Credit Union Connection

View Original

TransUnion: Data Breach Severity Up 31% Q1 2024, Unveils Personalized ID Theft Assessment

Company’s enhanced identity threat intelligence technology recognized at FinovateSpring conference

The severity of data breach risks rose to the highest level in two years during the first quarter of 2024, increasing 31% from the same period last year. TransUnion (NYSE: TRU) unveiled its analysis of data breach trends today at the 2024 FinovateSpring conference where the company’s new identity threat intelligence offerings within its TruEmpowerTM solution line were featured as one of the most exciting technologies with real-world applications.

TruEmpower’s enhanced BreachIQ capabilities use a proprietary AI algorithm for personalized identity risk assessment. The technology analyzes an individual’s comprehensive data breach history, generates a personalized dynamic risk score, and recommends clear and concise actions to protect against identity crime. 

Personalized identity risk assessments are of particular importance as TransUnion’s proprietary Breach Risk Score (BRS) revealed the severity of data breaches climbed to 4.6 in Q1 2024, up from 3.5 in Q1 2023. The BRS is compiled by assigning a risk score for each data breach — driven by an AI algorithm analyzing more than 1,300 breach elements and their risks. Watch the video with our Founder Sarah Snell Cooke, who sat down with TransUnion Senior Principal for Innovation Jim Van Dyke to discuss the new personalized identity theft threat assessment.

TransUnion’s algorithmic analysis showed the increased data breach risks were primarily due to the high level of Social Security number exposures — which occurred in 78% of all publicly reported breaches during the first quarter of 2024. That’s a significant rise from the same period in 2023 when Social Security numbers were exposed in 51% of breaches. This, coupled with high credit and debit card data exposures in 2024, increased the BRS to record levels. 

“Our consumer research shows upwards of three in four Americans consistently express concerns over having their identities stolen. Yet, when surveyed, most admit not taking any action at all,” said Mike Doherty, senior vice president and head of TransUnion’s TruEmpower consumer solutions. “This inaction has long vexed financial institutions that generally bear the brunt of fraud-related losses. People are actually very motivated to take action — they just need a trusted source and personalized guidance for what to do.”

The need for personalized data breach analysis comes amid an alarming rise in data breaches. In the first quarter of 2024, the Identity Theft Resource Center (ITRC) reported a 90% increase in data compromises compared to the first quarter of 2023. TransUnion’s ongoing fraud research shows more than 20 million Americans have personal information, such as driver’s license numbers, credit card information and Social Security numbers, exposed in data breaches each quarter. In 2022, consumers experienced $10.3 billion in losses related to cybercrimes and data incidents.

TruEmpower’s enhanced BreachIQ identity threat intelligence technology was demoed at FinovateSpring where it was a finalist for an award regarding its innovative nature. Building upon TransUnion’s tradition of credit reporting and education — a key to monitoring identity security — it helps demystify what to do after a data breach. BreachIQ displays a dynamic score based on a large pool of data about a consumer’s individual identity vulnerabilities, data exposure from breaches and the fraud mitigation steps they self-report inside the tool. The dynamic score then adjusts, showing improvements as consumers take preventative actions.

The result is a significant change in consumer behavior. While most consumers impacted by data breaches report feeling confused or overwhelmed about what to do (and subsequently take no action), data shows most breach victims who engage with TruEmpower’s enhanced BreachIQ take action to improve their identity threat scores.

Identity safety is a top financial goal of consumers. They want to understand and counter the identity threats they face. Yet, doing so requires much more personalization than they’ve been able to access. They now have clear insights and guidance at their fingertips,” concluded Jim Van Dyke, senior principal of innovation in TransUnion’s Consumer Interactive business.

Read the full transcript below:

Disclosure: Transcript is automatically generated

Sarah Cooke: Welcome everybody to today's credit union connection. I am here today with TransUnion’s Jim Van Dyke, welcome.

Jim Van Dyke: Thank you, Sarah, great to be here.

Sarah Cooke: Yeah, it's great to have you. Tell us a little bit about your background, because that's really going to help set up what we're talking about today.

