This post was originally published on December 6, 2017.
Not everything on the dark web is illegal, but it is a huge marketplace for stolen data and personal information. After a data breach or hacking incident, personal information is often bought and sold on the dark web by identity thieves looking to make money off your good name—and any numbers or information associated with you. (See also: What is the Dark Web?)
What Information Is Most Common and How Much Is It Worth?
But just how much is your information worth to criminals? The answer may surprise you. The fact is various pieces of information may be more valuable to criminals and it depends on a variety of factors.
Here are the 10 most common pieces of information sold on the dark web and the general range of what they're worth—or rather can sell for:
- Social Security number: $1
- Credit or debit card (credit cards are more popular): $5-$110
- With CVV number: $5
- With bank info: $15
- Fullz info: $30
Note: Fullz info is a bundle of information that includes a "full" package for fraudsters: name, SSN, birth date, account numbers and other data that make them desirable since they can often do a lot of immediate damage.
- Online payment services login info (e.g. Paypal): $20-$200
- Loyalty accounts: $20
- Subscription services: $1-$10
- Diplomas: $100-$400
- Driver's license: $20
- Passports (US): $1000-$2000
- Medical records: $1-$1000*
*Depends on how complete they are as well as if its a single record or an entire database
- General non-Financial Institution logins: $1
Note: Prices can vary over time and prices listed below are an estimation and aggregation based on reference articles and hands on experience of Experian cyber analyst the last two years.
How Is This Information Purchased by Identity Thieves on the Dark Web?
There are three main ways that personal information is commonly bought and sold on the dark web:
- Purchase data as a one-off, such as a Social Security number
- Purchase bulk data, batches of the same types of information
- Purchase bundled data, this is the "premium" package for identity thieves as it includes various types of information that are bundled together
I was the data breach victim many years ago, do I still need to be concerned about my data be sold?
Yes. According to a 2017 Javelin strategy and research presentation the amount of fraud committed based on data breach data that is 2-6 years old has increased by nearly 400% over the last 4 years to $3.7B in 2016.
What Drives the Cost of Personal Information on the Dark Web?
There are four main factors that drive the cost of information that's bought and sold on the dark web:
- Type of data and the demand for that data: as mentioned above, different types of information can bring different monetary values.
- Supply of the data: the economic principle of supply and demand applies to criminals buying and selling stolen information. If there's a lower supply of particular information available for purchase, then that information is more valuable to thieves.
- The balance of the accounts: whether dollar values or points in an account, the higher the amount that can be taken, the higher the cost of that stolen information.
- Limits or the ability to reuse: if something has a higher limit or can be reused multiple times, it's more valuable to fraudsters. Alternatively, information that has low limits to use or steal and can only be leveraged once is less valuable.
So What Can You Do to Protect Yourself?
This may seem frightening or overwhelming, but it's important to be aware of what is going on so you can protect yourself. While data breaches are on the rise and outside of your control, you can practice good habits for your own personal information like maintaining healthy password practices, and not sharing your personal information unless it's necessary.
It's also a good idea to make sure that you keep your antivirus software and software updates on all devices (computer, laptop, tablet, phone) current as those updates may include security patches that are important to protecting your information.
You can also check out identity protection products for yourself and your family. Products such as Experian IdentityWorks provide dark web monitoring, alerts and a view into your credit report and FICO® Score so you can keep an eye on things and get a heads up on potential red flags for identity theft. You can also run a free dark web scan on your Social Security number, phone number and email address.
About the author: Brian Stack is Vice President of the Experian® Engineering group at Experian Consumer Services, leading a team who's responsible for scouring the dark web for compromised consumer data and incorporating non-credit based data sources such as court records, payday loans, and social network data to produce best of breed identity protection products for Experian consumers and business partners.
Sources: Liv Rowley on Flashpoint, Richard on Dark Web News, and The Hidden Data Economy by Charles McFarland, François Paget, and Raj Samani. Prices can vary over time and prices listed below are an estimation and aggregation based on reference articles and hands-on experience of Experian cyber analyst the last two years.
Editorial Disclaimer: Opinions expressed here are author's alone, not those of any bank, credit card issuer or other company, and have not been reviewed, approved or otherwise endorsed by any of these entities. All information, including rates and fees, are accurate as of the date of publication.