Identity thieves want to steal as many identities as they can, so they can sell them to other criminals who will immediately use them to defraud users, right?

Wrong, according to a study being released today by ID Analytics Inc., which operates a nationwide network of identity information compiled from multiple resources and industries. The study, which evaluated cases of ID theft and the use of the stolen data, debunks some myths about fraud.

For example, while much hype surrounds large breaches such as TJX, the study found that smaller breaches had a higher misuse rate. Misuse of personal data ranged from one in 200 identities for breaches of fewer than 5,000 individuals to a misuse rate of less than one in 10,000 identities for breaches of more than 100,000 individuals.

In most cases, fraudsters don't store up stolen ID information, but cycle through it quickly, the study says. Fraudsters misuse a breached identity for no more than two weeks before moving onto the next identity, researchers found.

The study found no evidence that fraudsters who misuse breach data were selling the data broadly or distributing it over the Internet. "This finding is significant because one of the greatest potential risks of data breaches is the broad dissemination of personal information to others with criminal intent," ID Analytics says.

You can get a copy of the report by contacting ID Analytics via [email protected].

— Tim Wilson, Site Editor, Dark Reading