What’s Your Personal Data Worth On The Dark Web?

Uploaded on 2016-08-25 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

It's an inevitability of the modern world that your personal information is going to be compromised at some point and you'll have to go through the hassle of changing your password or account number or signing up for credit monitoring.

For victims it's a headache, but it generally doesn't extend beyond that. For the cybercriminals, though, it can be a wildly lucrative venture.

But how do hackers sell your stolen data, and who is willing to buy it? Thomas Holt, an associate professor of criminal justice at Michigan State University, recently conducted a study with some colleagues examining the strategies used by individuals operating in the real world for stolen goods in virtual illicit markets that are hidden from the public, specifically, the dark web. This clandestine marketplace is a heavily encrypted underground world within the internet, and it is difficult for authorities to detect the location or owners of the data markets within the dark web.

Funded by the National Institute of Justice, Office of Justice Programs and US Department of Justice, Holt and his colleagues analyzed posts from 10 Russian- and three English-language web forums selling stolen data to engage in identity theft and fraud.

The study found that most of the sellers on the dark web advertise their data and services in forums much like an Amazon or eBay, where buyers and sellers rate each other and the quality of their products being sold, in this case, personal information. While it sounds lawless, there's an honor amongst data thieves. Buyers of stolen data pay first and trust it will be delivered.

Holt claims it is hard to put an exact figure on what hackers are getting for stolen data, for several reasons: Cash transactions tend to be on the rare side in these sorts of transactions, bulk discounts take place for big data scores, and precise negotiations take place via email or private online chat. Yet it appears bitcoin and other web-based currencies are the norm, because the sources are much harder to trace.

What Holt and his colleagues found was that of the 320 transactions they studied, data sellers earned between $1 million and $2 million. Similarly, buyers in 141 of these transactions earned between $1.7 million and $3.4 million through the use of the information they purchased.

How much is your data worth?

So how much is your data worth? It varies, sometimes tremendously, on where it's being sold. To get the broadest possible look at what hackers are buying and selling these days, CNBC.com reached out to several security experts. The prices stolen data is commanding ran the gamut.

According to Michal Salat, threat intelligence manager at Avast Software, an IT security company that develops antivirus software, data is not worth that much individually. Avast focuses on commonly stolen personal data, such as Social Security and credit card numbers.

"The price increase [per account/credit card number] usually isn't linear," says Salat. "A lot of sellers have discounts for higher credentials counts and for regular customers."

Here is what Avast claims data sellers are fetching for the following:

  • Credit cards without a balance guarantee: $8 per card (number and CVV)
  • $2,000 balance guarantee: $20 per card (number and CVV)
  • Driver's license scans: $20
  • Email addresses and passwords: $0.70–$2.30
  • Social Security numbers: $1 ($1.25 for state selection)
  • PayPal credentials/access: $1.50

Beyond the financial data

Yet some thieves are interested in more than just financial data. Some are looking for access to something as mundane as entertainment services or as significant as logins to national services (via FTP or SFTP — file-transfer protocols that allow users to transfer files between computers).

The high prices for .GOV accounts might seem surprising, but Ed Cabrera, chief cybersecurity officer at Trend Micro, says the access they provide commands top dollar.

"These stolen credentials enable criminals to compromise servers to steal data or otherwise launch secondary attacks," he says. "The criminal underground operates on supply and demand so the same market forces we see on surface web you can see in the deep web."

Here are what security software company Trend Micro claims this type of data is commanding today:

  • Credit card credentials: $15-$22
  • Spotify account: $2.75
  • Hulu account: $2.75
  • Netflix account: $1–$3
  • NOAA.gov account (FTP or SFTP access): $476
  • USPS.gov account (FTP or SFTP access): $680
  • CDC.gov account (FTP or SFTP access): $340
  • Western Union account: $6.80

CNBChttp://cnb.cx/2aRwXZS

« Risky Business: Desktop Banking Declines As Users Switch To Apps
Too Much Information: Making Sense Of Big Data »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

InfoSecurity Magazine

InfoSecurity Magazine

Infosecurity Magazine has over ten years of experience providing knowledge and insight into the information security industry.

Rockwell Automation

Rockwell Automation

Rockwell Automation offer industrial security solutions to protect the integrity and availability of your complex automation solutions.

Cyber Risk Opportunities

Cyber Risk Opportunities

Cyber Risk Opportunities was formed to enable middle-market executives to become more proficient cyber risk managers so their organizations can thrive.

Span

Span

Span designs, develops and maintains information systems based on advanced technological solutions of global IT leaders.

Montimage

Montimage

Montimage develops tools for testing and monitoring networks, applications and services; in particular, for the verification of functional, performance (QoS/QoE) and security aspects.

Energia Ventures

Energia Ventures

Energia Ventures is a three-month intensive accelerator for entrepreneurs with an innovative business in the energy, smart grid, cleantech, and cybersecurity sectors.

ProSearch Partners

ProSearch Partners

ProSearch Partners are national talent acquisition specialists exclusively focussing on Technology and Digital talent including Cybersecurity, Data Analytics and Execs.

Kainos

Kainos

Kainos is a leading provider of Digital Services and Platforms. Our services include Digital Transformation, Cyber Security, Cloud, AI, IoT and more.

Hunton Andrews Kurth

Hunton Andrews Kurth

Hunton Andrews Kurth LLP serves clients across a broad range of complex transactional, litigation and regulatory matters. Practice areas include Privacy and Cybersecurity.

SecureLayer7

SecureLayer7

SecureLayer7 is an international provider of integrated business information security solutions with an innovative approach to IT security.

Mandiant

Mandiant

Mandiant deliver dynamic cyber defense solutions powered by industry-leading expertise, intelligence and innovative technology.

Apura Cybersecurity Intelligence

Apura Cybersecurity Intelligence

Apura is a Brazilian company that develops advanced products and provides specialized services in information security and cyber defense.

JLS Technology

JLS Technology

Since 2007, JLS Tech has been recognized as one of the world’s most innovative cybersecurity and technology operations leaders.

Lineaje

Lineaje

Lineaje solves critical Software Supply Chain security problems faced by every organization that builds, uses or sells software.

Sage IT

Sage IT

Sage IT offer a wide range of professional and consulting services to help organizations overcome the challenges of today's ever-changing business environment.

360 Advanced

360 Advanced

360 Advanced is a relationship-focused cybersecurity and compliance firm offering integrated compliance solutions customized to meet your business’ needs.