Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
08:35 AM
Raj Samani
Raj Samani
Partner Perspectives
Connect Directly

What Is Your Customer Data Worth?

How to make sense of the market for stolen information.

Personal data about you, me, and, most importantly, your customers is being openly sold via online marketplaces. Stolen data has become a mature commodity market, not unlike oil or metals, with supply-driven price fluctuations, different qualities of product, and a range of values and scarcities. This market has expanded far beyond credit card numbers, mirroring the growth of big data in legitimate organizations.

We recently published a report titled The Hidden Data Economy, detailing key types of information that are available and how much they cost. Since you cannot trust criminals, some of these marketplaces may be scams or may be using reputable brand names to perpetrate a different type of fraud, but that does not reduce the overall impression of a vibrant cybercrime economy.

Credit card numbers and other payment information are the most common stolen data, with the lowest price point and widest range of values. Large scale thefts, the increasing use of chip-and-PIN cards, and rapid response from credit card companies have driven down the value of basic card information. After a big data breach floods the market with new numbers, they may go for only a few dollars each.

However, add in some additional data and the price goes up quickly. Combine payment card information with date of birth, which is a common fraud prevention question, and the value jumps to $15 in the US and about $30 in other major countries. Add in the billing address and the username and password for the account, and the price goes up to between $30 and $45. Many options are available for the discerning criminal, including issuing bank, country, available balance, maximum withdrawal limit, and usability at an ATM, store, or online.

The Stolen Data Value Chain

Credit card numbers are the base metal of stolen data markets -- widely available but not worth that much without additional info. Moving up the value chain are account login credentials for payment accounts or banking services, which appear to be priced based on the balance in the account. For less than 5% of the account balance, you can purchase login information for an online payment account. More valuable are full banking services, especially those with the ability to transfer funds to US banks, which sell for about 8% of the balance. Some sellers offer replacements if the purchased account no longer has the advertised balance, while others rely on reputation rankings, purchase feedback, and other common tools of online shopping to reassure customers.

High demand and automated theft operations have made the market for premium content account information attractive and apparently profitable. Whether you want to read some comic books ($0.55), watch online video (up to $1), get access to premium cable channels ($7.50), or watch live professional sports ($15), stolen login credentials are readily available. In an ironic twist, you can even buy stolen credentials to Dark Web markets.

Rare and more specific are logins for individual companies, open vulnerabilities to valuable systems at banks and airlines, access to industrial machines or critical infrastructure, and even stolen enterprise datasets. Just like rare art or jewels, this type of stolen data does not typically carry a direct price tag; instead, value is negotiated between the buyer and seller. Also like stolen art, the prospect of commissioned thefts is probably not very far away, if it is not here already.

With such a significant number of data breaches making headlines over the last two years, it’s not surprising to see so much consumer data for sale. But the wide variety of data and related profit-making schemes never cease to surprise those of us monitoring the Dark Web on an ongoing basis. Beyond the aforementioned stolen data types, you can also find personal identities, social media access, email accounts, medical information, and much more.

I know from direct conversations with organizations that there is quite a bit of apathy on the subject of cybercrime. Even today, after all the headlines, cybercrime still seems intangible. Too many of us still fail to realize cybercrime is simply the digital evolution of crime, and given the widespread apathy, the emergence of an increasingly established hidden data economy is the destination at which we are bound to arrive. It’s a constant and important reminder for those of us committed to making our connected world safe for our connected lives. 

Raj has previously worked as the Chief Information Security Officer for a large public sector organization in the UK. He volunteers as the Cloud Security Alliance EMEA Strategy Advisor, is on the advisory councils for Infosecurity Europe, and Infosecurity Magazine. In ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-25
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element.
PUBLISHED: 2019-06-25
Nessus versions 8.4.0 and earlier were found to contain a reflected XSS vulnerability due to improper validation of user-supplied input. An unauthenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a users browse...
PUBLISHED: 2019-06-25
Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation.
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6329.
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6328.