Future of IT: If you or your company are the victim of a cyberattack, where does this stolen data land and what is it used for?
Stolen data is a highly sought-after commodity in the underground internet, but its resale value may surprise you. Not a week goes by without a data breach being reported in the news. The idea that our data is lost by the companies that collect it, while still painful, has become so widespread that it's not as surprising as it used to be.
The recent data security breaches that have affected Ashley Madison and Hacking Team reveal how devastating these types of cyberattacks can be, with millions of user accounts compromised, the loss of intellectual property, and the spread of personal information about users and executives on the web. In Trend Micro's new report, "Understanding Data Breaches," the security specialist looks at which entities are most often targeted in data breaches, how they occur, and what happens once data leaves corporate networks.
Using the Privacy Rights Clearinghouse (PRC) database of data breaches, Trend Micro found that hacking or malware accounted for only a quarter of the breaches identified between 2005 and April this year. Attacks from within are also a common reason for data loss, as is the use of physical credit card copying devices. The loss or theft of devices such as laptops and USB flash drives and their physical files are also among the root causes of devastating data security breaches.
Reports of card breaches have jumped 169% in 5 years
However, not all data breaches have malicious origins. Unintentional disclosure, due to errors or negligence, is also one of the reasons reported for the information being in the wrong hands.
Payment service providers are a prime target for hackers today: reports of payment card data breaches have jumped 169% in the last five years. Cybercriminals can steal data via card copying, by fingerprinting payment cards, housing card copiers or cameras in ATMs, and modifying point-of-sale terminals. Interestingly, hardware keyloggers installed on cash registers are also becoming a data theft tactic.
However, the healthcare sector is now the most affected by data breaches, followed by the public sector, retail and education. Trend Micro reports that personally identifiable information is the most common type of stolen record, followed by high-value financial data.
Selling credit cards
In addition to the usual bank accounts and payment card data, Uber, PayPal and online gambling site accounts are also subject to haggling on the dark web. When you enter the deep web (which is a small part of the hidden web that is only accessible through the Tor Onion network), the stolen you can buy credit cards. For sale is easy to find. PayPal and eBay accounts with a transaction history of a few months or years sell for up to $300 each.
According to Trend Micro, compromised Uber accounts are in high demand in the underground internet, as they can be charged fraudulently and allow users to enjoy free rides. Naturally, bank account details are offered at a higher rate, between $200 and $500 per account. The higher the available balance, the more expensive they are sold.
Credit card data is offered for sale to anyone who is willing to pay to get it. If price ranges vary based on supply and demand, validation, and the amount of money that can be stolen before deactivation, bulk purchase lowers the unit price. Some sellers insist on selling in this format, suggesting that the data was acquired as a result of a large-scale cyberattack. It is possible to buy credit cards from all continents, but cards outside the United States tend to reach higher prices than those registered at addresses in the United States.
Personal data is no longer worth much
When it comes to personally identifiable information, it is sold for about $1 per line. Each line of data contains a name, full address, date of birth, Social Security number, and other personally identifiable information. If someone buys even a few lines, they can commit serious identity theft. Trend Micro says this data used to sell for $4 per line, but given the number of data breaches that have occurred recently, supply has increased and demand has decreased.
However, if someone really wants to rob a potential victim, they can buy credit cards for $25 a unit. In addition, scanned copies of passports, driver's licenses and consumer bills, among others, are offered for purchase between $10 and $35 per document.
Trend Micro concludes with a caveat: "Any company that processes and/or stores sensitive data may be subject to a security breach. Ultimately, no defense is impregnable for determined opponents. The key principle of defense is to consider that you can be compromised and to take the necessary counter-measures."