Valuing A Data Breach Victim

In the relentless world of public breach reporting, there’s a fixation on the number of accounts affected; the higher the number, the larger the impact. But from a victim’s perspective, does it make a difference if your information was included in a breach alongside 10,000 or 50,000,000 others?

From a criminal ecosystem perspective, the number of victims per successful breach is largely irrelevant. Apart from the original hackers, where obtaining a million records is more efficient than just a thousand and, consequently, where basic multipliers are at play, the rest of the cybercrime world is oriented toward timeliness and completeness of the stolen data.

Depending upon which underground hacking site, dark web portal, data trading site or rock you turn over, the price per stolen record will vary considerably — ranging from $0.0001 through to $200. Stolen data value depreciates rapidly for most classes of personal information. For example, the value of credit card records (which would include the victim’s name, address, credit card number, expiry date and CCV) deteriorates by orders of magnitude once the breach is publicly reported, as the credit companies have added the cards to their fraud detection systems and banks may have already canceled many of them.

Within the ecosystem there exists a broad spectrum of criminal services designed to manage, verify, distribute and launder the stolen data. For example, there are moderators and facilitators that charge up to 25 percent in fees for aiding the transfer of data between buyers and sellers — complete with star-rating systems and testimonials. Meanwhile there are services that process tens of millions of stolen credit card details each week in order to verify whether each card is still “live” and to determine the credit limit of the account.

A lot of public breaches result in the theft of users’ names, email addresses and their associated passwords. Luckily, those passwords are often encrypted; however, all-too-often the keys (or salts) are also obtained during the breach. For the majority of cybercriminals, this kind of data is practically worthless; any value that can be extracted will be dependent upon the original hackers decrypting the passwords before they look for a buyer — which can take considerable time and resources (but is not uncommon). Even then, the accounts and passwords would only fetch minimum values in bulk packages. For example, a breach of a million records may contain 250,000 victims that registered with a Gmail email address.

That bundle of 250,000 records (user name, email address, decrypted password) may be purchased for as little as $20 — and the purchaser would likely then use the list to try brute-forcing other sites (including Gmail) in the hope that the victims had reused the same password. The price (and value) of the stolen data bundle drops rapidly every hour and every time it is sold (by the hackers, or resold by the purchasers). Once the list of stolen credentials is made public (for example, posted on a pastebin site or acknowledged in a security blog), the data becomes worthless — except perhaps to security researchers.

Stolen credit card details tend to get the most attention in the media, but the reality of the situation is that banks and credit companies have become very efficient at responding to breaches and have invested heavily in automated fraud detection systems in the U.S. The probability of a breach victim’s stolen credit card details actually resulting in a personal financial loss is practically negligible.

With widespread adoption of chip technology in credit and debit cards within the U.S. (from October 2015), the prospect of counterfeit card cloning and in-store fraud will drop further — and the value of stolen credit card details will continue to fall further for the hackers behind the breaches. Some people have questioned whether the U.S. strategy of chip-and-signature versus the European chip-and-PIN is a better defense against fraud (Brian Krebs has a very good blog on the pros and cons).

If stolen email addresses, passwords and even credit card details aren’t the big money earners for the hackers behind the breaches, what data targets are worth the effort?

The more exhaustive the data record, the more uses it has, and consequently the greater the value to the cybercriminal ecosystem. For example, a single record containing the victim’s full name, address, date of birth, social security number, driver’s license number, photo ID (e.g. scan of passport page or driver’s license) and bank account number can be worth as much as $100 — depending upon the country and nationality of the victim.

While many people may assume that such data would be used by a criminal to remove money from the victim’s bank account (which may be the case if the criminal can uncover a valid online password for the account), it is more probable that the data will be used to create multiple new bank accounts (for the purpose of laundering monies of other international criminal enterprises) or to obtain new credit cards and loans (for the purpose of quick cash).

Whether it’s a mega breach of a retail hardware store or only a hundred records from a florist’s website, it’s not the quantity of records that really matters to the victims — it’s the type, completeness and timeliness of the records that really matter. As a victim of a data breach, it’s important to understand what data has actually been stolen. Data that can’t easily be modified or canceled is what will hurt the most and hurt the longest and, because of its value, will increasingly be targeted by criminals.