Following Personal Identifying Information (PII) Down the Black Net Road

August 11, 2015 by ofonseca

As a business manager savvy to security risks, you may be well aware of the costs consumers and businesses incur when personal identifying information (PII) is stolen in a data breach. But once the information is taken from your system, do you know what happens next? Do you understand the route PII travels from its point of origin to the hands of the crook who will actually use it?

It’s a far more circuitous and profitable road than you might think. The thieves who steal your PII almost certainly won’t be those who end up using it, and depending on what they steal, they may not even be those who make the most money off it. The cyber crime “industry” has evolved to look more and more like an ersatz actual business model, with the hackers who pilfer the data acting as producers, underground marketplace operators and guarantors acting as middlemen, and the crooks who use the data as consumers.

Let’s take a look at how stolen data can move across the black net:

First, data is stolen through a data breach, hack or other types of incursion into a company’s proprietary system.

The hacker who steals the information may put it up for sale on a trusted black market forum, or he may sell it to a wholesaler who will then move it onto the black market. He most likely will not risk using the data himself to steal directly from the people whose data he’s taken.

The forum will likely be moderated, monitored and operated just like a legitimate online marketplace. A moderator will ensure everyone moves merchandise according to the rules. A guarantor will ensure the exchange of data and payment takes place fairly by holding both money and product before distributing it to both parties involved in the transaction. The self-regulating nature of the forum – in the form of buyer feedback – will weed out sellers who try to move bad data and reward those who sell good data.

The type of data our theoretical hacker has stolen and how well he’s packaged it will determine how much he makes off your PII. If he’s stolen a lot of data, he’ll make more money. He’ll also likely receive a higher payout if he’s obtained medical data than if he’s managed to steal only credit card information. A study by Dell Secureworks found hackers may make as little as $1 per record for credit card numbers with a CVV code, $20 to $200 for a PayPal account with a verified balance, and as much as $1,000 for an online back account. By contrast, health insurance credentials can go for $20 each, and when packaged with other PII can net a seller more than a $1,000 for each package, Dell reported.

Once a buyer has completed the purchase of stolen data, he can use it in a number of ways to falsely secure new credit or clean out financial accounts. While making actual use of stolen data puts the criminal at greater exposure of discovery, the layers between the user and the initial theft may also insulate him from more severe prosecution. These multiple layers can also make it difficult for law enforcement and breached companies to track the data theft to the original perpetrators.

Many authorities now believe that taking down online marketplaces will be a more effective way to fight the data breach and cybercrime industries. Meanwhile, companies need to continue taking proactive steps to prevent data breaches and to aggressively implement data breach response plans.