Our data are a valuable commodity that cyber thieves trade in the back rooms of the Internet — far beyond the reach of Google and other common search engines.
Those thieves exploit vulnerabilities in computer networks large and small to access consumer data they then process and sell. The data fuels a vast underground economy that, as with any other marketable commodity, responds to the laws of supply and demand.
The Maine attorney general’s office last year received more than 250 data breach notifications, of which 28 affected 100 or more Mainers.
The data from high-profile breaches — such as the 2013 cyber attack against Target, in which thieves stole credit and debit card account information belonging to 40 million Americans, including more than 115,000 Mainers — often end up for sale in marketplaces on the “dark Web.”
But following so many major breaches, the influx of data into the underground marketplace has caused the value of our personal and financial data to plummet. Cyber thieves have responded by targeting different types of data, such as credentials for video and music streaming services.
So data breaches, which already occur regularly, are likely to continue making headlines in 2016 as cyber thieves adapt, trying to come out ahead in the underground economy.
Giving away the bank
The dark Web economy has evolved over the last few years to include offerings of all types of data, including log-in credentials for streaming services (Netflix and HBO Go), online shopping accounts (eBay and Amazon) and even payment services (PayPal), according to a 2015 report on the illicit data trade by Intel Security.
Financial information, such as credit and debit card data, is among the most commonly sold products in these marketplaces. The prices for these data products vary depending on their freshness, supply, balance and level of detail.
If a buyer wants credit card data just to make purchases or withdraw money from ATMs, vendors offer a basic package with a card number, expiration date and three-digit security code for about $5 per card, according to the Intel Security report.
But if the buyer wants to more fully take control of a victim’s bank and credit accounts, vendors offer a more detailed package with the victim’s account number, name, address, Social Security number, date of birth and even mother’s maiden name for as little as $30 on some marketplaces.
Back in 2011, this information would have cost hundreds of dollars per card, but the marketplace has been inundated with data after a number of high-profile breaches, forcing down the price, according to Raj Samani, vice president and chief technical officer for Intel Security in Europe, Middle East and Africa, who was one of the authors of the 2015 report.
Still, even with a significant decline in prices, vendors on the dark Web can turn a profit on stolen financial data, Samani said. For example, the 40 million credit and debit card accounts stolen in the Target breach sold at $5 apiece could have netted cyber thieves at least $200 million.
“They’re happy to sell you a card at $5 apiece if they’ve got a hundred million cards,” Samani said.
Credit and debit card data are a perishable commodity, so cyber thieves are motivated to move their product quickly. Once a breach has been reported and banks cancel the cards, these data become worthless, according to Christopher Budd, global threats communications manager at Trend Micro, a Texas-based cyber security company.
Because these data tend to spoil quickly, some black market data vendors offer their customers replacement or refund policies if more than 25 percent of the cards in a given batch are canceled or do not have the advertised balance, Budd said.
Dark Web vendors have responded to this influx of perishable data by diversifying their offerings to include Netflix login credentials that sell for 55 cents per account. These credentials may even allow a buyer to access credit card information linked to the account.
“As you see with any mature economy, once a commodity is no longer lucrative, they turn to a new product,” Budd said.
For sale: Your identity
It’s not just financial information that trades hands in the backrooms of the Internet. Names, dates of birth, Social Security numbers — the basic building blocks of an identity — have become hot commodities. Unlike financial data, there is no expiration date.
Vendors sell Social Security numbers, names, addresses, social media credentials and other individual pieces of data for about $1 each, according to a 2015 report on data breaches by Trend Micro. In 2014, a Social Security number and other pieces of data would have sold for $4 each but, as with credit and debit card data, prices have fallen as the market has been flooded with personally identifiable information.
Buyers also can get scans of passports, driver’s licenses and utility bills for between $10 and $35 per document, according to Trend Micro. A credit report for someone with a high FICO score can go for $25.
It doesn’t take much personal data for buyers to file fraudulent tax returns, apply for loans or credit cards, register fake accounts and commandeer email and social media accounts in order to phish for yet more personal information.
“What worries me is the variety of data that is available,” Samani said. “It’s gotten really personal, the fact that you can buy identities.”
Samani mentioned one case in which he and other researchers located the digital identity of a man living in the United Kingdom for sale on the dark Web that included a rich data set with his name, address, date of birth, email addresses and passwords, Twitter and Facebook log-in credentials and even his parents’ names and their social media accounts and passwords.
“His whole life was being traded by criminals, and he had no idea,” Samani said.
While the man in the U.K. easily could change passwords for his social media accounts and email, he couldn’t cancel his date of birth and name after it hit the market.
“Once the data is out there and you get your ‘tattoo,’ it’s there for life. You can try to remove it — it’s painful and it’s incredibly expensive — but it leaves scars,” Samani said. “This sort of stuff stays with you forever.”
A global market
In the dark Web data marketplace, data from Maine have value on the other side of the world. The global nature of data theft makes it a challenge for law enforcement.
Last year, the cyber security company BitGlass conducted an experiment in which it posted a spreadsheet containing 1,568 fake names complete with Social Security numbers, credit card numbers, phone numbers and addresses on a dark Web marketplace.
Within two weeks, researchers found, the data had been accessed 1,081 times and downloaded 47 times in 22 countries across five continents.
This underscores the problem law enforcement faces when investigating data breaches — the criminals responsible often are located far beyond its jurisdictional reach, making investigations and prosecution difficult. With little threat of being caught, criminals reap high rewards with little risk.
Not all escape the reach of the law. Last year, a federal judge sentenced Hieu Minh Ngo, a Vietnamese national, to 13 years in prison after U.S. Secret Service agents arrested him in Guam. In 2012, Ngo hacked into databases belonging to a subsidiary of the credit tracking agency Experian, stealing 200 million records complete with Social Security numbers and making nearly $2 million from selling the data, according to the U.S. Department of Justice.
But cyber thieves responsible for other major data breaches, such as those at Target and Anthem, have so far evaded capture by law enforcement.
“We want them to have a sense of danger associated with this because danger acts as a deterrent,” Samani said. “But now they have a low risk with a high return.”