Jim Van Dyke: Sure, I’ve worked in digital commerce and digital finance or FinTech for my entire career, which is a long time, and got my start in FinTech actually, launching web banking to credit unions around 1995.

Sarah Cooke: That was before FinTech was even a term, right?

Jim Van Dyke: You know, e-commerce and FinTech weren’t terms back then. So yeah, it was very early days. You had to pretty much figure everything out that's taken for granted today and fun times and along the way, you know, as new things rolled out on top of what was then called home banking. You know, we learned a lot about what creates value for members and customers, and how that turns into the ability to have these solutions pay for themselves, for credit unions. Like, we especially learned that engagement is often much more powerful in terms of paying the way for these solutions rather than just cost avoidance, or in the case of what I'm about to talk to you, fraud avoidance. Those are important, but how it affects the relationship with members is much more powerful. So I've done this for a long time, and a couple of other things that I've done along the way are launching a research company. The name was Javelin strategy and research. So I founded and ran that organization for 14 years, and I sold it to a New York equity firm, and it still serves the largest banks today and advises you about digital banking and fraud, especially member or customer facing elements. After I sold javelin, I became an expert witness on the nation's top data breaches. So Equifax, Yahoo, Anthem, all the ones that set records in terms of class action judgments. I was the primary expert witness, and while doing that work as a researcher, bringing very much a quant background into things, I realized that I was making a lot of money for trial attorneys, but very little of it was going to consumers, and that troubled me greatly. And I realized that the method that I created for the court, which was essentially a research based method using federal trade commission and Department of Justice research methods to understand how any data compromise elevates a particular pattern of risk for a consumer. So, I'll unpack that for a minute. Then I'll wrap up the long answer to your question about background. You know, if you've been in, for example, the T Mobile breach, that's your most recent breach, and the most recent breach I was in was Anthem's big one, or OPM or something else, you and I have a different pattern of fraud risk along with a different level of fraud risk. And the logic is pretty simple, but we turned it into a 1300 element algorithm in my product. So it's true AI expert systems. I mean, you can understand the logic from a common sense perspective and how this built on the expert witness work, that if your SSN was exposed in a recent breach, you know, we all know what SSNs are useful for. If you're a cyber criminal, that would be like new credit account fraud or IRS refund fraud. But combined, those types of fraud risks represent less than 30% of all US identity fraud. So if I was in a breach that didn't expose my SSN, but it exposed my payment card digits along with three or four digit secret code, common sense informs us that I'm at risk of online payment of card fraud. So if you break that into a very specific algorithm, you say based on what was exposed for individual victims, what is their particular pattern of risk and what action should they take. So again, long answer to your question, I turned that into an algorithm that became a member or customer facing product because we want to stop making it so hard for consumers to figure out what they should do to reduce their unique level and pattern of identity fraud risk.

Sarah Cooke: Right, and that's exactly what we're talking about today, your personalized identity risk. I know I didn't say that correctly. Talk a little bit about that because it was featured at Finovate Spring, just last month.

Jim Van Dyke: That's right, and we previously won the Finovate Best of Show award for it. And so yeah, the product, because everybody's been breached, and everyone will continue to be breached, and many of those breaches are findable, so we take everyone's breach history and we run that through our expert systems algorithm. This happens very fast. So when we pull that data, it says, because every breach is on the public record, it feeds into our algorithm so we can identify what that unique pattern of identity theft or fraud risk is and then prescribe actions. And our research tells us quite clearly that consumers are not lazy, they're not hypocritical. They're not unwilling to help, to partner with credit unions to help fight identity theft and fraud, most of which is likely to occur at their primary FI. They just need to have it made simple for them. So the product we showed pulled on that unique data breach history again, that happens in seconds. So we identify a level just like a credit score, and that's why TransUnion bought this product that was originally my second startup. It's not called Breach Clarity. It's now called breach IQ, and it creates an identity safety score, zero to 100 other than that, it's like a credit score, you know, where higher is better, and we tell consumers what their top identity fraud risks are. So for you, using my previous example, it's new credit fraud and it's IRS fraud, then we are only going to tell you, this is what we showed in Finovate, that you need to freeze your credit. And of course, that's a good idea for a lot of people, but for some people, it's essential. And when there are 50, five zero, different actions you should take, narrowing that down to a short list is really important. It's like if you saw your doctor and you said, “What can I do to be more healthy?” And he gives you a list of 50 things. You go, “which one should be first?” They go, “I don't know, you're not going to do anything.” That's why consumers aren't taking action today. So at Finovate, we showed how breach history converts to an identity safety score zero to 100 scale, a prioritized set of fraud risks and a prioritized set of actions all in a UX that sits right behind the login of a credit union or a bank.

