Marc Daalder is a political reporter based in Wellington who covers Covid-19, climate change, energy, primary industries, technology and the far-right. Twitter: @marcdaalder.

Newsroom

Identity theft by the numbers

Every year, 130,000 New Zealanders are hit by identity theft. Here's what you need to know.

The announcement on Sunday that 302 people had their passport numbers and drivers licenses compromised on a Ministry of Arts, Culture and Heritage website was a canary in the coalmine.

According to the Department of Internal Affairs, as many as 133,000 Kiwis are victims of identity theft annually. That represents a $209 million burden on the economy, not to mention incalculable stress for those affected.

The Government has been working since March of last year on revamping the Privacy Act to better deal with identity theft. But what really is identity theft, and what does it look like?

By the numbers

On Tuesday, David Lacey spoke about identity theft at the annual Identity Conference, held in Te Papa in Wellington. Lacey heads up IDCARE, a non-profit that provides free advice to Australians and Kiwis who have had their identities stolen.

He said that 22 percent of identity scams are carried out by phone - a surprisingly high number in an increasingly digital world.

The most commonly compromised information is identity documents. Passports top the list, with 21.2 percent of New Zealand cases that IDCARE has handled involving stolen passport numbers. Drivers licenses come next, at 19.7 percent.

After that, financial documentation is in high demand. Credit and debit cards were stolen in just under 14 percent of cases, as were bank account details. Internal revenue numbers were also a popular target, with 7.7 percent of cases involving them.

Others are more esoteric. One of the top identity scams involves cloning someone's mobile phone, Lacey said. Mobile phone data was stolen in 10.9 percent of IDCARE's New Zealand cases.

How data is misused

By far the number one motivation of identity thieves is accessing your bank account. In 28.7 percent of IDCARE's NZ cases, the scammers used the stolen information to access victims' bank accounts.

Fraudulently using debit and credit cards came second, with 16 percent of cases, followed by fake tax lodgements at 6.8 percent. Sending unauthorised emails was also a motive, with 5.8 percent of scammers engaging in this behaviour.

According to Lacey, the average Kiwi identity theft victim lost $12,213.

Detection is key

Prevention, Lacey says, is difficult. About a quarter of types of scams can't be prevented. There is no way, for example, to stop someone from opening a fake email or social media account in your name.

Instead, scam detection is the the most important focus for protecting your identity. On average, it takes about 18.9 days to find out that your identity has been stolen, while it only takes the thieves 6.7 days to put the ID to misuse.

Detection varies by type of theft. For example, relationship scams, in which money and personal info is stolen by someone pretending to be an online love interest, take Kiwis 287 days to detect on average. This is despite the fact it only takes about 38 days for a victim to start sending money to the phoney online lover.

Importantly, about 80 percent of identity scams are detected by the victims themselves. It takes organisations twice as long to detect a breach as it does individuals. And in New Zealand, companies are not required to inform customers if their information has been compromised or breached.

That is something that the new Privacy Bill currently before Parliament seeks to address. If companies don't notify affected customers, they could pay a fine of up to $10,000.

This is paltry when compared with the European Union's privacy requirements, which can charge companies up to 20 million Euros. The proposed penalty is also less than what the average Kiwi victim of identity theft loses - around $12,000.

John Edwards, the Privacy Commissioner, previously argued for a $1 million fine for companies that seriously violate their privacy obligations.