In April 2007, the Council of Australian Governments (COAG) agreed to a National Identity Security Strategy to better protect the identities of Australians. This arose out of emerging evidence at the time that large numbers of Australians experience misuse of their personal information for criminal purposes each year (Cuganesan & Lacey 2003; OAIC 2007). The strategy sought to enhance identification and verification processes throughout Australia and to develop other measures to combat identity crime, including the creation of a national Document Verification Service to verify the authenticity of identity credentials, and the development of reliable, consistent and nationally interoperable biometric security measures by all jurisdictions (AGD 2012).
The strategy also recognised the need to quantify the nature and extent of identity misuse, particularly the victimisation experiences of Australians, and recommended the creation of an identity crime and misuse longitudinal measurement framework that could be used to measure the effectiveness of policy and practice throughout Australia. As part of the measurement framework, large-scale surveys have been conducted to determine respondents’ experiences of victimisation during the preceding 12 months and their perceptions of the risk of identity crime in the ensuing 12 months.
This report presents the results of the latest survey undertaken by the AIC, in May 2014. It updates information obtained in an earlier survey, undertaken in 2013, and provides an indication of how the current identity crime and misuse environment has changed in Australia between the two surveys. Future surveys will continue to track changes in victimisation rates and the economic impact of identity crime and misuse.
The 2014 survey adopted the same definitions as the 2013 survey and asked respondents about the misuse of various types of personal information. This included misuse of an individual’s name, address, date of birth, place of birth, gender, driver’s licence information, passport information, Medicare information, biometric information (eg fingerprint), signature, bank account information, credit or debit card information, password, personal identification number (PIN), tax file number (TFN), holder identification number (HIN), computer and/or other online usernames and passwords, student number, as well as other types of personal information.
Misuse of personal information was defined as obtaining or using personal information without permission, to pretend to be the person in question or to carry out a business in that person’s name without their permission, or other types of activities and transactions. The use of personal information for direct marketing, even if this was done without permission, was excluded.
In May 2014, a questionnaire comprising 23 main questions (see Appendix 1) was administered online to a research panel of Australians drawn from all states and territories. The sampling frame and survey hosting were undertaken by i-Link Research Solutions, a commercial provider that provided raw de-identified data for the AIC to analyse.
Data were weighted to reflect the distribution of the Australian population based on census data from the Australian Bureau of Statistics (ABS 2014). Age and gender were used as qualifying variables, so that the results of respondents were nationally representative. The results have not, however, been weighted to indicate national estimates of prevalence and financial loss that would have been experienced had the entire Australian population aged 15 years-and-over been surveyed, as the sampling frame was insufficiently robust to permit such estimations to be undertaken.
Sampling was completed once quotas had been satisfied and a sample of 5,000 participants obtained. Of the 5,000 respondents in 2014, 1,008 reported misuse of their personal information in the preceding 12 months. Of these, 15.7 percent had completed the AIC’s survey in September 2013. In terms of reported victimisation in the preceding 12 months, therefore, an overlap of four months was present—between May 2013 and September 2013—when those who completed both surveys could have reported the same victimisation events. It was not known, however, precisely how many victims in 2014 were the same individuals as in 2013.
Perceptions of misuse of personal information
Participants were asked, in terms of harm to the Australian economy, how serious they thought misuse of personal information was. A high proportion (68.1%) of respondents believed that misuse of personal information was very serious and a further 28.2 percent believed it was somewhat serious. These responses were very similar to the perceptions recorded in 2013.
When asked if they thought the risk of someone misusing their personal information would change over the next 12 months, 22 percent believed it would increase greatly and 45 percent believed it would increase somewhat. Only 0.8 percent believed that the risk would decrease somewhat or greatly. Again, these responses were very similar to perceptions of change recorded in 2013. Interestingly, these perceptions do not reflect the actual reported changes in victimisation, which were minimal between 2013 and 2014.
The perceived level of concern disclosed in the current survey is, however, higher than that reported in prior research by Di Marzio Research (2012), the Office of the Australian Information Commissioner (OAIC 2013) and Veda (2014, 2015), although these prior surveys were not directly comparable in terms of samples and questions asked.
Experience of misuse of personal information
The present survey found that 20.4 percent of the 5,000 respondents reported misuse of their personal information at some time during their life, with 8.9 percent reporting misuse of their personal information in the previous 12 months.