Sarah Cooke: Okay, so within the mobile or digital banking experience, awesome. But it's right there, there's no going to hunt for it either. So, I mean, one of the things that I read about the product is that it uses this AI algorithm to personalize the identity risk assessment. So was something like this even possible before AI?

Jim Van Dyke: No, no, it wasn't. And because when, just to give you a factual answer for that, you know, when I worked on my first data breach expert in this case, it was the anthem data breach, and it took me over 100 hours to compute with great accuracy. You know, the kind that could hold up to cross examination in a legal setting which is grueling. If you know anybody listening has ever seen you know that kind of grueling testimony, you know, it’s as stressed out as I've ever been. And one of those was 14 hours, where you have to show not just spend a lot of time, like the 100 plus hours I calculated and saying, if you're in that big anthem data breach, what's your risk pattern? Well, I had to show that that came from a certain set of logic that is based on research. And obviously, there's no way a consumer will do that on their own. They don't have the background, they don't have the time. But I was hired to do that, and that's when I said, Well, I'm following the structured method that then, when I went on to be the main expert witness in Yahoo or other other cases, like a dozen of them, I applied the same process, but with a different set of variables, different breached identity credentials. So that's again, another long way of saying, yeah, there's no way a member will do that on their own. It's hypothetically possible, but we all know it never would be possible. So that's the beauty of AI. You could do that in milliseconds now.

Sarah Cooke: Yeah, so how is AI changing the field of fraud prevention, recovery, all that?

Jim Van Dyke: Yeah, yeah. You know, in most of the hype, you know, most of the well deserved type around AI right now is around generative AI, there are several different AI categories, which is why most vendors say, Hey, we're AI, and people can, it's ridiculous, you know, probably, you know, the small minority of vendors are truly AI. But in generative AI, which is really about creating content, publishable content, that's where most of the investment money is, and most of the real traction is today. We're not Gen AI. We're about getting expert systems making decisions that theoretically could be made by people, but you know, you remember never would. And so most AI that's applicable by credit unions today would either be in generative AI for content, like on a website or something, or it's used by some fraud prevention vendors in a behind the scenes nature and TransUnion does this as well, but that's for products that are used by the heads of fraud mitigation in a credit union for their own use. And that's all well and good, but I mean the problem with our massive ongoing identity fraud problem that will continue to be an ongoing problem because crimes of impersonation are the best way to take money from a bank or a credit union or card issue or whatever. Credit Unions are mainly fighting this problem through their enterprise fraud mitigation full time staff, and that's good. You should keep doing that, but with almost all of these losses happening through the member or in the name of the member, you have to partner with a member. And if you don't, Bank of America will figure out a way to do it first, or Wells Fargo, and they'll get a tighter relationship with their customer before you do.

Sarah Cooke: Yeah, and that, of course, can damage trust pretty significantly, even if it's not on you, even if it is on Target or Home Depot or whoever the breach, you know, corporate victim is, but it always comes back to that card issuer. So then also, on the flip side, criminals are getting like great tools as well. I was reading that. Let me see that note on the data point here that fraud is at the highest level in two years and and first quarter 24 or first quarter 23 is 31% increase. What are some of the new trends and tools that you're seeing that these guys are using to make it faster, better, cheaper?

