The numbers are staggering.

According to the Privacy Rights Clearinghouse, more than 8,000 data breaches have been made public since 2005, with more than 10 billion individual records breached. Last year, the Equifax breach alone affected 143 million American consumers. It’s a fact: Massive amounts of credit and debit card information, including other types of personal data, have been compromised by fraudsters.

How does this impact consumers who apply for credit cards or shop online? Fraudsters may be using their stolen information to apply for mortgages, credit cards, loans, make online purchases and commit other forms of online and offline fraud. In the retail, e-commerce, financial services and lending sectors, between 31-43% of monthly transactions involve fraud attempts, according to LexisNexis. 

Fraudsters are gaming the system by exploiting the way that businesses and banks do identity and credit checks to assess risk. Meanwhile, legitimate consumers, thin-file millennials and those living on cash are caught in the dragnet of anti-fraud measures set up by businesses and subject to friction and financial exclusion.

Consider what happens when a person applies for a bank account. With digital transformation being a market mandate today, businesses steer applicants to an online form over visiting a branch in person. Behind the anonymity of a web browser or a mobile app, the applicant can enter whatever data they want: It could be valid data in the right hands, valid data in the wrong hands (i.e., stolen) or simply fake data.

Businesses attempt to validate the information on digital applications through one or more credit bureaus for identity verification as well as credit risk assessment. In addition, banks have a regulatory requirement to complete background checks for know your customer (KYC) and anti-money laundering (AML) programs. Ironically, those regulations often only require banks to rely on verifying information that has been stolen or can easily be found online, such as people’s names, addresses, dates of birth and social security numbers.

The credit agency breaches are a gift that keeps on giving to fraudsters for as long as the bureaus’ data is used for these identity and credit checks. When fraud occurs, the banks are responsible for the loss, not the credit bureaus. Meanwhile, the victim whose identity was stolen is left to deal with the aftermath.

Proposed government legislation aims to hold companies accountable by assessing financial penalties and compensation if they expose consumer data to hackers. Bills like the Data Breach Prevention and Compensation Act address what happens after the data is stolen to encourage measures to prevent breaches in the first place. Europe is enacting a similar law called the General Data Protection Regulation, which goes into effect in May this year, to protect EU citizens’ personal data.