Credit Card Data Breaches Cost Big Bucks

Javelin Strategy & Research estimates that credit and debit card issuers spent $252.7 million in 2009 replacing more than 70 million cards compromised by data breaches.

In 2009, an estimated 39 million debit cards and 33.3 million credit cards were reissued due to data breaches, for a total of 72.2 million. An estimated 20% of those affected by the breaches had more than one card replaced. I had my MasterCard replaced twice.

Javelin’s survey shows that 26%, or one out of four U.S. consumers received a data breach notification last year from a company or agency holding their personal data, including credit and debit card or checking account information.

What is very interesting is of those notified (which is required by law in most states), 11.5% were victims of identity fraud compared with only 2.4% who weren’t notified.

I’ll say this again and then explain what I think this means. They say a consumer who has been notified that his credit or debit card number was compromised is five times more likely to become a victim of identity fraud than a person who doesn’t get such a notice.

The report’s reasoning behind this is that data breaches lead to fraud. Okay, yes, I’ll agree that data breaches do lead to fraud, and my belief is that the people who were notified simply took a closer look at their statements and recognized unauthorized charges. If they weren’t notified they are no less susceptible to fraud, they are just blissfully unaware they are paying for an identity thief’s Las Vegas bender, and the fraud goes undetected.

DigitalTransactions explains, “Data breaches are one obvious pathway to fraud, but a breach alone doesn’t mean an affected consumer will become an identity-fraud victim. Banks often give free credit-report monitoring services to customers whose data may have been compromised.”

The flaw here is that credit monitoring only makes the consumer aware of new account fraud, when a Social Security number is used to open a new account. Credit monitoring has nothing to do with credit card fraud in which an existing account is compromised. Furthermore, in my experience credit monitoring is hardly ever provided when a credit card number has been compromised. Credit monitoring doesn’t help when an existing account is taken over.

“There’s a disconnect,” Javelin tells Digital Transactions News. Consumers “should pay attention to your credit reports after you’re notified, because you’re more vulnerable.”

Yes, it’s true that if you are notified that your Social Security number has been compromised, you are more vulnerable to fraud, but not more vulnerable to fraudulent charges on an existing credit card, since the bank will replace a card that is known to have been compromised. And monitoring a credit report does nothing to prevent credit card takeover fraud.

The only way to combat credit card account takeover fraud is to pay close attention to credit card statements, while credit reports and credit monitoring are essential to prevent or detect new account fraud.

I recommend checking your credit card and bank statements every day, or at least once a week, from a secure PC.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on MSNBC. (Disclosures)