How Collection Account Data Creates A Complete Identity Profile For Attackers

When most people think about identity theft, they picture stolen credit card numbers and hacked login credentials. The threat posed by collection account data is discussed far less often, yet this type of data contains many more sensitive pieces of information than the average consumer probably realizes. The recent Wakefield and Associates data breach illustrates how much personal and financial information these companies hold, and how easy it is to build a full identity profile from that information when it falls into the wrong hands.

Collection agencies occupy a unique position because they acquire both patient and consumer information from a variety of sources (such as healthcare, finance and insurance companies). As accounts are sent to collections, the files typically include: name, Social Security number, address, date of birth, driver's license information, account number, and in some situations health-related billing information. Generally speaking, no single platform keeps all of these things in one place; however, most collection files do.

This kind of consolidation makes collection data highly valuable. Attackers see collection files as pre-packaged identity packets because they show all aspects of a person's identity in a single location, rather than requiring bits and pieces to be gathered from multiple breaches. As a result, criminals do not need to research many different types of data about a person in order to commit fraud. Additionally, even an attacker with access to only a fraction of the data in a collection file can still determine what else they need to complete their identity map by examining how the collection records are structured.

Another under-considered aspect of collection file data is how old the data is and where it originates. Since collection portfolios are built from data acquired over the years from various systems, such as hospital billing systems, practice management software, claims processing programs, and even legacy accounting systems, they contain identifiers that may not be visible to the public (e.g., the name of the original claimant). Once again, an attacker with access to the collection data sees not only the present data but also a history of the identity that has been built over many years.

The Wakefield & Associates case showcases just how delicate this environment can be. An attacker who gains access to a collection account compromises not only individual data records but all the components necessary to perpetuate identity theft for an extended period of time. Since collection files contain financial information and personal identifiers, an attacker gains the potential to use those files to an extent far beyond their initial acquisition.

It is a great challenge for consumers to comprehend just how much information about them is held by collection agencies, and why all of that data is structured the way it is. When a collection agency takes on the role of recovering accounts on behalf of an organisation, it also obtains a vast quantity of personal information about those individuals, made up of several different items that, when aggregated, form a very powerful repository of personal data; however, visibility into this aggregated data from outside the agencies is typically extremely limited.

Due to the large number of records these agencies maintain across a multitude of clients, the concentration of this type of data increases further. Therefore, as cyber threats continue to increase and grow in sophistication, it is imperative for consumers to understand the importance of collection account records and how they serve as the foundation of a blueprint of our identities. The way in which collection account records are created, stored, accessed and transmitted needs to continue to strengthen in order to mitigate risk for the collection agency as well as for each of the individuals whose personal data has been transmitted.