Back to Thoughts

Do Data Breaches Drive Fraud?

Why stolen identity data has a long tail, and why fresh provenance signals matter.

By Simon Delaney • June 3, 2025

The question

Do data breaches appear to fuel later fraud, and does fresh identity data make it easier to spot fraud built on old, compromised records?

Our five-year analysis found a strong relationship between breach spikes and later fraud increases. It does not mean every fraud case can be traced to a specific breach, but the pattern is hard to ignore: stolen identity data remains useful to criminals long after the breach itself has left the news cycle.

The basic argument

Data breaches do not just create an immediate fraud problem. They create a long tail of identity risk. Stolen records keep circulating, being tested, enriched, repackaged, and reused. That means older, compromised data can still be used to pass weak identity checks years later. Fresh identity signals matter because they expose when a record may be real in format but stale, recycled, or no longer connected to the person it claims to represent.

I have written separately about the Human Data Illusion, the way companies treat data as human simply because it looks human. This article looks at the breach side of the same problem: how stolen identity data keeps circulating long after the original breach.

Breach trends, 2019 to 2024

In the United States, reported data breaches climbed from 1,108 in 2019 to 3,205 in 2023, an increase of roughly 189 per cent according to the Identity Theft Resource Center. Most of that growth was driven by cyberattacks rather than accidental exposure, with thousands of malicious breaches recorded in 2023 alone.

Annual data breaches and fraud reports in the US and UK, 2019 to 2024

The UK pattern is different in shape but similar in direction. The Information Commissioner's Office reported around 11,854 personal data breach notifications in 2019/20, dipping during the pandemic and rebounding above 11,000 by 2024. Unlike the US, a larger share of UK breach reports stem from human error rather than cyberattacks, but the volume of compromised personal data has remained high.

Fraud trends that move with the breach data

US identity theft reports more than doubled from 650,523 in 2019 to 1,387,615 in 2020, according to the FTC Consumer Sentinel Network. Pandemic benefits fraud was a clear accelerant, but elevated identity theft volumes did not return to pre-2020 levels once the emergency support schemes ended.

In the UK, Cifas recorded around 249,000 identity fraud cases in 2024, the highest figure in its Fraudscape series. Roughly 86 per cent of identified fraud now takes place online, with bank accounts the most common target. UK Finance's annual fraud reports show a similar pattern of persistently high authorised and unauthorised fraud losses.

Across both jurisdictions, breach volumes and identity fraud volumes have moved in the same direction over five years. That is correlation, not proof of direct causation. But the relationship is consistent enough that it would be strange to dismiss it.

Why breach data has a long tail

A stolen payment card can be monetised quickly. A password dump can be used for credential stuffing almost immediately. But full identity data is different. A name, address, date of birth, phone number and email can be reused, combined, enriched, and tested for years. That is why identity data breaches do not just create a short-term spike. They create a reservoir of raw material for future fraud.

Timeline showing different fraud lag periods by breach type
  • Payment card breaches: fraud typically appears within days or weeks.
  • Credential dumps: account takeover attempts often follow within days.
  • Full identity data (PII): fraud risk persists for months or years as data is recombined and reused.

Why fresh identity signals matter

Fresh data does not mean perfect data. It means current signals that are harder for a criminal using stale breach data to reproduce. A breached record may contain a real name and a real address, but it cannot easily prove that the same person is reachable on that phone today, active on that email this week, or applying from a device and location that fits their pattern.

The kinds of signals that help include:

  • Current phone activity and reachability
  • Recent email activity and deliverability
  • IP and device consistency
  • Behavioural signals during the application
  • Address recency and tenure
  • Velocity checks across applications
  • Evidence that the human is present now
  • Whether the record is still connected to the person it claims to represent

Some fraud detection benchmarks, such as those published by Socure, suggest that fresh, real-time identity signals can catch a high proportion of fraud while sending only a small share of applications to manual review. The exact figure depends on the dataset and the model. The principle is the more useful point: fresh signals make stale breach data easier to detect.

The provenance problem

If breached identity data can fuel fraud for months or years, the next question is obvious: where does the identity data used to detect fraud come from?

A KYC or fraud system may return a match, but that match is only as trustworthy as the data underneath it. A match against recent, directly collected, well-permissioned data is not the same as a match against legacy, brokered, duplicated, or breach-heavy data.

This is why "does it match?" is no longer enough. The better question is: should this match be trusted?

Where this leaves us

The point is not that every fraud case can be traced neatly back to a specific breach. The real world is messier than that.

The point is that breached identity data has a long tail. It keeps circulating, gets repackaged, gets tested, gets enriched, and eventually appears in places where it can look much cleaner than it really is.

That is why fresh data matters. And it is why provenance matters even more. A match against an old, recycled, breach-heavy record should not carry the same confidence as a match against recent, directly collected, well-permissioned data.

The question is no longer just: does this identity match? The question is: should this match be trusted?

FAQ

Do data breaches always lead to fraud?

Not always in a simple linear way. Different breach types create different risks and timelines. Payment card data can be used quickly, credential dumps can drive account takeover, and full identity data can remain useful to criminals for months or years.

Why can identity data from old breaches still be useful?

Because identity data can be combined, enriched, tested, and reused. A name, address, date of birth, email and phone number may still help a criminal pass weak checks long after the original breach.

Why are fresh identity signals useful in fraud detection?

Fresh signals help show whether the record is still connected to a real person now. Current phone activity, email activity, device behaviour, IP consistency and recent address evidence can expose fraud built on stale breached data.

Does a data match prove an identity is trustworthy?

No. A match only proves that the submitted data exists somewhere in a reference source. The more important question is where that reference data came from, how fresh it is, and whether it is independent, permissioned and trustworthy.

What is the link between breaches and data provenance?

If breached data keeps circulating through the consumer data ecosystem, fraud and KYC systems need to understand the provenance of the data they match against. A match against old or breach-heavy data should not carry the same confidence as a match against recent, directly collected data.

References

  • Identity Theft Resource Center, Annual Data Breach Reports, 2019 to 2023.
  • FTC Consumer Sentinel Network Data Books, 2019 to 2023.
  • Information Commissioner's Office, annual and quarterly personal data breach statistics, UK.
  • Cifas, Fraudscape annual reports.
  • UK Finance, Annual Fraud Report.
  • FBI Internet Crime Complaint Center, Internet Crime Reports.
  • Socure, fraud detection benchmark publications.