A Black Mark(et) for Big Data
Yesterday’s revelation of a massive data breach at Anthem Blue Cross is a potent reminder of the tenuousness of our personal information in today’s digital environment. While corporations maintain large databases by necessity, the ease with which hackers extract that data and sell it on the black market should be a concern to everybody.
Anthem disclosed that the personal data of about 80 million people was stolen in a “very sophisticated external cyber attack” that it says it discovered last week. Hackers got away with names, birthdates, medical IDs, Social Security Numbers, street addresses, phone numbers, email addresses, and income data for employees and current and former customers of the nation’s second-largest health insurance company.
No credit card information was involved. But that hardly matters because the data that was lost is considered by security experts to be even more valuable to identity thieves. The prospect of tens of millions of data points caused a flurry of activity at black market websites, where criminals buy and sell stolen records like kids trade baseball cards.
Already, the security pros at EasySolutions noticed increased activity at Validshop.su, one of a number of black market websites where cybercriminals go to sell stolen data to the identity thieves who actually make use of it, often in exchange for untraceable bitcoins.
“Consumers should continue to monitor not just their credit reports, but be alert for any other signs of deeper identity fraud, as these data records make their way into the black markets, and ultimately into the hands of criminals globally,” writes EasySolutions CTO Daniel Ingevaldson in a blog post.
Anthem is lucky that medical records were not lost as part of the breach. Medical records are worth about 10 times as much as credit card numbers, according to PhishLabs, a security software company that monitors underground hacking exchanges.
Each type of data has its own price on the black market. According to the security software firm TrendMicro, which tracks the value of stolen data in the underground economy, a landline phone number is worth $16 in the Chinese black market and up to $1,930 in the Brazilian black market. Russian cybercriminals will pay up to $100 for each personal email address, while that information will not fetch anything on the Chinese or Brazilian black markets. According to EasySolutions, the price for the combination of a Social Security Number and birthdate ranges from $1.50 to $3, depending on how the records are packaged (by ZIP code or by age).
The black market for stolen records is big and it’s getting bigger. In a 2014 report titled “Markets for Cybercrime Tools and Stolen Data–Hackers’ Bazaar,” the RAND Group dove into the seamy underbelly of for-profit cybercrime.
“The hacker market—once a varied landscape of discrete, ad hoc networks of individuals initially motivated by little more than ego and notoriety—has emerged as a playground of financially driven, highly organized, and sophisticated groups. In certain respects, the black market can be more profitable than the illegal drug trade; the links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements are negligible,” the company writes.
Cybercriminals are finding it easier to carry out their crimes in the dark thanks to the rise of the “dark net” (via anonymity tools like Tor) and the growing availability of sophisticated cryptography. The cybercriminal community is also making strides toward hacking tools that are easy to use, in the same way that reputable enterprises are delivering ever-more sophisticated business solutions to handle ever-growing data volumes.
“There has been a steady increase in the availability of goods and services offered, from stolen records and exploit kits to ‘stolen-to-order’ goods, such as intellectual property and zero-day (more commonly, half-day) vulnerabilities,” the RAND Group says in the report. “Greater availability of as-a-service models, point-and-click tools, and easy-to-find online tutorials makes it easier for technical novices to use what these markets have to offer.”
Because of the large amount of contact information that Anthem lost, security experts warn that Anthem customers can expect to be contacted by cybercriminals who are perpetrating so-called “spear-phishing” scams, in which they attempt to extract more valuable information. With so many lost email addresses, it’s likely that cybercriminals will impersonate Anthem and attempt to swindle victims into giving up even more data through fake websites. This is why Anthem has decided that it will only contact users through the regular mail.
Anthem’s breach comes on the heels of numerous big data breaches over the past several years: 200 million records lost by Experian; 76 million records lost by JPMorgan Chase; 56 million lost by Home Depot; 40 to 70 million lost by Target; 145 million lost by eBay; and 33 million lost by Adobe. That doesn’t count the notorious hack of Sony Pictures Studios in December, or the long-running scam from 2005 to 2012 that led to the loss of more than 160 million records from outfits like NASDAQ, JC Penney, 7-Eleven, Heartland, and others.
With so many breaches in the books, it’s likely your data has already been compromised. “The battle for identity theft has already been lost,” Monty Faidley, director of market planning for risk solution services provider LexisNexis, told Datanami last year. “Effectively, if you look at data breaches that have already occurred, pretty much every American’s ID is already floating around out there somewhere and is available for sale.”
The rise of big data has spurred a vigorous debate over rights to privacy and how people’s personal data ought to be handled. We are seeing cases where identifiable information can leak out, even when privacy laws are followed. But when criminals get their hands on so much data, all bets are off.