That sounds like a lot. It is, and it is only part of the story: these figures cover the first six months of 2016 and count only incidents that were publicly disclosed. The bulk of the records were in the US, because to date there is little in the way of breach disclosure law in Europe, something that will change when the General Data Protection Regulation (GDPR) comes into force in May 2018.

By complete coincidence, Financial Fraud Action, an industry body funded by the banks, announced today that more than one million incidents of card, online banking, telephone banking and cheque fraud occurred in the U.K. in the first six months of the year.

The two sets of statistics are linked: the sort of data records referred to in the first report is exactly what fuels the fire of financial fraud. (Apologies for the alliteration!)

Each record gives a criminal the raw material to 'socially engineer' an unwitting victim. Much of the data in the 'lost' records may already exist in the public domain, but because it was taken illicitly from a source the victim trusts, it lets the fraudster pose convincingly as that source. That credibility is what makes the records extremely valuable to the fraudster.

This has often been one of the criticisms levelled at PCI DSS: it is a standard that focuses on a single data asset, payment card data. In our experience as a PCI Forensic Investigator (PFI), it is not unusual to find e-commerce merchants who have done everything the standard asks of them while leaving other security doors wide open.

With criminals upping their game in carrying out such attacks, it is imperative that all businesses protect every piece of customer data with which they have been entrusted, not just the data that falls within scope of PCI DSS. Whilst a consumer can generally recover the loss from a fraudulent credit card transaction, a payment they were socially engineered into authorising themselves is usually not recoverable.