Greg Schlichter
01/30/2025
As a government agency leader, priority one is your mission to serve constituents — ensuring fast, convenient service delivery and optimal customer experiences. In fulfilling that mission, you’re also charged with protecting constituent data and reducing fraud, waste and abuse. With the push to enable online access to just about every government program, data breaches pose a growing risk for fraud and cybercrime. They enable criminals to use stolen or fabricated identities to establish legitimate business entities to perpetrate further crimes, submit fraudulent tax returns and steal benefits from legitimate beneficiaries.
Protecting your agency requires the mindset that all constituent identity data may be compromised. To establish trust in digital transactions, it’s important that digital identity — the relationships between a constituent’s identity, devices and accounts — be continuously evaluated and verified. This requires an approach that blends fraud detection into digital interactions without causing undue burden or friction. Enabling constituents to apply for the business licenses, grants and benefits they need while protecting them and your organization from identity-based fraud is critical to further streamlining operations through digital transformation initiatives.
A data breach is a security incident in which sensitive, protected or confidential information is accessed, stolen or exposed by an unauthorized individual or group. This can include personal information (such as names, addresses and Social Security numbers), financial data, health records or classified government information.
Data breaches can occur through various means, including:
Consumers’ personally identifiable information (PII) is a commodity in criminal marketplaces. Data breaches put millions of Americans at increased risk of identity theft and fraud daily. The scope of breach activity makes it a leading indicator of fraud. As exposed PII enters the criminal ecosystem, a few factors can determine the likelihood that notable fraud trends will emerge:
US data breaches increased 15% year over year (YoY) in 2023 to a volume never seen before — driven by a 38% YoY increase in third-party breaches. In addition, the average breach risk severity (the ability of a breach to enable identity fraud based on the information exposed) as measured by TransUnion® TruEmpower™ Breach Risk Score (BRS) increased 11% YoY to 4.1 in 2023, also the highest ever measured.
Data breaches have become increasingly common and costly. The global average cost of a data breach reached $4.88 million in 2023, a 10% increase over 2022, according to the IBM Cost of a Data Breach Report 2024. US data breaches cost an average of $9.36 million, nearly twice the global average.
According to TransUnion, cybercriminals zeroed in on third-party service providers as the largest data breach vector — surpassing primary breaches for the first time in 2023. Not only were there more third-party breaches, but they were also more severe, with an average BRS 24% higher than in 2022.
The most frequently exposed information in 2023 data breaches is likely to be used in schemes to target public sector agencies:
A single data breach event can have huge fraud impacts for agencies. For example, 2023’s massive MOVEit hack affected more than 1,000 public and private organizations and exposed data on more than 60 million individuals.
These impersonation and fraud attempts can lead to:
- Fraudulent benefit claims
- Benefit payment diversion (e.g., Social Security, SNAP, Child Support)
- Tax refund fraud
- Fraudulent benefit claims (e.g., unemployment, Social Security)
- False tax returns and refund fraud
- Unauthorized access to government services
- Unauthorized transactions or fund transfers
- Creation of fraudulent accounts in the agency's name
- Manipulation of financial records or budget allocations
- Blackmail government employees or officials
- Extort the agency for ransom (as in ransomware attacks)
- Manipulate policy decisions or contracts
- Foreign intelligence gathering
- Compromise of military or diplomatic operations
- Undermining of national security initiatives
- Make citizens more susceptible to impersonation scams
- Reduce willingness to share information, hampering agency operations
- Lead to increased scrutiny and potential budget cuts
- Providing disgruntled employees with sensitive information to misuse
- Creating opportunities for collusion between internal and external bad actors
- Criminals gaining insight into detection methods
- Manipulation of fraud risk scores or watchlists
- Disabling or circumventing fraud prevention measures
Industries from government to banking, travel, ecommerce and more have decades of experience using identity verification to ensure users attempting to create or access accounts or make purchases are authorized to do so.
Verifying constituent identities with confidence starts by looking at constituent-provided personal data and comparing it against authoritative and robust data sources. In instances like benefit applications, tax returns or business registrations, credit reporting agencies can help confirm personal details like addresses, phone numbers and Social Security numbers.
But in faceless digital channels, more device data can aid in determining the risk level associated with the device being used to initiate the benefit application or business registration. More diverse sources of public record data can also help identify suspicious and known subjects or high-risk associations between the user and other associates.
A robust fraud solution will better secure trust across the constituent lifecycle from helping mitigate new registration fraud early in the application cycle to reducing the risk of account takeover (ATO). At each point along that journey, a fraud solution that identifies and helps separate safe from risky interactions can be used to effectively reduce fraud, waste and abuse, helping ensure genuine constituents receive the benefits and services they deserve.
When suspicious activity is identified through digital insights or an identity cannot be verified, minimal step-up challenges can be implemented. As an example, you can request knowledge-based authentication (KBA) or authenticate a user’s identity via a one-time passcode (OTP) sent as a text message to a mobile device.
If a user’s identity still cannot be authenticated, document verification is a natural progression to help more securely and confidently validate constituent-provided data — and reduce the risk of fraud from stolen or synthetic identities.
By orchestrating proprietary PII, public record information and device information, fraud solutions can enable trust between business registrars, their states and constituents. The results include: continued, seamless experiences for good constituents; a reduction in fraudulent registrations and fraud losses; fewer investigative resources and cycles spent fighting fraud; and enhanced, friction-right constituent experiences across channels.
Bad actors are increasingly looking to exploit perceived weaknesses in government programs to generate cash flow. Fraudulent tax returns, fulfillment of prescription drugs from falsified medical information, access to subsidy and grant programs, and many other avenues exist for criminals to target entities in the public sector. Data breaches are particularly attractive catalysts for fraud because they potentially allow criminals access to these programs through stolen identities at scale.
Data breach exposure has a direct impact on government agencies’ abilities to serve constituents, deliver benefits effectively, and reduce fraud, waste and abuse. Understanding potential risks like data breaches, identity theft and more can be a first step toward better protecting against future fraudulent activity. Finding robust identity verification solutions to protect constituent experiences across every channel is a critical first step.