05 May 2014

AIC Identity Crime Survey

The Australian Institute of Criminology has published Identity crime and misuse in Australia: results of the 2013 online survey (AIC Research in Policy and Practice no.128) [PDF] by Russell G Smith and Alice Hutchings.

It is described as
This report was commissioned by the Attorney-General’s Department (AGD), as part of broader work under the National Identity Security Strategy to develop a national identity crime measurement framework, with the analysis by the AIC. Attorney-General, the Hon. Senator George Brandis QC, released the report at CeBit 2014 in Sydney. 
The report is a significant independent survey in 2013 of ID crime and misuse in Australia of 5000 participants. It provides an estimation of the extent of the issue, and describes financial loss of victims of ID crime, as well as examining public perceptions. 
The survey asked about the misuse of various types of personal information such as an individual’s name, address, date of birth, place of birth, gender, driver’s licence information, passport information, Medicare information, biometric information (eg fingerprint), signature, bank account information, credit or debit card information, password, personal identification number (PIN), tax file number (TFN), shareholder identification number (HIN), computer and/or other online usernames and passwords, student number, as well as other types of personal information. 
Among other survey findings, 21 percent of the 5000 respondents reported misuse of their personal information at some time during their life, with nine percent reporting misuse of their personal information in the previous 12 months.
The summary is as follows -
Prior research by the Australian Bureau of Statistics (ABS) (2012) has shown that over 700,000 Australians, or approximately four percent of the population aged 15 years and over, fell victim to identity fraud in 2010–11. Criminal misuse of identity not only impedes consumer activity and confidence in the financial system, but costs business and government substantial sums in responding to and preventing these crimes.
The advent of the internet and online commerce has substantially expanded the opportunities that exist for the commission of identity crime and the Australian Government has responded by developing a National Identity Security Strategy, which was endorsed by the Council of Australian Governments (COAG) in 2007. In May 2013, the Australian Institute of Criminology (AIC) was commissioned by the Australian Government Attorney-General’s Department (AGD) to undertake a large-scale survey to determine the extent and impact of identity crime and misuse in Australia. This report presents the results of the survey—respondents’ experiences of victimisation for the 12 months prior to the survey and their perceptions of the risk of identity crime in the following 12 months. The survey was administered in September 2013.
Definitions
Rather than ask respondents about their experience of identity crime, a concept that can be problematic in terms of precise definition, this survey asked about the misuse of various types of personal information. This was defined as including misuse of an individual’s name, address, date of birth, place of birth, gender, driver’s licence information, passport information, Medicare information, biometric information (eg fingerprint), signature, bank account information, credit or debit card information, password, personal identification number (PIN), tax file number (TFN), shareholder identification number (HIN), computer and/or other online usernames and passwords, student number, as well as other types of personal information.
Misuse of personal information was defined as obtaining or using personal information without permission, to pretend to be the person in question or to carry out a business in that person’s name without their permission, or other types of activities and transactions. The use of personal information for direct marketing, even if this was done without permission, was excluded.
Sample description
In September 2013, a questionnaire comprising 23 main questions (see Appendix 1) was administered online to a research panel of Australians drawn from all states and territories. The sampling frame and survey hosting were undertaken by i-Link Research Solutions, a commercial provider that provided raw de-identified data for the AIC to analyse.
Data were weighted to reflect the distribution of the Australian population based on census data of the ABS (2013). Age and gender were used as qualifying variables, so that the results of respondents were nationally representative. The results have not, however, been weighted to indicate national estimates of prevalence and financial loss that would have been experienced had the entire Australian population aged 15 years and over be surveyed, as the sampling frame was insufficiently robust to permit such estimations to be undertaken.
Sampling was completed once quotas had been satisfied and a sample of 5,000 participants obtained. The results of five respondents were removed from the sample as they did not normally reside in Australia and therefore were not eligible to participate, leaving a final sample of 4,995 for analysis.
