After Home Depot Inc. admitted its computer systems had been hacked recently, headlines blared analysts’ estimates that some 60 million customers had credit and debit card information stolen. Target Corp. received the same treatment from the media last year when the retailer revealed its own massive data breach compromised the financial information of 40 million people.
But those headline numbers vastly overstate the number of people who will fall victim to fraud. In the case of Target, only about 2 percent were hit with fraudulent charges within the first three weeks after the breach was revealed, although the figure climbed to 10 to 15 percent over the next several months, according to BillGuard, a fraud detection software company in New York.
Yaron Samid, chief executive of BillGuard, expects a similar rate for Home Depot, which would amount to 6 million to 9 million customers. “Only a very, very small percentage of cardholders will see a fraudulent charge in the immediate aftermath of the breach,” he said.
Among the key factors in the low fraud rate are credit card companies and banks, which are ultimately liable for fraudulent charges on cards they issue. When they learn of a data breach, they tend to devote significant resources to stopping bogus transactions, said Julie Conroy, a research director at the Boston-based Aite Group, a consulting firm.
The fraud detection technology of large banks and payment card networks like Visa and American Express is so advanced that it often detects financial data breaches before the companies that were hacked are aware of them, security analysts said. Smaller banks, with fewer resources and less advanced detection systems, often don’t get warnings soon enough and suffer higher rates of fraud.
After the Target breach, Conroy said, small banks generally sustained bigger losses. “They didn’t have the early visibility that large banks’ sophisticated analytics and large customer base provided,” Conroy said.
Most banks use antifraud software to inspect the huge volume of transactions involving their payment cards. In the days and weeks after a breach is revealed, Samid said, banks that issue credit cards set their monitoring software to be especially sensitive to suspicious transactions — $1,500 ATM withdrawals in Italy, say, or small purchases at a convenience store in a faraway state. Those measures stop about 40 percent of fraud, according to Samid.
But some fraudsters could try to use stolen card data several months after a breach, warned Tom Kellermann, the chief cybersecurity officer at Trend Micro, an Internet security company. The hackers who steal the data typically sell it off in batches to other criminals, instead of using it themselves, Kellermann said.
The initial buyers often resell the stolen card data at a profit, but the price drops as time passes and more cards are canceled or replaced.
Security specialists stress that the low rate of fraud is no reason for customers to let their guard down. BillGuard estimated the fraud resulting from the Home Depot hack could cost banks and merchants as much as $3 billion. Samid, the company’s chief executive, said card users who may be affected should be on the lookout for suspicious transactions — even small ones — that their bank may not catch.
For American consumers, some specialists say data breaches are the new normal. More than 500 data breaches — not just of financial information, but of passwords, e-mail addresses, and personal information — occurred in the United States in the first half of 2014 alone, roughly on par with 2013 and 2012, according to Risk Based Security, a Virginia consulting firm. Worldwide, there were 76 breaches that exposed credit card numbers over that same period.
“Pay attention. That’s all you can do,” said Samid. “It’s the price we pay for living in a connected world.”