The number of separate occasions in which respondents believed that their personal information had been misused ranged from one to 200 occasions. Just more than half of the participants (53.3%) believed that their personal information had been misused on a single occasion only—almost the same as in 2013 (53.7%).
The level of lifetime victimisation (20.4%) is very similar to that reported in the AIC’s 2013 survey, but lower than the lifetime prevalence rate reported in the UK National Fraud Authority’s (NFA 2013) survey of identity fraud (27%). It is, however, higher than the 13 percent reported in the OAIC’s (2013) survey, the 14 percent in the US National Crime Victimization Survey (NCVS) (Harrell & Langton 2013) and the 17 percent reported by respondents to Veda’s survey (2015).
In terms of reported victimisation in the preceding 12 months, the present survey’s 8.9 percent rate is less than the 9.4 percent reported in the AIC’s 2013 survey, and almost the same as the UK NFA’s (2013) rate of 8.8 percent. It is, however, higher than Di Marzio Research’s (2012) 7 percent, Veda’s (2015) 5 percent, and the ABS’s (2012) 4 percent. Again, these variations are most likely due to the different sampling frames used, data collection techniques employed and the focus of questions asked of respondents.
Losses, costs and consequences resulting from the misuse of personal information
Participants who had experienced misuse of their personal information within the past 12 months were asked about their losses—that is, how much they were left out-of-pocket as a result, excluding any money that they were able to recover from banks and any costs associated with repairing what had occurred. Almost half (n=206, 46.2%) were not left out-of-pocket, which was much the same as in 2013 (45.7%). The remaining 240 participants experienced losses that, when weighted, ranged from $1 to $200,000 (mean=$3,572, median=$300, SD=$19,554). The mean and standard deviation were higher than in 2013, and the median loss of $300 was also higher than the $247 recorded in 2013.
It was also found that three-quarters (75%) of participants experienced losses of up to $1,000, with few reporting the much higher amounts. Total losses amounted to $858,599, which was 16.3 percent less than the $1,025,250 recorded in 2013.
Participants who had been reimbursed by banks or other organisations, or recovered their losses in other ways after the misuse of their personal information in the previous 12 months, recovered between $1 and $2m. When the data were weighted, the mean amount reimbursed or recovered was $15,317 and the median amount reimbursed or recovered was $350 (SD=$167,916, n=250). These statistics were much higher than in 2013 owing to the much higher maximum recovered, of $2m, in one case. It was found that most participants received reimbursement or recovered small amounts, with few receiving much higher amounts. The total reimbursed or recovered during the past 12 months was $3.8m—considerably higher than the $607,164 recovered in 2013. The remaining 206 participants (46.2%) did not receive any reimbursement or recover any losses. Amounts recovered in the 12 months preceding the 2014 survey did not necessarily relate to the losses experienced during the same period, making it impossible to state a percentage of losses recovered during the 12 months in question.
In addition to suffering out-of-pocket expenses, some participants experienced other consequences, the most frequent of which were being refused credit (14.9%), experiencing mental or emotional stress requiring counselling or other treatment (11.9%) and being wrongly accused of a crime (5.2%). These findings were consistent with those reported in 2013. In addition, some victims were denied access to their credit cards, bank accounts and utility accounts, and one victim said that police ‘came to arrest me’.
Participants reported having spent between zero and 500 hours dealing with the consequences of having their personal information misused over the previous 12 months (mean=15.3 hours, SD=42.2 hours), with more than half (55.7%) spending three hours or less; this was much the same as in 2013. In addition, almost half (49.1%) of respondents indicated that they had incurred costs dealing with the consequences of having their personal information misused over the previous 12 months, ranging from $1 to $100,000. Half (50.2%) of those who had spent money spent $35 or less.
Participants were also asked if they were aware that a person who has had their personal information misused could apply to a court to obtain a victim certificate to prove what had occurred and if they had done so in the past. It was found that only 171 (3.4%) respondents indicated that they were aware of victim certificates and had applied for one, while 14.9 percent of respondents were aware of the availability of certificates in 2014. These findings are almost identical to those in 2013, indicating a need to raise awareness of victim certificates.
