infoTECH Feature

February 26, 2015

Putting 2014, 'The Year of the Breach,' into Context

The Identity Theft Resource Center reports that there were 783 data breaches in 2014, up 27.5 percent over 2013. These attacks are increasing in number and in collateral damage. Think of all the sensitive data (credit card and Social Security numbers, passwords, emails etc.) that fell into the hands of cyber criminals. These breaches are costlier than ever before, as well. On average, a data breach cost a U.S. company $195 per record last year.

With an average of more than two breaches occurring every day, the headlines begin to sound like an overwhelming, broken record. To take these huge numbers out of the abstract and give the breaches some context, they will be compared to human populations.

A Texas-Size Chunk of Consumer Data

South Korea’s big breach in August hit over 70% of its 27 million population. Thieves hacked registration pages for gaming and gambling sites, ringtone downloads and movie ticket stores to steal personal information that they then leveraged into nearly US$400,000. That would be like the whole of Texas having their accounts stolen.

Eight Hong Kongs’ worth of Credit Cards

Home Depot emerged as one of the biggest hacks compared to prior years, coming in at a whopping 56,000,000 compromised accounts – the equivalent of the population of eight Hong Kongs or the entirety of the Northeastern United States. But this breach wasn’t the King of the year, either.

The entire Western US “Targeted”

The Target hack was originally announced to have hit over 40,000,000 accounts, but that figure later rose to 70,000,000 accounts, more than the population of France and the UK combined or just shy of the entire population of the Western United States. It was a card skimming attack, and stolen credentials were sold on the black market for about $27 apiece, netting the hackers upwards of $53.7 million.

Nearly an Egypt’s worth of Email Addresses

Retailers weren’t the only targets – financial titan JP Morgan disclosed in September that their systems were hacked back in July and over 83 million accounts, mostly individual households but including 7 million small businesses, were compromised. The stolen data included things like names, email, phone numbers and postal addresses that can be used in phishing schemes. That is more than the whole population of Germany and a little less than that of Egypt.

The Whole of Russia Needs a New Password

But the biggest breach of 2014, and the biggest of any year, was the eBay hack revealed last May. Thieves socially engineered their way into eBay’s systems and stole an incredible 145,000,000 emails and encrypted passwords – more than the entire population of Russia or a little less than half of the United States.

Most of last year’s data breaches were stealthy, opportunistic, long-term skimming operations that took customer credentials during transactions. Retailers often delay announcements partly to protect their reputation but also to allow law enforcement and security experts time to plug the hole and catch the hackers. Bad press has shortened the turnaround time for revealing data hacks, but does that have more to do with the fact that consumers are becoming increasingly complacent?

Now that we have a sense of scale, let’s talk about what those numbers mean in terms of what they represent and what that stolen information goes for on the black market. Time to go shopping.

$20-$135 Credit or Debit Cards

The kind of breach that gets more attention is the kind that hits credit cards, for two reasons: it affects the credit card owner whose card has been stolen and it affects the merchant that might be the target for fraud after the card is stolen. Home Depot and Target were among the largest breaches but certainly not alone. K-Mart and Dairy Queen were hit, as well as a host of other retail chains, mostly through their POS systems.

The going rate for a stolen credit card can vary a lot. Prices skew higher if the data is considered “fresh” or if the card has a guaranteed balance behind it. The Target cards, for example, started out on sale for $20-$135. Costs skew lower if the black market was flooded with a huge batch of stolen cards or the data is old, reaching as low as $2 a card.

Bottom line: credit cards are cheap because they are everywhere, and cheaper every day as more get dumped into the marketplace.

$27 Usernames and Passwords

These are some of the most common targets and don’t register for most people as a serious event. But usernames and passwords were among the most sought-after data, whether it was a small breach like CurrentC’s unspecified number of beta user email addresses stolen, eBay’s massive hemorrhage, or the Russian crime ring that managed to amass over a billion usernames and passwords.

Many people assume there’s no value in usernames and passwords, but the market says otherwise. Twitter accounts sell at a higher value than credit cards because of what else they might unlock, and plum targets like eBay and PayPal user accounts sell, on average, for $27.

$0.10-$0.25 for Fullz

Instead of getting just one credit card or one username, for a bit more money you can buy what’s called in the black market “fullz” – complete records of a person detailing most if not all of their personally identifying information. Names tied to addresses, phone numbers, date of birth, mother’s maiden name in some cases, Social Security numbers, as well as credit and banking information and any associated logins, are all the information someone needs to set up a fraudulent account somewhere else. The more breaches there are, the more data there is to aggregate into information that isn’t just used for a one-time cash grab but for deeper, ongoing fraud.

And while the potential for harm is greater to the individual, fullz are cheaper than ever before – $0.10-$0.25 apiece, and usually sold in bulk.

Why are fullz so cheap compared to credit cards? Perhaps a working credit card with a verified available amount is the path of least resistance when compared to committing large-scale identity theft, which requires a raft of raw data with no guarantee of a payout. It’s the sure thing versus a risky gamble.

The black market for stolen data is huge and its prices low – a buyer’s market for criminals if there ever was one. This is why data breaches, identity theft and online fraud will continue – and why organizations would do well to thoroughly investigate the options available to them for creating an iron-clad data security system.

Ryan Wilk is the director of customer success at NuData Security.




Edited by Stefania Viscusi