identity theft report by the Bureau of Justice comprising data from 2016, 19.4 million victims were white, while roughly 6.5 million people were of other races. That means 12% of all white people were victims, while around 8% of people of other races were affected.

More than a million US minors were victims in 2017, according to child identity theft statistics.

(CNBC)

Minors are usually the targets of “synthetic identities,” whereby a fictitious identity is created using bits and pieces of disparate information. 

The fact that children’s Social Security numbers have don’t have existing credit reports means they’re a clean slate, which gives them a lot of value to fraudsters. Inflicted damage is rarely discovered until it’s too late. Two-thirds of children who were compromised in 2017 were under seven years old.

Avoiding Identity Theft

General Tips on Reducing the Probability of Identity Theft

• Protect your data.

  • Be wary of who you share your social security number with.
  • Use a single credit card to make online purchases.
  • Don’t give payment information to third parties like cell phone providers - make the payments yourself.

• Keep good password hygiene.

  • Using the same password across multiple accounts is an obvious mistake a lot of people make. If a criminal learns your password for one account, they will most likely try it elsewhere.
  • Use complex passwords - the most common password in 2017 was “123456789”, followed by “qwerty.”
  • Use password-manager software.
  • Use two-factor authentication wherever possible.

• Keep your devices updated.

  • Be meticulous about updating your operating system.
  • Protect your devices with passwords.
  • If you’re not the only one using your device, turn off the automatic login feature. Social media identity theft is already common enough without you giving criminals an extra advantage.

• Be wary of using public Wi-Fi. Always use a VPN when connecting to one.

• Monitor accounts.

  • Keep a close eye on transactions being made in your name. The sooner you find out that someone has stolen your identity, the easier it will be to manage.

Who to Contact if You Think Your Identity Has Been Compromised

You should notify local authorities, the Federal Trade Commission, and credit rating companies like Equifax of identity theft.

Equifax’s identity theft number is 800-525-6285.

If your e-filed tax return gets rejected because of a reported duplicate SSN, you should fill out Form 14039 - and identity theft affidavit - which you can find at this link. The IRS identity fraud assistance department will guide you through you the process.

What to Keep an Eye on to Protect Yourself Against Identity Theft Concerning Tax Reports

Check the IRS identity theft guidelines and look out for the following warning signs:

• The IRS contacts you about returns you didn’t file.
• The electronic tax system warns you of a duplicate Social Security number when you file your return.
• You receive tax transcripts you did not ask for.
• You receive a notification that a new IRS online account has been created in your name.
• The IRS contacts you about tax-related issues for a year when you didn’t file a tax return.
• The IRS alerts you of receiving wages or other income from an employer you have not done business with.