Who steals personal data and how do they make money from it?
The personal data of hundreds of millions of people has been stolen by cyber criminals, but what is the point in stealing this data, and how does anyone make any money from it?
Last Friday, up to half a billion customers of a Marriott-owned hotel chain were informed that their data, dating back to 2014, had been stolen.
On Monday, Q&A website Quora admitted that hackers had made off with the data of another 100 million users.
Sky News and cyber risk business Digital Shadows were unable to find this specific stolen data being sold on the dark web.
However, on a variety of marketplaces, vendors were offering what they claimed were accounts on Amazon, AirBnB, and a range of retail stores.
The sale of these data sets usually takes place only after the attackers have already tried to use them to make money themselves.
Rafael Amado, senior strategy and research analyst at Digital Shadows, told Sky News that there is a standard procedure for criminals who hold this kind of data.
He said: “When large data sets such as these appear within the cyber criminal ecosystem, they are either sold in their entirety or broken up and sold piecemeal across forums, messaging applications and marketplaces.
“The initial holders of the data set will typically exhaust the value of the breached data during their own campaigns, before selling the data once they no longer have any use for it,” said Mr Amado.
Criminals use this data to perform a number of scams, depending on what the data contains.
Some of these scams are direct identity fraud, in which the criminals pose as a victim to open bank accounts and lines of credit in that person's name.
In the UK, victims of identity fraud are rarely liable for the debt that criminals create under their name – although the debt can have a significant impact on their credit rating, which is often more difficult to address.
Other scams target the victims directly, for example by sending them phishing emails in an attempt to take control of their computers and, from there, reach their online banking.
“Every time a criminal uses a data set such as this, its value depreciates,” said Mr Amado, adding: “Similarly, as the data set is passed between cyber criminals and sold on, its value also depreciates every time.”
As an example, he explained how a criminal would make money from a data set containing 100 email addresses, plaintext (unencrypted) passwords, dates of birth, and physical addresses.
Mr Amado said he would first use it to perform phishing attacks and account takeovers, as well as to commit identity fraud – trying to gain access to bank accounts, whether owned by the victim or newly set up in their name.
“Once I have got as much as I can out of the data, then its value is almost negligible for my purposes,” he explained.
At this point, the data set is sold on to other criminals, who will typically attempt the same things again.
However, the data is by then less valuable and less useful, because victims may have changed their passwords, or banks may already have been alerted to the risk of fraud against a particular identity.
Mr Amado said: “This is what has happened with many of the big historic breaches, including LinkedIn, MySpace, and Yahoo.
“These data sets were once very valuable, but they have been used so widely, passed through so many hands, and are available so easily, that victims have changed their passwords, rendering them virtually useless for most cyber criminal endeavours. This is why they are available for free.”
Nik Whitfield, chief executive at cyber security company Panaseer, told Sky News: “When it comes to data breaches, it’s not a case of if but when, so the overriding priority must be ensuring you have adequate defences in place.
“Given that last year smashed world records for the most data breaches, and the GDPR mandatory 72-hour breach reporting requirement, it has never been more important to have a clearly defined plan to reduce the likelihood and impact of being breached.
“Organisations aren’t preparing in vain – last year the number of total breaches and total records exposed each jumped by 24% over 2016 and this number is only on an upward trajectory.
“There are clear financial implications as well – in 2018 the average data breach fine increased to £146,000.
“The issue is compounded by the problem that most companies are not aware that they have been breached for several months, or even years, after the event,” added Mr Whitfield.