Hackers Selling Business, Customer Data at Bargain Prices

Every single one of us is for sale on the dark web. We know that—or at least, we should be aware of that risk. But what we may not know is the asking price for our identities. For all the havoc a stolen identity causes, some of that information is almost insultingly cheap.

According to research from VPNOverview, your social media account sells for about $13. Your intimately personal information, including name, address and credit history, goes for a little bit more, in the $40-$200 range—about the same amount as your banking information goes for. (An individual’s most valuable piece of information appears to be the passport, with a UK passport worth $750.)

The information compromised in well-known data breaches is also being sold—again, at surprisingly low costs when you consider the amount of damage that stolen data causes to the victims. For example, the MyHeritage data breach earned $3,552 for 65.7 million accounts, while the MyFitnessPal breach garnered $4,218 for 50 million accounts.

The point of the research, said David Janssen, cybersecurity analyst at VPNOverview, was to raise awareness of identity theft. “Our findings show that thieves and hackers could easily gain access to your most important accounts and spill your information on the dark web, where it is sold for next-to-nothing and used for all sorts of malicious purposes,” he said in a formal statement. “The large-scale availability of stolen and counterfeit passports, driver’s licenses and online accounts leaves us all vulnerable to identity fraud and cybercrime.”

When we talk about identity theft, it is almost always in terms of innocent consumers who were impacted. But what about the sale of business and proprietary information on the dark web?

Sharing Intelligence

“Darknet hacker forums are used to share intelligence on businesses,” said Janssen and fellow analyst Susan Morrow. For example, the information shared includes which businesses are good targets and which key personnel to send spear-phishing emails to. This data, which can be used for surveillance and manipulating users, is then shared or sold on these darknet marketplaces.

Proprietary information, design specifications and software code also land on the dark web. “Sometimes source code is stolen just to find zero-day and other vulnerabilities; these are then sold on to hackers looking to build malware to exploit these flaws,” the analysts said.

Crimes such as credential stuffing are also a problem for business. Accounts taken over by a cybercriminal can lead to losses for the company if it has to pay out fines and other expenses for poorly protected personal and financial data. “All of the above then feed into the general impacts of cybersecurity incidents, with share price drops, reputation damage, IP loss and other related costs,” said Janssen and Morrow.

Protecting the Business (and Customers) From Identity Theft

Security of consumer data and identity requires a multi-layered approach, Janssen and Morrow told me. This involves:

  • Developing robust identity services that use state-of-the-art verification and authentication measures. These systems utilize anti-money-laundering (AML) measures and have identity checks that are relevant to the demographic. The digital identity arena is starting to build useful and effective systems, but there are still challenges in making them fully fraud-proof.
  • Using security measures to protect data across the life cycle: at rest, in transit and, for certain types of data, in use.
  • Building consumer systems that utilize data with a privacy-by-design ethos. This should include the principles as outlined in GDPR, but it should also act to ensure that user control is inherent across all demographics, including those where consent could be misused.
  • Providing security awareness training to all members of staff.
  • Ensuring that when you communicate with customers, you follow the guidelines on anti-phishing as advised by the Anti-Phishing Working Group and others.
  • Wherever possible, implementing robust authentication for customer accounts, such as two-factor authentication.

“Businesses should understand that identity theft impacts both their customers and the business,” the analysts stated. “Reputation is something hard to build and easy to lose. Studies show that reputation damage is caused by a loss of trust. Losing customer data because of identity theft is one way to lose this trust.”

Sue Poremba

Sue Poremba

Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.