What’s Your Personal Data Worth On The Dark Web?

It's an inevitability of the modern world that your personal information is going to be compromised at some point and you'll have to go through the hassle of changing your password or account number or signing up for credit monitoring.

For victims it's a headache, but it generally doesn't extend beyond that. For the cybercriminals, though, it can be a wildly lucrative venture.

But how do hackers sell your stolen data, and who is willing to buy it? Thomas Holt, an associate professor of criminal justice at Michigan State University, recently conducted a study with some colleagues examining the strategies used by individuals operating in the real world for stolen goods in virtual illicit markets that are hidden from the public, specifically, the dark web. This clandestine marketplace is a heavily encrypted underground world within the internet, and it is difficult for authorities to detect the location or owners of the data markets within the dark web.

Funded by the National Institute of Justice, Office of Justice Programs and US Department of Justice, Holt and his colleagues analyzed posts from 10 Russian- and three English-language web forums selling stolen data to engage in identity theft and fraud.

The study found that most of the sellers on the dark web advertise their data and services in forums much like an Amazon or eBay, where buyers and sellers rate each other and the quality of their products being sold, in this case, personal information. While it sounds lawless, there's an honor amongst data thieves. Buyers of stolen data pay first and trust it will be delivered.

Holt claims it is hard to put an exact figure on what hackers are getting for stolen data, for several reasons: Cash transactions tend to be on the rare side in these sorts of transactions, bulk discounts take place for big data scores, and precise negotiations take place via email or private online chat. Yet it appears bitcoin and other web-based currencies are the norm, because the sources are much harder to trace.

What Holt and his colleagues found was that of the 320 transactions they studied, data sellers earned between $1 million and $2 million. Similarly, buyers in 141 of these transactions earned between $1.7 million and $3.4 million through the use of the information they purchased.

How much is your data worth?

So how much is your data worth? It varies, sometimes tremendously, on where it's being sold. To get the broadest possible look at what hackers are buying and selling these days, CNBC.com reached out to several security experts. The prices stolen data is commanding ran the gamut.

According to Michal Salat, threat intelligence manager at Avast Software, an IT security company that develops antivirus software, data is not worth that much individually. Avast focuses on commonly stolen personal data, such as Social Security and credit card numbers.

"The price increase [per account/credit card number] usually isn't linear," says Salat. "A lot of sellers have discounts for higher credentials counts and for regular customers."

Here is what Avast claims data sellers are fetching for the following:

  • Credit cards without a balance guarantee: $8 per card (number and CVV)
  • $2,000 balance guarantee: $20 per card (number and CVV)
  • Driver's license scans: $20
  • Email addresses and passwords: $0.70–$2.30
  • Social Security numbers: $1 ($1.25 for state selection)
  • PayPal credentials/access: $1.50

Beyond the financial data

Yet some thieves are interested in more than just financial data. Some are looking for access to something as mundane as entertainment services or as significant as logins to national services (via FTP or SFTP — file-transfer protocols that allow users to transfer files between computers).

The high prices for .GOV accounts might seem surprising, but Ed Cabrera, chief cybersecurity officer at Trend Micro, says the access they provide commands top dollar.

"These stolen credentials enable criminals to compromise servers to steal data or otherwise launch secondary attacks," he says. "The criminal underground operates on supply and demand so the same market forces we see on surface web you can see in the deep web."

Here are what security software company Trend Micro claims this type of data is commanding today:

  • Credit card credentials: $15-$22
  • Spotify account: $2.75
  • Hulu account: $2.75
  • Netflix account: $1–$3
  • NOAA.gov account (FTP or SFTP access): $476
  • USPS.gov account (FTP or SFTP access): $680
  • CDC.gov account (FTP or SFTP access): $340
  • Western Union account: $6.80

CNBChttp://cnb.cx/2aRwXZS

« Risky Business: Desktop Banking Declines As Users Switch To Apps
Too Much Information: Making Sense Of Big Data »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

NCC Group

NCC Group

NCC Group is a global cyber and software resilience business operating across multiple sectors, geographies and technologies.

Council on Foreign Relations (CFR)

Council on Foreign Relations (CFR)

CFR is dedicated to better understanding the world and the foreign policy choices facing the USA and other countries. Cyber security is covered within the CFR topic areas.

Mako Group

Mako Group

The Mako Group specializes in protection - providing security through auditing, testing, and assessments. And, we do it all with the highest quality standards possible.

Fraunhofer Institute for Secure Information Technology (SIT)

Fraunhofer Institute for Secure Information Technology (SIT)

Fraunhofer SIT is a research centre specialising in all areas of IT security.

National Information Technology Development Agency (NITDA) - Nigeria

National Information Technology Development Agency (NITDA) - Nigeria

The National Information Technology Development Agency (NITDA) is committed to implementing the Nigerian National Information Technology Policy.

Sopher Networks

Sopher Networks

Sopher is a secure communication and collaboration platform for business and personal use.

ITRecycla

ITRecycla

ITRecycla are specialists in the protection of sensitive computer data by data destruction, re-marketing of reusable computer equipment, computer recycling and disposing of electronic e-waste.

Maven Technologies

Maven Technologies

Maven Technologies specialize in secure data destruction, electronics recycling, asset management, and highly detailed reporting.

IdentityIQ

IdentityIQ

IdentityIQ is a US-based identity theft and credit protection company designed to help users stay on top identity thieves and data breaches.

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI) is an independent, global think-tank. We bring together the world’s top global researchers to undertake ground-breaking research on blockchain technology.

Technology Law Alliance (TLA)

Technology Law Alliance (TLA)

Technology Law Alliance is a specialist IT law firm focussed on the fields of technology, outsourcing and e-commerce.

Suresecure

Suresecure

Suresecure are a specialised consulting company providing Strategic IT security consulting, Managed Security Services, and Incident Response Management.

WithSecure

WithSecure

WithSecure (formerly F-Secure Business) is your reliable cyber security partner, providing outcome-based cyber security that protects and enables operations.

CypherEye

CypherEye

CypherEye is a next generation trust platform that advances the current state of Multi-factor Authentication (MFA) to enable highly secure, private and auditable cyber-transactions.

View

View

View is the leader in smart building technologies including OT cybersecurity to securely connect buildings to the cloud and manage building networks and OT devices.

DataGuard

DataGuard

DataGuard is a security and compliance software company trusted by organisations across the globe.