Perceptions of misuse of personal information
Participants were asked, in terms of harm to the Australian economy, how serious they thought misuse of personal information was. A high proportion (68.8%) of respondents believed that misuse of personal information was very serious and a further 27.8 percent believed it was somewhat serious.
When asked if they thought the risk of someone misusing their personal information would change over the next 12 months, 19.8 percent believed it would increase greatly and 45.4 percent believed it would increase somewhat. Only one percent believed that the risk would decrease somewhat or greatly.
Both of these levels of perception concerning seriousness and likelihood of change were higher than similar findings reported by Di Marzio Research (2012) and the Office of the Australian Information Commissioner (OAIC) (2013), although the questions asked and sampling frames employed in these two earlier surveys were different from those of the present study. Experience of misuse of personal information The present survey found that 20.8 percent of the 4,995 respondents reported misuse of their personal information at some time during their life, with 9.4 percent reporting misuse of their personal information in the previous 12 months. The number of separate occasions upon which participants believed that their personal information had been misused ranged from one to 20 occasions. Just over half of the participants (53.7%) believed that their personal information had been misused on a single occasion only. This level of victimisation is somewhat lower than the lifetime prevalence rate of 27 percent of respondents to the National Fraud Authority’s (2013) survey of identity fraud in the United Kingdom, but higher than the 8.8 percent of respondents in the United Kingdom who reported experiencing identity fraud in the year 2012. It is also higher than the United States National Crime Victimization Survey (NCVS) lifetime prevalence rate of 14 percent and the 12 month prevalence rate of 6.7 percent (Harrell & Langton 2013). The present survey’s lifetime prevalence rate of 20.8 percent is also much higher than the 13 percent lifetime rate of identity fraud reported by respondents to the OAICs (2013) survey. These variations are most likely due to the different sampling frames used, data collection techniques employed and the focus of questions asked of respondents.
Losses, costs and consequences resulting from the misuse of personal information
Participants who had experienced misuse of their personal information within the last 12 months were asked about their losses; that is, how much they were left out-of-pocket as a result, excluding any money that they were able to recover from banks and any costs associated with repairing what occurred. Almost half (n=210, 45.7%) were not left out-of-pocket. The remaining 250 participants experienced losses that, when weighted, ranged from $1 to $310,000 (mean=$4,101, median $247, SD=$34,062). It was found that over three-quarters (75%) of participants experienced losses of up to $1,000, with some reporting the much higher amounts. Total losses amounted to $1,025,250. Participants who had been reimbursed by banks or other organisations, or recovered their losses in other ways as the result of the misuse of their personal information in the previous 12 months, had recovered between $2 and $310,000. When the data were weighted, the mean amount reimbursed or recovered was $2,381 and the median amount reimbursed or recovered was $300 (SD=$23,478, n=255). It was found that most participants received reimbursement or recovery of small amounts with few receiving much higher amounts. The total reimbursed or recovered during the last 12 months was $607,164. The remaining 205 participants (44.6%) did not receive any reimbursement or recover any losses.
In addition to suffering out-of-pocket expenses, some participants experienced other consequences, the most frequent of which were having been refused credit (14.1%), experiencing mental or emotional stress requiring counselling or other treatment (10.7%) and having been wrongly accused of a crime (5.5%).
Participants reported having spent between zero and 500 hours dealing with the consequences of having had their personal information misused over the previous 12 months (mean=18.1 hours, SD=49.5 hours), with 95 percent of respondents spending 60 hours or less. In addition, 56.1 percent of respondents indicated that they had incurred costs dealing with the consequences of having had their personal information misused over the previous 12 months ranging from $1 to $60,000. Half (50.4%) of those who had spent money spent $40 or less.
