March 18, 2016 By Pamela Cobb 3 min read

When we released the “IBM X-Force Threat Intelligence Report” recently, we thought twice about comparing the breach statistics year over year. The previous report was a rallying cry around the volume of records: several mega-breaches in 2014, including many in the retail industry, brought the tally up to 1 billion records of stolen data.

The 2015 totals were lower but different in tenor and composition. Rather than a flood of exfiltrated payment card details and account credentials, we saw instead health care-specific breaches and the leak of salacious personal details from adult dating sites. What 2015 lacked in volume, it appeared to have made up in value on the black market.

Cost Versus Value in a Data Breach

Looking at the bubble chart that shows year-over-year breach trends, we can see the highlights of the estimated impact of the incidents.

To quantify the impact, however, we need to bring in another data set. The cost to an organization to recover from a breach includes direct expenses such as hiring forensics experts, providing hotline support and paying for credit monitoring, as well as indirect costs such as client turnover, brand damage and internal investigations.

The Ponemon Institute’s “2015 Cost of Data Breach Study” put that overall average cost per record at $154. That figure excludes the aforementioned mega-breaches because of potential additional costs like legal fees.

Does a cybercriminal get to sell that record for $154 on the Dark Web? Not even close. Because of the oversupply of PII and financial data for sale on the Internet underground, the value of these records has plummeted. According to NBC News, common PII records like stolen credit cards or Social Security numbers can be sold for $1–3 and $15, respectively — well below the cost to the organization that was attacked in the first place.

The Whole Picture

While common PII records are relatively inexpensive on the Dark Web, the potential to build a more complete profile of an individual, one that includes items such as user credentials for social media sites, behavioral information from dating websites and health care records, is the stuff of dreams for cybercriminals.

One such example is the case of compromised health care records. Attackers could resell these complete health profiles to enable medical fraud. The NBC News article cited that complete health care records sell for $60 apiece. That is a paltry amount compared to the estimated cost per record to the breached organization of $363, or more than double the overall average of $154 cited above.

Having the start of a social profile for a person on the Internet can bring the attackers closer to building a full profile of the individual, making it easier to socially engineer an attack. In a more brazen attack, the intimate nature of bedroom behaviors gathered from a hacked dating site was used to extort money from site members whose data was leaked. The attackers are not generally interested in the salacious details of our personal lives unless they can be used for a payday.

‘Not a Complete Disaster’

I confess that one of my favorite lines of the X-Force report was that 2015 was “not a complete disaster,” particularly since we said earlier that 2014 was the year that the Internet fell apart. Subtlety, thy name is security research reports.

To help make things less of a disaster for yourself, consider returning to security fundamentals. Use unique passwords across all your website logins; it’s more difficult for attackers to build a complete profile if it’s harder to jump from one account to another. Don’t write your passwords on a sticky note on your monitor, particularly if your computer is going to be filmed on national television, as was the case at one French broadcasting network.
