Consumers’ personally identifiable information (PII) is a commodity in criminal marketplaces. Cybercriminals can use detailed consumer data in nefarious schemes, such as phishing attempts and romance or social-engineering scams, or in more direct actions like hacking corporate servers. Each quarter, data breaches put millions of Americans at increased risk of identity theft and fraud daily.1 Further, the scope of breach activity makes it a leading indicator of fraud.
As exposed PII enters the criminal ecosystem, a few factors can determine the likelihood notable fraud trends will emerge:
Other data breach factors can be used to provide insight into likely types of identity fraud schemes and where victims may be found. Exposed banking credentials may be used in account takeover attempts, while consumers’ medical histories are likely to be used in medical identity theft. Additionally, many breaches occur at a local level and increase the risk of fraud in communities where breached organizations operate.
It's important to note that identity theft is not bound to the industry where the information was stolen. Data stolen from a local tax group may aid criminals in submitting false tax returns, but could also be used for unemployment insurance fraud or pension account takeover. Each piece of exposed consumer data is another ‘proof point’ for fraudsters when assuming false identities to bypass controls.
The stolen identities of unsuspecting constituents impact organizations across the country and provide fraudsters a starting point to steal payments and benefits from well-intended government programs. In Q4 2022 alone, TransUnion found data breaches exposed more than 22 million identities, including Social Security numbers, driver’s license numbers, medical identifiers and other sensitive information likely to be used in schemes targeting the public sector.2 In fact, public agencies have faced a surge of fraud attempts since the government response to the coronavirus pandemic and the subsequent exposure of vulnerabilities in identity proofing.3
Bad actors are increasingly looking to exploit perceived weaknesses in government programs to generate cash flow. Fraudulent tax returns, fulfillment of prescription drugs from falsified medical information, access to subsidy and grant programs, and many other avenues exist for criminals to target entities in the public sector. Data breaches are particularly attractive catalysts for fraud because they potentially allow criminals access to these programs through stolen identities at scale.
In addition to fraud activity targeted directly at government agencies, fraudsters also leverage exposed PII in schemes to evade regulators or to conceal other illegal activities from law enforcement or investigators. For example, fraudsters can use compromised identities to pass Know Your Customer (KYC) or anti-money laundering checks, giving them a platform to access the US financial system behind a ‘clean’ identity. Exposed PII can also be leveraged by criminals looking to pass state background checks or falsify employment records.
Consumers are clearly concerned about the prevalence of cyberthreats,4 but they may not know all the ways criminals can leverage stolen information. For many consumers, there’s often no sign their identities have been used in such a way until it is too late. Many people regularly monitor credit and bank account activity — especially after becoming aware their information was involved in a data breach. Few avenues exist for consumers to regularly check how their identities are being used in connection with government services, such as making sure disability payments aren’t being claimed in their names.
Data breach exposure has a direct impact on government agencies’ abilities to serve constituents, deliver benefits effectively, and reduce fraud, waste and abuse. Understanding potential risks like data breaches, identity theft and more can be a first step toward better protecting against future fraudulent activity. And as cybercriminals are more determined than ever to compromise government systems and processes, agencies need fraud protection and identity solutions that strike the right balance of transparency and security.
1, 2 Using data from Sontiq, a TransUnion company, TransUnion found 22 million Americans were affected by data breaches in Q4 2022 that may be used in fraud targeting the public sector.
3 In the first 3 quarters of 2022, the FTC collected more than 130k reports of fraud related to government benefits and documents, tax, and employment – compared to just 69k in all of 2019. See Identity Theft Reports | Tableau Public
4 TransUnion Consumer Pulse Q4 2022 US