Participants were also asked if they were aware that a person who has had their personal information misused could apply to a court to obtain a victim certificate to prove what had occurred and if they had done so in the past. It was found that 3.4 percent (n=168) of respondents indicated that they were aware of victim certificates and had applied for one. It is possible that this question was misunderstood and participants may instead have believed that they were being asked about other actions they could have taken, such as having fraudulent information removed from their credit information file. To date, statutory victim certificates have rarely been applied for and certainly not to the extent reported in this survey (Personal communication, Attorney-General’s Department, September 2013). Reporting the misuse of personal information Of those who experienced misuse of their personal information, 8.9 percent did not report it in any way, 53.5 percent told a friend or family member, 7.8 percent told a government agency or a business organisation and 29.8 percent told a friend or family member, as well as a government agency or business organisation. Respondents were asked to specify which government agency or business organisation they had reported to and how satisfied they were with the outcome. The majority of reports resulted in a satisfactory or very satisfactory outcome. Participants were most satisfied with the response provided by Medicare Australia (91.7% responded either satisfied or very satisfied), an internet service provider (91.3%) and a bank, credit union, credit/debit card company or e-commerce provider (89.1%).
In terms of the reasons for not reporting, 39.5 percent of respondents did not report the misuse of their personal information because they did not believe anything could be done about it, 23.6 percent were too embarrassed to report it, 23.1 percent did not know how or where to report the matter and 12 percent did not believe it was a crime.
Behavioural changes arising from the misuse of personal information
Participants were asked how their behaviour had changed as a direct result of having had their personal information misused. The top five behavioural changes were changing passwords (48.5%), being more careful when using or sharing personal information (48.1%), changing banking details (42.5%), reviewing financial statements more carefully (39.6%) and not trusting people as much (39.0%). A minority (5.9%) of participants who experienced misuse of their personal information in the previous 12 months indicated that this did not result in any behavioural changes.
These types of behavioural changes are similar to those identified by the ABS (2008) Personal Fraud Survey 2007, which asked comparable questions of a nationally representative sample of Australians (these questions were not included in the ABS 2010–11 survey; ABS 2012).
The most serious occasion of misuse of personal information in the previous 12 months
Participants who experienced misuse of their personal information within the previous 12 months were asked further questions about the most serious occasion on which misuse had occurred during the last 12 months. The most serious occasion was defined as the occasion that resulted in the largest financial or other harm to the participant.
The top three types of personal information that had been misused were credit and debit card information (52.3%), name (40.2%) and bank account information (31.1%).
Participants were asked how they believed that their personal information had been obtained for the most serious occasion of identity crime in the previous 12 months. The top five ways were from theft or hacking of a computer or other computerised device (20.0%), from an online banking transaction (19.5%), by email (18.3%), from information placed on a website other than social media, such as online shopping (15.7%), and from an ATM or EFTPOS transaction (11.0%).
Participants were asked how they believed that their personal information had been misused on the most serious occasion in the previous 12 months. The top three reasons were to obtain money from a bank account (excluding superannuation; 35.4%), to purchase something (32.5%) and to apply for a loan or obtain credit (8.1%).
Participants who indicated that their personal information had been misused to purchase something were asked to specify what was purchased. The most commonly purchased items included airfares and travel, and electronic devices, such as computer equipment and mobile phones. Participants were asked how they became aware of the misuse of their personal information on the most serious occasion in the previous 12 months. The top three ways were receiving a notification from a bank or financial institution and/or credit card company (43.4%), noticing suspicious transactions in a bank statement or account (33.3%) and receiving a bill from a business or company for which they were not responsible (13.5%). Participants were asked how much they were left out-of-pocket due to the misuse of personal information for the most serious occasion in the past 12 months (excluding any money that they were able to recover from banks and any costs associated with repairing what occurred). No financial loss was experienced by 200 participants (43.5%). The remaining 260 participants experienced losses ranging from $1 to $310,000. When these data were weighted, for those who suffered a loss, the mean financial loss was $4,816, the median loss was $200.00 (SD=$30,541.36). It was found that over three-quarters (75%) of participants experienced losses of up to $800, with few reporting the much higher amounts. The total lost in the most serious occasion was $1,252,177.
