March 18, 2016 By Pamela Cobb 3 min read

When we released the “IBM X-Force Threat Intelligence Report” recently, we thought twice about comparing the breach statistics year over year. The previous report was a rallying cry around the volume of records with several mega-breaches, including many in the retail industry, in 2014 that brought the tally up to 1 billion records of stolen data.

The 2015 totals were lower but different in tenor and composition. Rather than a flood of exfiltrated payment card details and account credentials, we saw instead health care-specific breaches and the leak of salacious personal details from adult dating sites. What 2015 lacked in volume, it appeared to have made up in value on the black market.

Cost Versus Value in a Data Breach

Looking at the bubble chart that shows year-over-year breach trends, we can see the highlights of the estimated impact of the incidents.

To quantify the impact, however, we need to bring in another data set. The cost to an organization to recover from a breach includes direct expenses such as hiring forensics experts, staffing hotline support and paying for credit monitoring, as well as indirect costs such as client turnover, brand damage and internal investigations.

The Ponemon Institute’s “2015 Cost of Data Breach Study” put the overall average cost per record at $154. That figure excludes the aforementioned mega-breaches because of potential additional costs like legal fees.

Does a cybercriminal get to sell that record for $154 on the Dark Web? Not even close. Because of the oversupply of PII and financial data for sale on the Internet underground, the value of these records has plummeted. According to NBC News, common PII records like stolen credit cards or Social Security numbers can be sold for $1–3 and $15, respectively — well below the cost to the organization that was attacked in the first place.

The Whole Picture

While common PII records are relatively inexpensive on the Dark Web, the potential to build a more complete profile of an individual, including items such as user credentials for social media sites, behavioral information from dating websites and health care records, is the stuff of dreams for cybercriminals.

One such example is the case of compromised health care records. Attackers could resell these complete health profiles to enable medical fraud. The NBC News article cited that complete health care records sell for $60 apiece. That is a paltry amount compared to the estimated cost per record to the breached organization of $363, or more than double the overall average of $154 cited above.

Having the start of a social profile for a person on the Internet can bring the attackers closer to building a full profile of the individual, making it easier to socially engineer an attack. In a more brazen attack, the intimate nature of bedroom behaviors gathered from a hacked dating site was used to extort money from site members whose data was leaked. The attackers are not generally interested in the salacious details of our personal lives unless they can be used for a payday.

‘Not a Complete Disaster’

I confess that one of my favorite lines of the X-Force report was that 2015 was “not a complete disaster,” particularly since we said earlier that 2014 was the year that the Internet fell apart. Subtlety, thy name is security research reports.

To help make things less of a disaster for yourself, consider returning to security fundamentals. Use unique passwords across all your website logins; it’s more difficult for attackers to build a complete profile if it’s harder to jump from one account to another. Don’t write your passwords on a sticky note on your monitor, particularly if your computer is going to be filmed on national television, as was the case at one French broadcasting network.

Download the complete 2016 IBM X-Force Threat Intelligence Report