Reporting the misuse of personal information
Of those who experienced misuse of their personal information, 10.1 percent did not report it in any way, 48.5 percent told a friend or family member, 10.6 percent told a government agency or a business organisation and 31 percent told both a friend or family member and a government agency or business organisation. There was a small (1.2%) increase between 2013 and 2014 in those who failed to make any reports, while overall there was an increase in reporting to government and business. This could be due to increased publicity of the need to report by groups such as the Australasian Consumer Fraud Taskforce (ACFT).
Respondents were asked to specify which government agency or business organisation they had reported to and how satisfied they were with the outcome. The majority of reports resulted in a satisfactory or very satisfactory outcome. Participants were most satisfied with responses provided by financial institutions (77.5% were either satisfied or very satisfied), followed by utility companies (74.3% were either satisfied or very satisfied). Levels of satisfaction with reports to Medicare Australia declined between 2013 and 2014: in 2013, 91.7% were either satisfied or very satisfied, while in 2014 this had fallen to 63.3%. The lowest levels of satisfaction were in relation to reports to consumer protection agencies.
In terms of the reasons for not reporting, 32.5 percent of respondents did not report the misuse of their personal information because they did not believe anything could be done about it and 35.2 percent did not know how or where to report the matter. This latter reason showed a large increase from the 23.1 percent recorded in 2013. In 2014, a further 18 percent did not believe it was a crime and 14 percent were too embarrassed to report it.
Behavioural changes arising from the misuse of personal information
Participants were asked to indicate if, and how, their behaviour had changed as a direct result of having their personal information misused. Almost all (91.6%) indicated that they had changed their behaviour in some way—a similar result to the previous 12 months (94.1% in 2013). Some respondents even indicated that they had changed their place of residence (n=13 in 2014).
The top-five behavioural changes made in 2014 were changing passwords (56.1%), reviewing financial statements more carefully (39.6%), being more careful when using or sharing personal information (38.6%), changing banking details (34%), and not trusting people as much (32.1%). The top-five behavioural changes were the same as in 2013, although the proportion who said they changed passwords increased by 7.6 percentage points over the 12 months. These types of behavioural changes were similar to those identified by the ABS Personal Fraud Survey 2007 (ABS 2008), which asked comparable questions of a nationally representative sample of Australians (these questions were not included in the ABS 2010–11 survey; ABS 2012).
The most serious occasion of misuse of personal information in the previous 12 months
Participants who experienced misuse of their personal information within the previous 12 months were asked further questions about the most serious occasion on which misuse had occurred during that time. The most serious occasion was defined as the occasion that resulted in the largest financial or other harm to the participant.
The top-three types of personal information that had been misused were credit and debit card information (51.8%), name (36.7%) and bank account information (24.6%). These were the same top-three categories identified in 2013. Almost half of the respondents (44%) indicated that only one type of personal information had been misused.
Participants were asked how they believed their personal information had been obtained for the most serious occasion of identity crime in the previous 12 months. Of the 339 respondents who responded to this question, 23 percent did not know how their information had been obtained. Others reported the top-five ways as being from theft or hacking of a computer or other computerised device (20.2%), from an online banking transaction (15.1%), from information placed on a website other than social media (such as online shopping) (13.5%), by email (12.9%), and from information lost or stolen from a business or other organisation (i.e. a data breach) (10%). The top-four sources were the same as in 2013, but information obtained from an ATM or EFTPOS transaction declined by almost 5 percentage points between 2013 and 2014.
Participants were asked how they believed their personal information had been misused on the most serious occasion in the previous 12 months. The top-three reasons were to purchase something (35.8%), to obtain money from a bank account (excluding superannuation) (24.8%), and to file a fraudulent tax return (5.6%). Although the top-two categories of misuse were the same as in 2013, the misuse of information to apply for a loan or to obtain credit declined by 3.1 percentage points between 2013 and 2014.
Participants who indicated that their personal information had been misused to purchase something were asked to specify what was purchased. The most commonly purchased items were consumer electrical goods (n=21), airfares and travel (n=16), fashion items (n=15) and for gambling (n=7), the last two of which were more prevalent in 2014 than in 2013.