Participants who had been reimbursed by banks or other organisations, or recovered their losses in other ways, in respect of the most serious occasion recovered between $1 and $310,000. When weighted, the mean amount recovered was $2,209.41, the median recovered was $227.00 (SD=23,944.16, n=246). It was found that most participants received reimbursement or recovery of small amounts with few receiving much higher amounts. The total recovered was $543,514.00. The remaining 214 participants (46.5%) did not receive any reimbursement or recover any losses for the most serious occasion in the past 12 months.
Characteristics of those who experienced misuse of personal information in the previous 12 months
The demographic characteristics of those who experienced misuse of personal information in the previous 12 months were explored in more detail using statistical analysis.
Variables that were found to not have a significant relationship with misuse of personal information in the previous 12 months included place of normal residence, age group, gender, language spoken at home and the number of hours spent on a computer or computerised device.
A statistically significant relationship was found between experiencing misuse of personal information in the previous 12 months and Indigenous status (Indigenous was defined as those who identified as Aboriginal, Torres Strait Islander, or both Aboriginal and Torres Strait Islander). These results indicate that those who identified as Indigenous were more likely to experience misuse of their personal information.
A significant relationship was also found between individual gross income category and experience of misuse of personal information in the previous 12 months. Those in the lowest income category ($18,200 and under) were less likely to experience misuse of their personal information and those earning $37,001 and above were more likely to experience misuse.
A significant relationship was also found between perceptions of the seriousness of misuse of personal information and experiencing misuse of personal information in the previous 12 months, with those who had experienced misuse being more likely to perceive it as being very serious. Similarly, a significant relationship was found between perceptions of the risk of misuse of personal information in the next 12 months and experiencing misuse of personal information in the previous 12 months.
Two significant relationships were found between place of normal residence and the place from which personal information had been obtained in respect of respondents who had experienced misuse of their personal information in the previous 12 months. First, it was found that respondents located outside a capital city were significantly more likely than those who were located in a capital city to have had their personal information lost or stolen from a business or other organisation (ie a data breach). Second, it was found that respondents located outside a capital city were significantly more likely than those who were located in a capital city to have had their personal information obtained from a website other than social media (eg during online shopping).
Further analyses were undertaken to test the relationship between the characteristics of respondents who reported a financial loss and the amount that they reported. No significant relationship was found between the amount of financial loss and age, gender, location, income and Indigenous status.
A significant relationship was found between financial loss and language spoken at home, with those who spoke English having lost significantly more than those who spoke a language other than English at home.
The number of hours spent dealing with the consequences of identity misuse, as well as the amount of money spent, were both found to have a significant medium, positive correlation with amount of financial loss, indicating that the higher the financial loss, the more time and money was spent dealing with the consequences. 
Conclusion 
The results of this survey confirm prior research that misuse of personal information remains a significant form of criminal activity in Australia in 2013. Those individuals who participated in the survey indicated high levels of victimisation, including both financial losses for which they were out-of-pocket and were not compensated by banks and other organisations, and a range of non-financial losses that involved loss of personal time, as well as mental and emotional consequences for which treatment was required, on occasions. Victims also indicated changes in their personal and online behaviour as a result of their experiences, thus detracting from the positive benefits of online consumer activity. Some categories of victims, including Indigenous Australians and those with higher income levels, experienced significantly higher rates of victimisation. 
The results of the survey could be used effectively by those charged with devising fraud prevention initiatives in a number of ways. For example, it would be possible to provide targeted information to those most likely to be victimised outlining how they could better protect themselves against identity crime and misuse. Hopefully, such initiatives may result in future surveys of this kind finding reduced levels of victimisation and lower financial and other consequences for Australians in the years ahead.