Even though the number of security hacks and data breaches have been growing over the past several years with millions of consumers affected, you might still choose to think that your own data isn’t all that valuable to cyber criminals around the world. Even if your data is picked up in one of those breaches — say, your credit card number was one of those lifted from the Target hack, for example — it might be hard to believe that someone is willing to pay money for it on the black market. With the rules of supply and demand, it’s easy to believe that your data might just not be worth that much with so many other victims to choose from.
The reality is that there’s still a booming demand for stolen customer data on the Deep Web — the dark corners of the Internet where Google’s search algorithms don’t look and you need specially encrypted devices to view results. In many cases, stolen data that’s placed on websites known to attract cyber criminals is picked up extremely quickly, and often downloaded more than once by would-be identity thieves.
In 2014, 783 data breaches were reported, a 27.5% spike from 2013. Through March 20, 2015, another 174 breaches affecting almost 100 million consumers have already been reported this year. In light of these breaches, data protection firm Bitglass created 1,568 fake people and shared their fabricated personal data online, to see how quickly and how much demand there was for the information. What they found is that data continues to move quickly in the nether regions of the Internet, and there’s still quite a demand for personal information.
To conduct their experiment, Bitglass created the fake people and randomly generated their social security numbers, phone numbers, addresses, and credit card numbers within an Excel spreadsheet. The company used a distribution proxy, which watermarked the spreadsheet. With the watermark permanently in place, it would “call home” every time the document was opened so the company could look at IP addresses, geographic location, and device type used to access the “stolen” (fake) data.
The experiment attempted to show how stolen data is shared, bought, and then sold on the black market, according to Bitglass. The spreadsheet was posted anonymously on the Deep Web, or “Dark Web,” as Bitglass calls it. From there, crime syndicates in Russia and Nigeria picked it up, shared it among their contacts to vet its validity, and then shared the data elsewhere on the Deep Web. Within just 12 days, the data was accessed by users on five continents (excluding Australia and Antarctica), seen by people in 22 countries, and viewed 1,081 times with 47 unique downloads. The data got the most attention within the countries of Brazil, Russia, and Nigeria. (It seems the Nigerian “princes” have moved on to more stealthy crimes than just emailing you scams asking for money).
“What we set out to do was to figure out whether there is a liquid market for stolen data,” Nat Kausik, CEO of Bitglass, told The Wall Street Journal. “What we found was there is a pretty active liquid market for stolen data.”
Though law enforcement do attempt to track stolen data transactions on the Deep Web, and companies are doing what they can to prevent breaches, more has to be done to create company alerts when their systems have been breached, Kausik said. This needs to happen before hackers have a chance to get away with the mother lode of personal information.
“We had no idea what to expect, how many people would download and view stolen data,” Kausik said. “When you are a resident of the U.S. you don’t think your ID as a person is of value to someone else. It’s a little bit unsettling to find out there is market for it.”
An interactive tool created by data security firm Trend Micro gives an overview of some of the cyber criminal hubs around the world, and also estimates what your personal data might be worth to those hackers or buyers on the black market. The company highlights heavy cyber criminal activity in Russia, China, and Brazil, with each country’s hackers interested in various pieces of your personal information.
For example, email account credentials might sell on the Chinese underground market for around $163, the company shows. In Brazil, a list of mobile phone numbers can be expected to retail for between $290 and $1,236. Landlines are still valued more highly, often selling for between $317 and $1,931.
The company can also provide an overview of what your individual information could be worth in those three countries, if offered up on its own. Just your credit card information, for example, might be worth $135 in Brazil, but almost nothing in Russia or China. When paired with your mobile phone number, your personal email address information, and your online shopping credentials, however, that value jumps to $1,421 in Brazil, $1627 in China, and $105 in Russia.
Though the experiment and worth of your data might be concerning, there is other research that shows that companies are getting faster at detecting when breaches occur. It’s by no means a perfect — or even good — system yet, but it’s clear that companies are beginning to take breaches more seriously. If nothing else, the demand for that data suggests breaches are the new norm, and companies have to prepare for that.
Follow Nikelle on Twitter @Nikelle_CS