One of the things people would like to find out is how likely it is that improperly-revealed personal information will be used to commit real fraud.
ID Analytics has done some research which they interpret as suggesting that even with focused attacks, where the bad guy is going after SSN and account information, the probability of illicitly-gained PII being used for actual fraud is less than 1 in 1000.
In looking over some information I received from New York, I noticed a case in which branded credit card applications (including the assigned CC#) were targeted, and 150 stolen. Now, I don’t know if the case I’m talking about is like those in the “targeted” group studied by ID Analytics, but if it is, I’d expect maybe one fraud attempt, and that’s being extremely generous.
The number actually observed: 11, all fraudulent purchases.
There is a lot of work left to be done on this topic, that’s all I’m saying.
Updated: Link to press release, and characterization of observed fraud.