The Associated Press
COLUMBUS — The staggering amount of personal information contained on a stolen state computer tape has worried Ohio residents and led Gov. Ted Strickland to call nearly daily briefings since the device was stolen a week ago.
But the sheer amount of information — including the names and Social Security numbers of nearly 400,000 people — means that the state employees, taxpayers and others unlucky enough to be on the tape are actually at a very low risk of having their identities stolen, experts said.
A company that has studied data breaches said personal information is at much greater risk when a particular person or small group of people is targeted — an everyday occurrence with no public announcement to scare away potential thieves.
You are much more at risk if someone goes through your garbage can than if you are part of a large data breach, said Thomas Oscherwitz, vice president of government affairs and chief privacy officer for San-Diego based ID Analytics.
“In that case, you are a targeted victim as opposed to a large population where it will be difficult for a fraudster to go through that list,” Oscherwitz said.
The theft was revealed June 15 and Strickland held briefings all but two days of the following week.
Being part of a large data breach is not a prerequisite for identity theft. It can happen to any individual, said Jay Foley, executive director of the Identity Theft Resource Center.
“It will happen to just about everybody eventually,” Foley said.
ID Analytics, which provides identity-risk management services to some of the country’s largest financial and wireless companies, conducted a study of four data breaches covering about 500,000 consumer identities.
Less than one-tenth of 1 percent, or one in 1,000 identities, was subjected to fraud in the breach the company described as an intentional target by identity thieves. The smaller the data set, the greater the chances that individuals will be victims of identity theft, the company found. ID Analytics said it could not release the specifics of the breaches because they have confidentiality agreements with the organizations supplying the data.
The sample size of the study was small, but the company claims it is the only comprehensive study that has been conducted using information from actual data breaches.
It’s important to differentiate between the types of data breaches when determining risk, Oscherwitz said. Breaches masterminded with intent carry much greater risk than incidental thefts of computers or other devices, or a misplaced data storage device.
The Ohio case has several barriers to identity theft. The backup tape, stolen out of the car of a state intern on June 10, appears to be part of a ring of theft that targeted a radar detector and stereo equipment in three different cars — what Oscherwitz called an incidental theft.