Many news feeds are covering nextgov.com‘s story that victims of last year’s TRICARE data breach are reporting fraudulent credit card charges and bank transactions. Seeing how SAIC, the company responsible for the data breach, had failed to use encryption software to secure sensitive data, this is not surprising.
The argument just doesn’t make sense, however: the breached data did not contain financial information.
I firmly believe that SAIC acted irresponsibly but I can’t agree that the subsequent fraud is tied to their dismissive attitude when it comes to data security.
TRICARE Victims Have Higher Rate of Fraud Activity? Maybe Not.
First, a quick summary. In September of last year, TRICARE announced a data breach, the largest recorded in US history: 4.9 million current and former US military members were affected due to the theft of a data tape. The tape was stolen from a SAIC employee’s car while it was parked in a garage. People sued.
Ok, moving on.
After reading a number of articles, I couldn’t see how the plaintiffs’ lawyers could be pointing fingers to SAIC et al. for the subsequent fraud development. So, I went to get it straight from the horse’s mouth. According to the amendment,
On or about September 29, 2011, TRICARE publicly admitted that on September 12, 2011, data containing the most highly sensitive personal and intimate information pertaining to 4.9 million of its members was unlawfully disclosed (“Security Breach” or “disclosure”). This wrongly disclosed confidential information included Social Security numbers, addresses, dates of birth, phone numbers, and personal health data including private medical records, provider information, laboratory test results, and prescription information (“Confidential Information”). [Exhibit A, paragraph 4]
You’ll notice that the words “bank account numbers” and “credit card numbers” cannot be seen. That’s because SAIC/TRICARE has always claimed that financial information was not included in the stolen data. The plaintiffs’ lawyers don’t appear to be countering this essential fact. And yet, the plaintiffs’ lawyers have somehow made (a tenuous) connection between the breach and the attempts at fraud:
As a direct result of the Security Breach, Plaintiffs Ms. Morelli, Mrs. Keller, Mr. Hernandez, and Mr. Biggerman (along with countless other Class members) have been the victims of fraud and identity theft and been harmed thereby. Others, including Mr. Biggerman and Mr. Moskowitz, were subjected to a significant increase in unwanted solicitations from telemarketers who suddenly obtained their confidential personal identification information, including contact information, soon after the disclosure. Still others, including Mrs. Gaffney, have dealt with credit card cancellations. [Exhibit A, paragraph 10. My emphases]
The amendment by the lawyers note that the risk “can be quantified”:
The Javelin Report reveals that individuals whose information is subject to a reported data breach, like Plaintiffs, are approximately four times more likely than the general public to be (sic) suffer fraud or identity theft. Unfortunately, it appears that victims of the Security Breach have suffered identity theft at a rate that is even higher than that suffered by people who were victimized by other data breaches. The high rate of identity theft among victims of the disclosure is striking, especially given (i) the fact that Defendants possess much of the relevant data, (ii) the likelihood that significant identity theft and fraud has not yet been discovered or reported, and (iii) the possibility that criminals who may have obtained the victims? confidential information have not yet used that information, but will do so at a later date [Exhibit A, paragraph 11. My emphases]
What is this “high rate” they speak of? I don’t know because figures are not given. But, finding out that the rate is higher than “four times more likely” should not be surprising. Why? Because the 2011 Javelin report notes that:
Javelin Strategy & Research, in its latest report about identity theft [2011 survey], says … Those who suffer data breaches are 9.5 times more likely to be victims of identity fraud than are other consumers. [rutlandherald.com]
The correct rate to be applied is 9.5 times, not 4 times. So, is 9.5 times the “rate that is higher” that is quoted by the plaintiffs’ lawyers? If so, the comparison is moot.
Why Only 6 People Named?
Something else that strikes me as odd: the number of people named. Specifically, six people have been named as being directly affected by fraudulent actions stemming from the TRICARE breach. Lawyers allege that there are “countless others” but a hard figure isn’t provided. Heck, not even a soft figure (“we were approached by hundreds of people”) is provided.
Where are the rest? I mean, based on my calculations, there should be close to 200,000 people making the same claim:
4.9 million – TRICARE members affected
11.6 million – Americans were affected by ID fraud in 2011, according to Javelin
313 million – US population as of right now, according to the US census (since the number doesn’t change in units of 1 million, it should closely reflect last year’s US population)
A simple calculation shows that, assuming the TRICARE population reflects the US population, 180,000 TRICARE members were victims of ID fraud. Of those, only six stepped forward? That seems unlikely.
Consider, too, that if we exclude people whose ages are 18 or under (generally not included in fraud reports), the US population is reduced by nearly a quarter, decreasing from 313 million to 235 million. This increases the number of people who were affected by ID fraud to 240,000.
Again, where’s the rest?
What Do Credit Cards Have To Do With Anything?
Last but not least, let’s turn to the credit cards that were used fraudulently. Sorry to be so direct and brusque, but…so, what? There was no financial data on the lost tapes.
Can Social Security numbers be used to obtain credit cards? Yes. But, that would mean a new card ended up in a thief’s hands. The credit card fraud instances quoted in the amendments are clearly not such cases. If anything, it sounds like someone obtained the card number, expiration date, etc. and possibly cloned a card.
Also, there are 4.9 million data breach victims that encompass current and former service members spread across the entire US. Could the timing not be a coincidence? Especially when we’re talking about a handful of people stepping forward and making the accusations?
SAIC did a great disservice to all by not properly securing their data. And, perhaps they deserve the headaches that come from it….
Carry on, I guess.
Related Articles and Sites: