From dossiers to Dutch auctions, the murky market for stolen information is a cross between a James Bond flick and a Persian bazaar. And your personal information is likely on the sales floor.
“It’s about monetizing whatever you’ve got,” said Rodney Joffe, senior vice president and technologist at security consultancy Neustar.
After the mega breach of 70 million payment card records and another 40 million bits of personal information from discount retailer Target (TGT), cyber crooks have lots of sellable details at their disposal.
In fact, Larry Ponemon, chairman and founder of the Ponemon Institute that specializes in data privacy, reckons there is a veritable “flood of information” now available on the black market.
Next on the Auction Block: You
At face value, the data are worth surprisingly little. According to a report Ponemon compiled for FOX Business, one credit card record fetched about 97 cents on the black market in March 2013. The figure is down sharply from $1.49 in February 2012 and a whopping $26.06 in January 2006.
The glut of supply, it turns out, is putting pressure on prices, according to cyber experts.
“When you get this kind of volume, you can’t get as much money,” said Joffe, who has testified before Congress on cyber security issues. The thieves “can’t find enough people to sell them in blocks to generate all this money.”
The hackers, however, have found ways to capitalize on the surge of information seen in recent years.
One method they’ve found effective, according to Ponemon, who’s also briefed Congress on data security, is by “trading” information. For example, if one thief has an individual’s debit card pin number, and another is looking to obtain a separate person’s social security number, they might decide to swap the information on underground forums and chat rooms.
Digging into the data, medical records along with a health insurance ID card fetched $47.62 in Ponemon’s March survey, while social security numbers coupled with personally-identifiable information were worth $14.02, and debit card-pin-code combinations ran $9.55.
“Anyone who tells you their systems are secure is delusional or lying."
- Rodney Joffe, senior VP and technologist at Neustar
Taken together, the complete picture can be worth hundreds to thousands of dollars when sold in various venues, including electronic Dutch auctions.
“The more sensitive the data, the more it’s worth to cyber criminals,” said Ponemon. “That’s the crown jewel information to a criminal.”
A $760 Million Price Tag
Of course, the crooks’ gain comes at a hefty price to the targeted firms.
A separate survey by Ponemon estimates Target will face a cost of about $17 per swiped record – adding up to about $760.2 million at the end of the day. For perspective, the discount retailer earned $341 million on sales of $17.3 billion in the third quarter of 2013.
In comparison, fellow retailer TJX Group (TJX) paid in the order of $540 million in a hack attack that revealed around 40 million records, according to Ponemon’s survey.
The per-capita cost of suffering a breach actually falls as the scope widens. In fact, more frequent breaches in the 100,000-record area tend to cost $188 per piece of data stolen. That’s because many of the costs retailers face are fixed. For example, setting up a 24/7 call center is generally required even for the smaller breaches. Other costs are variable, like litigation expenses and the cost to replace payment cards that financial institutions try to pass on to the retailer, according to Ponemon.
The buck doesn’t stop with the retailers, or the financial instructions, or even the insurers.
“At the end of the day, it will be passed on to the (consumer),” said Joffe.
Nothing is Really Secure
Joffe said he expects an increase in credit card fees, higher insurance premiums and potentially a reduction of credit generally as the rate of data snafus swells.
Perhaps most ominously, the cyber security experts said breaches are becoming unavoidable across the board despite even the best defense. Joffe said a system leveraging microchips in credit cards that is favored in Europe could make the situation better, but, even then, the Target situation may have been inevitable.
Many cyber security companies are advising clients to focus on stemming the effects of the attack as opposed to outright blocking it.
Joffe compared the situation to a missile. A country can’t stop the weapon from being launched, but it can work swiftly to mitigate the effect afterwards. He said in the case of Target, even the best security might not have been enough to stop the hackers in their tracks. He said the retailer’s bigger fault was how long it waited to disclose the information and halt the compromise.
“Anyone who tells you their systems are secure is delusional or lying,” he warned.