TL;DR: Identity theft remains a fraud pathway where stolen personal data is used to impersonate individuals, drain accounts, or bypass verification, and the article cites 7.9 billion exposed records in the first nine months of 2019 from RiskBased Security. The governance issue is not digitisation itself but weak identity proofing, insecure collection, and device oversight that let credentials and personal data become usable attack material.
NHIMG editorial — based on content published by Seamfix: identity theft prevention with digital verification, secure forms, and device control
By the numbers:
- A report by RiskBased Security revealed that 7.9 billion records were exposed by data breaches in the first nine months of 2019 alone.
- This figure is more than double, or 112%, the number of records exposed in the same period in 2018.
Questions worth separating out
Q: How should organisations reduce identity theft risk in digital onboarding?
A: Use higher assurance checks for anything that can change account control, move money, or expose sensitive records.
Q: Why do exposed identity records create long-term fraud risk?
A: Because identity data is reusable.
Q: What do security teams get wrong about identity theft prevention?
A: They often focus on spotting fraud after it starts instead of limiting where identity data can be collected, stored, and reused.
Practitioner guidance
- Harden identity proofing for high-risk transactions Use multi-factor verification and authoritative source checks when a request can move money, reset access, or change account details.
- Encrypt and minimise identity data at collection points Store only the identity fields the process truly needs, encrypt them at rest and in transit, and remove duplicate copies from forms, exports, and shared folders.
- Treat device loss as an identity incident Use central mobile device management to remote lock, blacklist, or revoke access when a device holding identity data is lost, stolen, or misused.
What's in the full article
Seamfix's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of identity verification workflows used to confirm who a user claims to be.
- Practical descriptions of secure digital forms and protected storage for identity data collected in the field.
- Device management actions such as remote restriction and blacklisting when a mobile device is compromised.
- The article’s own product examples for validation, data capture, and mobile control.
👉 Read Seamfix's guidance on preventing identity theft with digital verification and device control →
Digital identity and theft prevention in Africa: what teams need now?
Explore further
Digital identity theft is fundamentally a human IAM failure, not just a fraud event. The article correctly ties impersonation to identity proofing, data handling, and device control, which are the points where identity security either holds or collapses. When those controls are weak, attackers do not need to defeat the whole programme, only the trust assumptions around how a person is verified and how their data is protected. Practitioners should treat identity theft as a lifecycle governance problem, not a single detection use case.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when identity data on a lost device is misused?
A: Accountability sits with the programme that allowed sensitive identity data to remain accessible after the device left control. That means endpoint, IAM, and data governance teams all share responsibility. The right response is to define ownership for lock, revoke, and blacklist actions before the loss occurs, not after the fraud event.
👉 Read our full editorial: Identity theft controls are failing where digital verification expands