September 8, 2016
Major security breaches have become too common of a story, with retailers and websites hacked with alarming frequency. It has become so common that it can often take a fairly egregious breach – think SONY in 2014, or Target in 2013 – for something to become a high-profile news story.
Stealing and selling personal information is a profitable business. A report by Intel Security, “The Hidden Data Economy: The Marketplace for Stolen Digital Information” sheds light on just how lucrative this business can be.
“As the commercial value of personal data grows, cybercriminals have long since built an economy selling stolen data to anybody with a computer browser and the means to pay,” writes report author Raj Samani.
According to this report, the going rate for a U.S. credit card number and a software-generated card verification number is worth $5 to $8. Data that includes the number as well as a bank ID number or a date of birth sells for $15. “Fullzinfo” information, which may include details like a cardholder’s full name, address, mother’s maiden name, Social Security number, and other details, can sell for $30.
While those numbers sound low, it’s worth remembering that hackers often make data available in batches of hundreds of thousands – when Target was hacked in 2013, 110 million records were stolen – so en masse, these breaches can become very lucrative for those trading stolen information. Data from some other countries can cost even more, according to the report, with Fullzinfo records from the European Union selling for $45 each.
For ATM cards, the report outlines that US cards with PIN numbers go for $110 each, while cards in Europe are worth nearly twice that. Thieves are reported to use the data they’ve stolen to create actual cards that they claim buyers can use at ATMs throughout the world.
The marketplaces in which hackers and their clients interact operate much like the legitimate online stores, including customer reviews and forums with negotiation advice. According to the report, video advertisements promote the wares of larger sellers, with the videos trying to provide visual confirmation of the trustworthiness of the seller.
Marketplaces such as the now defunct Silk Road pop up and shut down quickly as buyers and sellers dodge law enforcement and attempt to determine whether they can trust one another, reports online security expert Brian Krebs.
According to Intel Security’s report, credit card information is not the only type of data available for scammers to buy online. Login information for everything from streaming music and videos to store loyalty programs can also potentially be found for sale online. The report found logins to HBO GO available for less than $10, stolen sports streaming logins with a list price of $15, and hotel reward memberships (including points) for $20.
Beyond corporate nuisance and reputation, data breaches have a real human toll. According to the latest numbers from the Bureau of Justice Statistics, in 2014, nearly 18 million Americans, or 7 percent of the adult population, experienced at least one incident of identity theft, with the most common type being misuse of an existing account. Of the more than 30 million Credit Karma members enrolled in credit monitoring who accessed their accounts in the last year, almost 1.7% received a fraud alert based on suspicious changes to their credit report.
In addition to being a hassle for victims who need to change their account information and often spend a lot of time clearing up disputes with credit agencies, there’s a financial toll to identity theft. According to the Bureau of Justice Statistics, about half of victims lost $100 or more to ID theft and 14 percent lost $1,000 or more.