It's worth considering what makes cybercrime so compelling from the criminal's perspective.
In this short article we'll share some information about what your data is worth to bad actors, and what you can expect if you're successfully targeted.
Let's start with an example you probably recognize from the news, a data breach leads to the theft of data such as a social security number or a credit card number. These single items of data each have their market value on the dark web, with some examples including:
Maybe your own company offers sell-up and value-added products and services. Well, the criminals do that as well, and the value add is based on how easy it makes for another criminal to benefit from the data. So for something like a credit card, the bad guys value also having things that provide identity and the increase in value can be as much as threefold depending on the country. In the US, a credit card number worth $8 can be sold for $15 with an associated bank ID number, and as much as $30 with "Fullz info". Fullz info is a slang term used by the criminals to describe a complete package of an individual's identifying information, including at a minimum the victim's full name and billing address, credit card number, expiration data and card security code. Just type the word "Fullz" into Google and you'll get nearly 300,000 hits back, the majority providing information on how to get this stolen data and how to use it to commit more crimes - and that's not even on the dark web!
Now we've figured out the unit costs, let's see how this ratchets up in terms of how valuable a given target company might look to a criminal gang. Consider the following:
From the criminal's perspective, this has a potential value of 1,000 x 0.6 x $10 = $6,000 for the basic credit card data. rising to $18,000 with additional information. Plus, they will likely get at least some email addresses for the remaining 40% of users, which they can try to hack in some typical online accounts like Amazon, PayPal, eBay and more (many users being fairly remiss at having complex, frequently changed passwords and a tendency to use the same password for multiple accounts). Worth hacking? Certainly, when you consider that the criminals are also going to attack thousands of other companies - if they are successful in only 100 companies like the one we describe they stand to gain $600,000.