Lately, stolen data has become all to frequent. From the Equifax breach to Forever 21 to dozens of others, losing control of our personal data has become sadly commonplace. But did you ever stop to wonder where all of this stolen data ends up? Some of it is stolen by nation state's intelligence services like the data breach with the United States Office of Professional Management (OPM). This information will likely never been seen online and would be used to find targets to turn into spies. But a lot of the stolen personal information ends up on criminal black markets to be sold to the highest bidder. The shocking part though, is just how sophisticated these online market places are. Many are modeled after e-Bay. It would surprise most people just how easy (and cheap) it is to get your most precious personally identifying information.
Stolen data sold on online market places
When we started to investigate this subject, we weren't quite ready for what we found. In this first example of stolen data, this picture is a screenshot taken from the Evolution marketplace. This is credit card data being sold. At the time it was being sold, the price was .0176 Bitcoins. At today's prices that would be $211. Please notice that these are American Express Centurion (Black Card) and Platinum cards. This means you could purchase the credit card information of very large limit credit cards for just $200.
In this next example, the healthcare records of 48,000 patients from the Farmington, Missouri area are being offered for sell. This picture is a bit older and the price is 158.6823 Bitcoins. At the time of the stolen data sale, that price was $15,823. So that means you could purchase the records of 48,000 people for around $16,000, or $0.33 per record. A criminal could use this data to get free health care or open credit in the victim's name.
Continuing at the Real Deal Marketplace, we see the data of 397,000 patients from the Atlanta, Georgia area. This was stolen by the Dark Overlord so this is believed to be the data from Athens Orthopedic that was breached in 2016.
The asking price is 634.7292 Bitcoins, or $63,729. That would be about $0.16 per record.
Lastly we have stolen data from Tumblr for sell on the Real Deal Market Place. How about 68 million user accounts? Since most people use the same username and password for every site they visit, what do you think this is worth to criminal hackers? The entire database can be bought for 0.1881 Bitcoin or about $2000.
These are just a few examples of what is being offered for sell on criminal underground market places. These sites are very efficient and organized to be like eBay. Did you notice that each seller even has a rating? This gives others an indicator of this "trustworthiness" as a seller.
How can I protect myself?
We can't stop company's from having data breaches. But we can make sure that we protect the data we are responsible for. If you own a business or practice that has personal data about your customers or patients, make sure you protect it. Have a quality firewall in place at your internet connection. Make sure you use commercial (not free) antivirus products on each workstation. Also, be sure to have daily backups that you have tested. Many people think their backups are good until they need them. Then they find out that they don't actually have a working backup. Test your backups so when you do need them, you have them.
What can a user do? Use a password manager like Lastpass to store your online user accounts. Then you can use a unique password for each site you visit. Make sure you provide the minimum amount of data to any site you visit. This way if there is a breach and your data is stolen, the criminals will have less to abuse.
We can't stop the large scale data thefts that are occurring, but we can do our part to protect the personal information we have. If we all did our part, then the amount of breaches would decrease as its harder to accomplish. Even small steps can make a big difference when it comes to security. Attacks usually go after the easiest targets.