The role of fraud management in data breach response plans

June 6, 2016
Fraud and security departments need to work hand-in-hand following a breach

Fraud and data breaches are often two sides of the same coin. Both can disrupt business operations and damage a company's reputation. Most security professionals now accept that it is not a matter of if, but when, their organization will suffer a security incident, and many have shifted their attention to planning how they would manage and mitigate the impact of a data breach. Although companies today are generally better prepared, one area is still under-represented in response plans: fraud management.

Because data breaches are a growing threat, companies need to recognize that breaches and identity fraud are interconnected and structure their response plans accordingly. A spike in fraud cases after a breach is costly both in immediate chargebacks and in the extra load on the customer support channels that have to resolve those cases.

Connecting Data Breaches and Fraud

The first step to addressing this issue is understanding the many ways these two dynamics are linked. Given that the majority of security incidents and breaches are financially motivated, the attackers behind them are most likely to use whatever information they were able to obtain to commit fraud in a number of ways.

  • Fraud Following a Breach: After a breach, companies should expect an increase in fraudulent activity. According to the Ponemon study "Consumer Study on Aftermath of a Mega Data Breach," 25 percent of consumers stated that they had fraudulent charges on a credit card as a result of losing personal information through a data breach. Another common tactic is using stolen usernames and passwords to take over online accounts and drain them.
  • Fraud Due to an Unrelated Breach: A data breach at one company can supply the information attackers need to commit fraud at other organizations, largely because consumers reuse the same usernames and passwords across many websites. Attackers may also combine data from several breaches to build more complete profiles of individuals for identity theft.

An increase in fraud can also serve as an early warning that an organization has suffered a major security incident its security team has not yet detected. This is especially common with payment card breaches: card issuers notice a fraud pattern in which the compromised cards were all used at the same merchant (a common point of purchase), which points to a breach at that company, and they inform it of the suspected issue. Likewise, when a company's usernames and passwords are stolen, there are typically spikes in login attempts that could tip the organization off to a potential breach.
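A spike in login attempts is only a useful breach indicator if something is watching for it. The following detector is an added example (not code from this article or from Experian): it reads web-application login logs in an assumed format, slides a time window over each source address, and flags sources that hit many distinct usernames with a high failure rate, which is how replayed breach data looks as opposed to one customer mistyping a password. The log format, the constructed sample lines and the thresholds are assumptions; tune them to your own authentication logs.

```python
"""Credential-stuffing spike detector for web-application login logs.

Added example, not code from the article or from Experian. The log format,
the sample lines and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format (constructed): "<ISO-8601 UTC> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("ip"), m.group("user"), m.group("result") == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=20,
                    min_users=10, min_fail_ratio=0.8):
    """Flag source IPs that, inside one sliding window, hit many distinct
    usernames with a high failure rate. One user mistyping a password fails
    on one account; replayed breach data fails on most of many accounts."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_ip[parsed[1]].append(parsed)

    alerts = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so events[start:end+1] spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            attempts = len(chunk)
            distinct_users = len({e[2] for e in chunk})
            fail_ratio = sum(1 for e in chunk if not e[3]) / attempts
            if (attempts >= min_attempts and distinct_users >= min_users
                    and fail_ratio >= min_fail_ratio):
                candidate = {"ip": ip, "attempts": attempts,
                             "distinct_users": distinct_users,
                             "fail_ratio": round(fail_ratio, 2)}
                if best is None or candidate["attempts"] > best["attempts"]:
                    best = candidate
        if best:
            alerts.append(best)
    return alerts


def sample_log():
    """Constructed sample: two ordinary users with a few failures, plus one
    source replaying 30 stolen username/password pairs in 90 seconds."""
    base = datetime(2016, 6, 6, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        "2016-06-06T09:58:00Z src=198.51.100.7 user=alice result=FAIL",
        "2016-06-06T09:58:20Z src=198.51.100.7 user=alice result=OK",
    ]
    for i in range(3):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.strftime(fmt)} src=198.51.100.9 user=bob result=FAIL")
    lines.append("2016-06-06T10:01:00Z src=198.51.100.9 user=bob result=OK")
    for i in range(30):
        t = base + timedelta(seconds=3 * i)
        result = "OK" if i in (4, 17) else "FAIL"  # two of the stolen pairs still work here
        lines.append(f"{t.strftime(fmt)} src=203.0.113.5 user=user{i:02d} result={result}")
    return lines


if __name__ == "__main__":
    for alert in detect_stuffing(sample_log()):
        print(alert)
```

The two successful logins inside the flagged burst are the part the fraud team cares about: those accounts were just taken over and need to be locked and the customers contacted, which is why the alert should reach both security and fraud, not only the SOC queue.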

Unfortunately, this intelligence isn't always shared. If a company's fraud and security departments are not in sync, this critical information can be delayed in reaching the right people, greatly impeding the response process.

How Should Companies Prepare?

The most important step for companies is to integrate response teams, ensuring that the fraud and security departments work together to develop an appropriate process ahead of time and incorporate this integration into their incident response plan. Ideally, this process includes appointing someone from the fraud team to be a key part of the incident response team. This person will be in charge of adjusting fraud protection strategies during the breach, as well as reporting any increase in fraudulent activity while the company investigates the incident.

To prepare further, security incident response teams should monitor news of major data breaches in order to anticipate periods when the potential for fraud at their own organization rises. For example, if a mega breach at another company exposes several million usernames and passwords, alerting the fraud team could help the organization get ahead of, and mitigate, the account takeovers that follow.
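Getting ahead of account takeovers after someone else's breach can be more concrete than an alert: when the leaked credential pairs are obtainable, the fraud team can test them against its own user base and reset every account whose customer reused the leaked password before the attacker tries it. The block below is an added example, not code from this article or from Experian; the user records, the dump from the unrelated breach and the hashing parameters are constructed assumptions, and the password storage shown is PBKDF2-HMAC-SHA256 from the standard library.

```python
"""Check a third-party credential dump against the local user store to find
customers who reused the leaked password here, before the attacker does.

Added example, not code from the article or from Experian. The user
records, the dump and the hashing parameters are constructed assumptions;
the password hashing shown is PBKDF2-HMAC-SHA256 from the standard library.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed for the example)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the candidate digest with the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_user_store(records):
    """records: (email, plaintext) pairs, used only to seed the example.
    A real store holds only the salt and digest per account."""
    store = {}
    for email, password in records:
        store[email.strip().lower()] = hash_password(password)
    return store


def find_reused_credentials(dump, store):
    """dump: (email, leaked_password) pairs from another organization's breach.
    Returns local accounts whose current password equals the leaked one.
    Each hit is a ready-made account takeover; reset it and notify the
    customer even though no hostile login has been seen yet."""
    hits = []
    for email, leaked_password in dump:
        key = email.strip().lower()
        entry = store.get(key)
        if entry is not None and verify_password(leaked_password, *entry):
            hits.append(key)
    return hits


# Constructed local accounts and a constructed dump from an unrelated breach.
USERS = build_user_store([
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "Summer2016!"),
    ("carol@example.com", "letmein"),
])
LEAKED = [
    ("Bob@Example.com", "Summer2016!"),   # reused here: must be reset
    ("carol@example.com", "password1"),   # different password here: no action
    ("dave@example.com", "letmein"),      # not a customer
]

if __name__ == "__main__":
    for account in find_reused_credentials(LEAKED, USERS):
        print(f"force reset and notify: {account}")
```

Because the check needs the leaked plaintext, it works only for dumps that contain passwords in the clear or that have already been cracked; for hash-only dumps the practical fallback is the login-spike monitoring and step-up authentication described elsewhere on this page. The matching is done by e-mail address after normalization, since that is the identifier most users carry from site to site.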

Implementing the Right Fraud Technologies

Companies must also emphasize strong fraud prevention practices. Data breaches show firsthand how heavy the burden on fraud prevention becomes once fundamental identity data is compromised. Knowing that fraud is likely to increase after a breach, organizations must continually evolve their fraud prevention controls and skills to minimize the damage stolen identity data can do.

There are several fraud technology investments that companies can make to combat fraud on their platforms more effectively. Applying comprehensive, data-driven intelligence against identity fraud and the use of stolen identity data is a must.

As a best practice, companies should consider investing in tools and technologies capable of providing:  

  • Layered authentication strategy
  • Device intelligence and risk assessment
  • Credit and non-credit data and risk attributes
  • Multifactor authentication, using one-time passcodes via SMS messaging (SMS codes can be phished and diverted by SIM-swap attacks, so treat them as a baseline second factor rather than the strongest one available)
  • Identity risk scores
  • Dynamic knowledge-based authentication questions
  • Traditional PII validation and verification
  • Biometrics and remote document verification
  • Out-of-band alerts, communications and confirmations
  • Contextual account, transaction and channel purview
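What ties several of these items together in practice is a risk score that decides, per login or transaction, whether to let the session through, challenge it out of band, or deny it. The block below is an added example, not code from this article or from any Experian product: it combines device intelligence (is the device known?), contextual data (distance and time since the last good login, recent failures, transaction value) into a score, and includes a "breach mode" switch so the fraud team member on the incident response team can lower the step-up threshold while an incident is being worked. The signals, weights, thresholds and sample events are all assumptions for illustration.

```python
"""Risk-scored, layered login decision that combines device intelligence,
contextual account/transaction data and out-of-band step-up, with a
"breach mode" the fraud lead can switch on to challenge more sessions.

Added example, not code from the article or from Experian. The signals,
weights, thresholds and sample events are assumptions for illustration.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner speed; faster is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_login(attempt, last_success, known_devices, recent_failures,
                breach_mode=False):
    """attempt: dict(time, device_id, lat, lon, amount); last_success: dict(time, lat, lon)
    of the previous good login, or None. Returns (decision, score, reasons)."""
    score = 0
    reasons = []
    if attempt["device_id"] not in known_devices:
        score += 40
        reasons.append("unknown device")
    if last_success is not None:
        hours = (attempt["time"] - last_success["time"]).total_seconds() / 3600
        km = haversine_km(last_success["lat"], last_success["lon"],
                          attempt["lat"], attempt["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if recent_failures >= 3:
        score += 20
        reasons.append(f"{recent_failures} recent failed logins")
    if attempt.get("amount", 0) >= 1000:
        score += 20
        reasons.append("high-value transaction")
    # In breach mode the fraud lead lowers the step-up threshold so that
    # borderline sessions get an out-of-band challenge instead of a pass.
    step_up_at = 20 if breach_mode else 40
    deny_at = 90
    if score >= deny_at:
        decision = "deny"
    elif score >= step_up_at:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


def sample_decisions():
    """Constructed scenarios: a routine login, the same login after three
    failures (normal vs breach mode), and stolen credentials used from a new
    device on another continent two hours after the real user's last login."""
    now = datetime(2016, 6, 6, 12, 0, 0)
    known = {"dev-alice-laptop"}
    last_nyc = {"time": now - timedelta(days=1), "lat": 40.7128, "lon": -74.0060}
    routine = {"time": now, "device_id": "dev-alice-laptop",
               "lat": 40.7306, "lon": -73.9352, "amount": 0}
    abroad = {"time": last_nyc["time"] + timedelta(hours=2), "device_id": "dev-unknown-7f3a",
              "lat": 6.5244, "lon": 3.3792, "amount": 1500}
    return {
        "routine": score_login(routine, last_nyc, known, recent_failures=0),
        "failures_normal": score_login(routine, last_nyc, known, recent_failures=3),
        "failures_breach_mode": score_login(routine, last_nyc, known, recent_failures=3,
                                            breach_mode=True),
        "stolen_credentials": score_login(abroad, last_nyc, known, recent_failures=0),
    }


if __name__ == "__main__":
    for name, (decision, score, reasons) in sample_decisions().items():
        print(f"{name:22} {decision:8} score={score:3} {reasons}")
```

The point of the breach-mode switch is that the same login that passes on a normal day is challenged while an incident is open, which is the operational form of "adjusting fraud protection strategies during the breach" described above. A real deployment would feed the score with richer device fingerprinting and account history, and would log every step-up and denial so the fraud team can measure the spike the article warns about.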

The Path Forward

As fraud and data breaches continue to grow together, it is vital for companies to recognize the devastating effects that mismanagement of either one of these issues can have on their organization. In response to any type of security attack, companies must align their fraud and security departments to ensure they are fully prepared to protect themselves and their compromised data.

More information on data breach legislation and resources can be found at the Experian Data Breach Resolution website and the Experian Data Breach Resolution blog.

About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group.