Jim Van Dyke: Yeah, yeah. I'm glad you already asked about AI, because generative AI is being used by criminals right in these scam attempts. And every case of identity theft or fraud, again, which is the main way financial institutions are defrauded is through identity fraud that it's it's what I call a two crime, crime, meaning there are two separate events that maybe the same criminal or maybe two separate criminals working in a partnership conducted, the first one is compromising the data, and the second one is misusing the data that's been compromised. And it's really important to realize that it's generally a two step process, and where scams, you know, so the data might be breached or otherwise compromised. You know, could be a phishing attempt or something else, but these attempts at fooling the consumer into thinking that they're making a smart or a prudent effort at something you know, under the guise of a fake emergency or whatever else you know. The advice that used to make sense for members is, you know, look for the misspelling or the funky graphics or whatever. And with generative AI being so usable and the tools being so widely available by criminals, you know, we can no longer rely on that as the first point of advice for consumers. We actually have to be careful with that, because, you know, the inverse of that advice to consumers is, if you can't find a mistake, it's probably trustworthy. Well, that's now horrible advice, right? So we and I got an email from my financial institution the other day advising me inside the email to click on a link. Now, it's just awful advice. And people, so people are still doing that. So, yeah, criminals have embraced AI. They're, they're faster at innovation than even the fastest fi will be at innovation. And therefore we need to deploy solutions that partner with the member.

Sarah Cooke: And that's, you know, getting right back to that personalized identity risk assessment. So there is particular importance right now because of the severity of data breaches too, because I think TransUnion, from what I understand, kind of takes that data in aggregate and looks at it as well. And so what are you finding in aggregate that's happening?

Jim Van Dyke: So there's two unique things we do that came from my startup. Now a part of TransUnion, are again applying expert systems AI. We both scored the breach or the data compromise event, just like an earthquake or hurricane or whatever you know we're and in that case, in the case of breaches, every single publicly reported us breach, every breach that gets reported to a state attorney's general, which are dozens every day in the United States, we give a score to and in that case, a higher score is worse. So if there are a few 10s, there aren't many. East sides are 10s. Most breaches are ones or twos or threes. Thankfully, we're generally it's login information, but we saw in the first quarter, a skyrocketing amount of breaches involving SSNs. So we apply our AI to that instantaneously, so we can and it can help credit unions and others identify which particular breaches not only raise risk more but what they should do, what kinds of action they should take in anticipating fraud. And sometimes the breaches are regional, like it might be, just maybe can can members who are paying a water bill for a certain city and that municipal district or that local hospital was breached. So then we score the consumers identity, which represents all the data compromises, not just one, but all the data compromise events they've been in. So we apply that, and that's their identity safety score that I liken to a credit score earlier. And so we believe that rather than treating all breaches the same or every consumer's identity risk, that we should harness AI to start personalizing those to make action more simple.

Sarah Cooke: And you know, it's a great point you made earlier, too, about getting an email from your bank or your credit. I can't remember which I got. You know, I've gotten emails that I don't realize. I think they are fraud and actually are real. And so, yeah, that's definitely, obviously not one of the tips we want to give people anymore, or maybe shouldn't have to begin with, now that we look back on it. But what? What can credit unions do to help their members to avoid becoming a victim? And what can the credit unions do for themselves because this is a huge cost for credit unions. It's $30 or so to reissue cards for every single member that gets it, right?

