In a story of intrigue worthy of a James Bond movie, a Stradivarius violin was stolen from the concertmaster of the Milwaukee Symphony. The thief had scoped out the habits of the player and then accosted him in the theater parking lot following a concert. The thief shot him with a taser, grabbed the violin, jumped into a van with his accomplices and took off through the dark streets. Of note, this violin is one of perhaps 600 remaining Stradivarius' around the world and these 300Y old violins are considered by musicians and collectors to be the best ever made. The value of this particular violin was estimated at $6mm. While the heist was carefully planned and well executed (and thankfully the violinist was not seriously injured), the thief found that unloading a collector's item for anything close to the actual value was all but impossible. In the end the thief gave the violin back to police and will be spending some time in jail contemplating this omission in his planning.
This tale illustrates a lack of sophistication and foresight that is generally not found among cyber thieves who seem to operate with ever more success in stealing debit/credit card information from large retailers and financial institutions. We are curious though, with the magnitude of the thefts, what is the plan for using the stolen information? What can a thief do with 70 or 90mm credit card numbers - especially given that once the data breach is discovered, those card numbers are disabled and rendered useless. There is a definite shelf life to this information.
Are customers concerned about data theft? The first really big one that occurred at Target around Christmas of 2013 certainly caused a stir. Target earnings were significantly impacted for a time, but now with even larger breaches at Home Depot and Chase, customers have mostly yawned and moved on to the next item of interest. The number of Americans who say they worry "a great deal" about identity theft came in at 23% in a recent survey, down from 31% a year ago.
Perhaps this is because thefts have become somewhat commonplace, but perhaps more important is that no one hears of the theft of 10mm customer records one week and then of $100mm of fraudulent charges the following week. The connection between privacy breaches and financial harm is not clear cut. In addition, consumers carry little liability for data thefts ($50 if they report the problem in time or $500 maximum). Of the institutional theft incidents, certainly no customers were assigned any liability. So, while consumers are concerned, perhaps the impossibility of using what was stolen and the lack of liability has diminished that concern.
Banks still carry a great deal of reputational risk if they (or their outside contractors) are at fault, however. There could be some relief down the road though, as card numbers become more secure as the US fully adopts EMV chip technology in use throughout most of the rest of the world. In the meantime, the temporary nature of the salability of credit card information should make it difficult for thieves to fully use what they have.
As for the thief who steals a collector's item like a precious violin, we note there is little worry that the value will decline or expire like a stolen credit card. In fact some Stradivarius violins have gone missing for generations, only to turn up later and even more valuable Most thieves don't have the time to wait for the value of their stolen goods to appreciate.