Your identity is sold for $1 in the Dark Web

If you or your company is a victim of a cyberattack, where does this stolen data go, and to what purpose?

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.
Charlie Osborne
4 min read

The Dark Web acts as an underground marketplace for stolen data, weapons, drugs and counterfeit goods. James Martin/CNET

Stolen data is a hot commodity in the Internet underground -- but how much it goes for might be a surprise.

Data breaches are becoming a weekly part of the news cycle, and so common that the idea of our data being lost by companies which collect it, while still distressing, is not as much of a surprise as it used to be. The recent Ashley Madison and Hacking Team data breaches reveal just how damaging these kinds of cyberattacks can be, with millions of user accounts compromised, intellectual property leaked and the private details of both user and executive spewed onto the web.

In Trend Micro's new report, dubbed " Understanding Data Breaches," the security firm explores who is most often targeted in data breaches, how they take place, and what happens to data once it leaves corporate networks.

Using the Privacy Rights Clearinghouse (PRC)'s Data Breaches database, Trend Micro found that hacking or malware was behind only 25 percent of data breach incidents from 2005 to April this year. Insiders are also a common reason for data loss, as well as the use of physical skimming devices and the loss or theft of devices including laptops, flash drives and physical files were also found to be the root cause of damaging data breaches.

But what happens to this data afterwards can often be lost in the news. While sensitive, stolen information used in identity theft can cause heartache for victims, for those who trade in this data, personal information can be sold at a pittance. Unintended disclosure, through mistakes or negligence, is also a reported reason for information to end up in the wrong hands.

Payment service providers are a hot target for hackers these days, with an increase in card-related data breach reports of 169 percent over the past five years. Cybercriminals can steal data through card skimming, making a rub off cards, rigging ATMs with skimmer devices or cameras and modifying point-of-sale (PoS) terminals. Interestingly, hardware keyloggers installed on cash registers have also entered as a data theft tactic.

The healthcare industry is now the most affected by data breaches, followed by government, retail and the education sectors, according to Trend Micro's findings.

Trend Micro says personally identifiable information (PII) is the most commonly stolen record type, followed by valuable financial data. Aside from the usual card details and bank accounts, Uber, PayPal and online gaming accounts are also bartered in the Dark Web.

Burrowing into the Dark Web -- a small area of the Deep Web which is not accessible unless via the Tor Onion network -- stolen data for sale is easy to find. Accounts belonging to US mobile operators can be purchased for as little as $14 each, while compromised eBay, PayPal, Facebook, Netflix, Amazon and Uber accounts are also for sale. PayPal and eBay accounts which have a few months or years of transaction history can be sold for up to $300 each.

According to the firm, compromised Uber accounts are in high demand in the underground -- as they can be fraudulently charged and give users free rides.

Bank account details, naturally, are offered for a steeper price of between $200 and $500 per account -- the higher the available balance, the more they are sold for.

Card information is sold to anyone willing to pay for the data. While price brackets vary depending on supply and demand, validation and how much can be stolen from them before deactivation, buying in bulk reduces unit price -- and some sellers insist upon sales in this format, which in turn suggests the data has been acquired as a result of a large-scale cyberattack. Credit cards from every continent can be purchased, but cards which are not from the US tend to fetch higher prices than those registered to United States addresses.

When it comes to PII, sales are conducted on a per-line basis of approximately $1. Each line of data contains a name, a full address, a date of birth, a Social Security number, and other personally identifiable information. If someone buys just a few lines, they can commit serious identity fraud. Trend Micro says this data used to go for $4 a line, but as so many data breaches have occurred in recent times, supply has increased and demand dwindled.

However, if someone really wants the skinny on a potential victim, full credit reports can be purchased for $25 a go. In addition, document scans of passports, driver's licenses and utility bills, among others, are available for purchase from $10 to $35 per document.

Trend Micro says:

"Any business or organization that processes and/or stores sensitive data is a potential breach target. In today's interconnected world, data breach prevention strategies should be considered an integral part of daily business operations. Ultimately, no defense is impregnable against determined adversaries. The key principle of defense is to assume compromise and take countermeasures.

This story originally posted as "The price of your identity in the Dark Web? No more than a dollar" on ZDNet.