Participants were asked how they became aware of the misuse of their personal information on the most serious occasion in the previous 12 months. The top-three ways of becoming aware of misuse were receiving notification from a financial institution (38.9%), noticing suspicious transactions in a bank statement or account (33.3%) and receiving notification from the police (8.4%). Between 2013 and 2014, there was a 6.1 percentage point reduction in individuals becoming aware of misuse after receiving from an organisation a bill for which they were not responsible.
Participants were asked how much they were left out-of-pocket due to the misuse of personal information for the most serious occasion in the past 12 months (excluding any money they were able to recover from banks and any costs associated with repairing what occurred). Almost half of the participants (n=222, 49.8%) did not report any out-of-pocket losses. The remaining 224 participants experienced losses ranging from $1 to $200,000. When these data were weighted, for those who suffered a loss, the mean financial loss was $3,687, and the median loss was $200 (SD=$20,181). Three-quarters (75%) of participants experienced losses of up to $750, with few reporting much higher amounts. The total out-of-pocket losses in the most serious occasion reported in 2014 were $824,800. This was 34.1 percent less than the total in 2013 ($1.25m).
Participants who had been reimbursed by banks or other organisations, or recovered their losses in other ways, for the most serious occasion recovered between $1 and $60,000. When weighted, the mean amount recovered was $1,318; the median recovered was $350 (SD=4,505, n=244). It was found that most participants received reimbursement or recovered only small amounts, with few receiving much higher amounts. The total recovered was $321,653, which was 40.8 percent less than the $543,514 recovered in 2013. The remaining 202 participants (45.3%) did not receive any reimbursement or recover anything relating to the most serious occasion of misuse in the previous 12 months.
Characteristics of those who experienced misuse of personal information in the previous 12 months
The demographic and behavioural characteristics of those who experienced misuse of personal information in the previous 12 months were explored in more detail using statistical analysis.
The findings of the survey for 2014 found the following statistically significant relationships between variables:
- experience of misuse of personal information in the previous 12 months and Indigenous status (those who identified as Indigenous were more likely to experience misuse of their personal information);
- individual gross income and misuse of personal information in the previous 12 months (those in the lowest income category, $18,200 and under, were less likely to experience misuse, and those earning $37,001 and above were more likely to experience misuse);
- perceptions of the seriousness of misuse of personal information and experience of misuse of personal information in the previous 12 months (those who had experienced misuse of personal information in the previous 12 months were more likely than expected to perceive that risks would increase in future);
- place of normal residence and the place from which personal information had been obtained (those located in a capital city were significantly more likely than those who were not in a capital city to have had their personal information obtained from the theft of their mail);
- age category and the amount of financial loss, with the average financial loss generally increasing with age; and
- financial loss and the number of hours spent dealing with the consequences of identity misuse, as well as the amount of money spent (the higher the financial loss, the more time and money were spent dealing with the consequences).
No significant relationships
Variables that were found in 2014 not to have a significant relationship with misuse of personal information in the previous 12 months included place of normal residence, age group, gender, the number of hours spent on a computer or computerised device and language spoken at home.
Further analyses were undertaken to test the relationship between the characteristics of respondents who reported a financial loss and the amount they reported. No significant relationship was found between the amount of financial loss and gender, location, language spoken at home, Indigenous status or individual gross income. Further analysis of the relationship between age, gender and amount of financial loss showed that gender was not statistically significant when controlling for age.
The results of this survey confirm prior research that misuse of personal information remained a continuing problem in Australia in 2014, with one in five survey respondents reporting misuse at some time in their lives. Of the one in 11 respondents who experienced misuse of their personal information in the past 12 months, more than half had experienced financial losses for which they were not compensated. In addition, they experienced a range of non-financial losses including loss of personal time, as well as mental and emotional consequences, sometimes requiring treatment. Victims also indicated changes in their personal and online behaviour as a result of their experiences, thus detracting from the positive benefits of online consumer activity. Some categories of victims, including Indigenous Australians and those with higher income levels, experienced significantly higher rates of victimisation, in the same way as reported in the 2013 survey.
The present survey results should assist those charged with devising relevant prevention initiatives by assisting them in determining where to direct targeted information to those most likely to be victimised and indicating the best ways in which those at risk of victimisation can protect themselves against identity crime and misuse. Over time, such initiatives may result in reduced levels of victimisation and lower financial and other consequences for Australians in the years ahead.