Over 300,000 Kiwis had their identities stolen in the past 12 months and approximately 200,000 of them had their stolen identities actively misused by the thieves, according to IDCARE.
Only 7.6 percent of people reported the theft to police, says New Zealand’s national identity and cyber community support service, which was launched by the Minister of Justice in 2015.
IDCARE’s latest report is based on its household survey of 3,500 Kiwis, plus the experiences of clients that engaged its services throughout 2016.
IDCARE managing director, Professor David Lacey, says each theft equates to a loss of nearly $10,000. “Almost every incident is preventable,” he adds.
Key household survey findings show that:
- 6.1 percent (~ 200,000 residents) of New Zealanders aged 18 and over have experienced some form of identity compromise, and then a subsequent misuse of that information, over the past 12 months
- 8.3 percent (~310,000 residents) of New Zealanders aged 18 and over believed their identity had been compromised over the past 12 months
- only 7.6 percent of New Zealanders surveyed who had experienced a compromise and/or misuse had reported the event to New Zealand Police – down from the previous 2014 survey
- on average, it took New Zealanders 18 hours to respond to their identity and cyber-crime related event
- $9,832 was the average financial loss experienced per identity compromise and misuse event
- 83 percent of respondents that experienced an identity crime event felt extremely dissatisfied with how organisations treated them in response to their event
- 27 percent of New Zealanders experienced some form of mental health impacts that required professional support following the event
- approximately half of all survey respondents (including those that had not experienced identity compromise and misuse) believed that they would experience this crime at some point in their lives.
IDCARE clients also found that:
- the most popular credentials targeted by identity thieves impacting New Zealanders were passports (49 percent), driver licences (35 per cent) and bank account details (32 percent)
- approximately a third of clients experienced misuse of their personal information in the unauthorised access of their bank accounts
- the most prevalent form of identity compromise came from the theft of physical credentials (27 percent), followed by telephone scams (21 percent) and website scams (16 percent)
- it took on average New Zealanders 17 days to detect the compromise of their identity credentials and criminals approximately 72 hours to misuse these details
- 94 per cent of New Zealanders detect the compromise of their identity information first (before an organisation).
Whilst a little over one in four misuse events result from stolen wallets, purses and documents, there is a growing trend around online and telephone scams, Lacey notes. “These tend to originate offshore and add continued complexities in their investigation and resolution for individuals and organisations.”
Most of the data breach events throughout 2016 originated from attacks from offshore. “In some instances, the attacking source had previous indicators of being associated with phishing and spamming but were not detected.”
Ransomware attacks also increased, particularly amongst accounting and medical practices. “Small businesses continue to be a growing target of ransomware attacks and the ability to respond and restore is almost completely dependent on whether they business backs up their systems on separate devices and offline,” Lacey warns.
He insists almost every compromise is preventable and believes that New Zealanders need to be selfish and investigate before they take action.
“In the majority of cases where the compromise was not a physical theft of credentials, the individual had direct contact with the criminal – in other words, they actually facilitated the compromise of their personal information because they believed what the criminal was telling them,” Lacey explains.
“This can be avoided by not responding to someone who approaches you online or offline asking for your details.”
Consumers shouldn’t feel pressured into acting without getting advice first from family, friends, even IDCARE (0800 201 415).
“Make sure you have anti-virus on all internet enabled devices, including smart phones and including Apple, and make sure it is up to date,” Lacey advises.
Watch where personal information is kept and stored. “Avoid keeping scanned copies of licences and passports on email accounts.”
Organisations should plan for the worst as making up a data breach plan when it happens is not when plans should be made. “Call IDCARE to assist and visit privacy.org.nz to get some great materials from the Privacy Commissioner’s Office,” Lacey concludes.