Jim Van Dyke: Yeah, you know, and credit unions, as well as other financial institutions, are generally doing a good job of protecting data from getting breached, so I'm not saying back off of those efforts. But when you look at the financial industry compared to other industry industries, that's not where the data leakage is happening. It's happening in healthcare institutions, number one, educational institutions number two. And it's generally happening with third party providers, like third party firms that have, in the case of a credit union member data. But again, it's other industries that are leaking the data. So I'd say, keep up the work through credit union associations on penalizing firms that keep getting breached, largely in the healthcare sector or educational sector. But so we have to focus on the fraud, not the breach, and in focusing on the fraud, that's where the partnership communication is particularly important, and it is a real opportunity. So we found that consumers do remember, you know, they do notice when they've been breached or said that wrong. Sorry. Consumers are very concerned when they've been breached, but organizations that are required by law to notify consumers do a really sneaky job of confusing consumers. You know, they start out with these data breach letters, and we've all received them. They're a lot longer than they need to be by design. They're intentionally confusing. They're written above the eighth grade level that is advisable for the general public. And they started out with the same statement and saying, We don't, we have no reason to believe that you your data was used in fraud, which is a horrible self serving statement, and that no consumer should ever be told so in that, you know, if I were like writing communication materials to help members know how to protect themselves from possible fraud, fraud that's most likely to occur on the fi in a deposit or a card account that makes up the majority of all Id fraud. That's when you consider the new credit tax all those categories combined. I would tell people about it when they get a breach notice, and make sure they check their updates. Because those who notice that often don't, don't get seen by consumers because they go to a spam folder or other folders, and I'm convinced that Fi's are writing them so they look like garbage marketing. And again, I say this from an expert witness perspective that is not just a casual observer. So when they do that, tell the consumer to think about what kinds of fraud are most likely to occur. You know, if it was an SSN that was exposed. And again, in q1 we saw a record amount of SSN exposures from breaches. To focus on the kinds of online actions that consumers use SSNs for, which, again, would be new credit or tax refund fraud, or if it was your payment card, you know, hopefully that wasn't the credit union, you know, the credit if the credit union knows about that, they probably already reissued the card, but it might be a member that has a Bank of America credit card or American Express card, and this is a great opportunity to out service that credit union competitor and say, well, let's help you Protect your credit card information. Now you need to scrutinize your statement and double up on alerts. If you haven't done it, credit unions can pitch to the consumer on their own alerts, tell them about their own controls that they offer the consumer if they're strong, and hopefully they are. So really getting specific, which for some members might be saying, you know, just call a member service rep, go under a branch if you happen to be near one, and you can have a conversation. Because one of the problems with all this identity fraud risk and all these scams is it's creating fraud that breaks relationships, makes people leave credit unions for others, because then you know, if fraud occurs in somebody's account and the consumer confuses crime number one, the breach that occurred at the healthcare agency that created fraud in a card account, consumer can't figure that out, so it's better for the credit union to offer help in understanding the fraud risk before they lose the member, or before fraud happens. And then now the call centers jammed with a freaked out member.

Sarah Cooke: I think probably all financial institutions have been through that. I've certainly had it when I think it was the target one several years ago now. But yeah, yeah, I got hit then. So alright, we're at the point. Well, I want to say too, I love what you're talking about with communications. Obviously, that's what I'm about. But yeah, communicating more frequently, more clearly, your disclosure doesn't have to be five pages long. There could be three things that I really appreciate, because consumer protection isn't consumer protection if they can't understand what you're even telling them. And you know you were talking about eighth grade level. I have a master's degree, and I've been a professional editor for 25 years. I can't read it sometimes. So anyway, I'm going to go with we're about to wrap up here, because I know I appreciate your time and I don't want to take up too much of it, but I'm going to go ahead and give you the final thoughts as our guest. What are your parting thoughts for our audience?

Jim Van Dyke: Yeah, when we've asked consumers, what prevents them from addressing their number one financial area of interest, which is always cyber and identity safety. That's always number one in interest. They continue to tell us in survey after survey that it's the feeling of being either either confused or overwhelmed in the majority, for the majority of consumers, that's why they don't take action. And I personally have gone to all the sites that pop up if you Google terms like, what are the best ways to protect my identity from identity fraud? And they're not good. You know, there's. The advice is bad. The advice is generic. So this is a strong credit union opportunity to strengthen relationships and to do it faster and better, more effectively, in other words, than the banks. But we see the banks taking moves in these areas, and some of them are reaching out to us. So it's if you look at both Bank of America and Wells, Fargo has started to give tailored advice. But credit unions, we think, because of their higher authentic priority on member well being, have a great opportunity to outpace banks in this area. 

Sarah Cooke: I love it exactly. I don't need to. I knew I didn't need to say anything more. You said it all well. Thank you very much for your time, Jim, I appreciate you joining us today.

Jim Van Dyke: Yeah, great to be here. Sarah, thank you for taking the time with me.

Sarah Cooke: Have an excellent day.
Jim Van Dyke: Thanks, you as well, bye.