Is It the Breadth of the Breach or the Value of the Volume?
When we released the “IBM X-Force Threat Intelligence Report” recently, we thought twice about comparing the breach statistics year over year. The previous report was a rallying cry around the volume of records with several mega-breaches, including many in the retail industry, in 2014 that brought the tally up to 1 billion records of stolen data.
The 2015 totals were lower but different in tenor and composition. Rather than a flood of exfiltrated payment card details and account credentials, we saw instead health care-specific breaches and the leak of salacious personal details from adult dating sites. What 2015 lacked in volume, it appeared to have made up in value in the black market.
Cost Versus Value in a Data Breach
Looking at the bubble chart that shows year-over-year breach trends, we can see the headline incidents and the estimated impact of each.
To quantify that impact, however, we need to bring in another data set. The cost to an organization of recovering from a breach includes direct expenses, such as hiring forensics experts, staffing a hotline and paying for credit monitoring, as well as indirect costs, such as client turnover, brand damage and internal investigations.
The Ponemon Institute’s “2015 Cost of Data Breach Study” put the overall average cost per record at $154. That figure excludes the aforementioned mega-breaches because of potential additional costs like legal fees.
Does a cybercriminal get to sell that record for $154 on the Dark Web? Not even close. Because of the oversupply of PII and financial data for sale on the Internet underground, the value of these records has plummeted. According to NBC News, common PII records like stolen credit cards or Social Security numbers can be sold for $1–3 and $15, respectively — well below the cost to the organization that was attacked in the first place.
The Whole Picture
While common PII records are relatively inexpensive on the Dark Web, the potential to build a more complete profile of an individual, one that includes items such as user credentials for social media sites, behavioral information from dating websites and health care records, is the stuff of dreams for cybercriminals.
One such example is the case of compromised health care records. Attackers can resell these complete health profiles to enable medical fraud. The NBC News article cited that complete health care records sell for $60 apiece. That is a paltry amount compared to the estimated cost per record to the breached health care organization of $363, more than double the overall average of $154 cited above.
Having the start of a social profile for a person on the Internet brings attackers closer to building a full profile of the individual, making it easier to socially engineer an attack. In a more brazen attack, the intimate nature of bedroom behaviors gathered from a hacked dating site was used to extort money from site members whose data was leaked. Attackers are not generally interested in the salacious details of our personal lives unless those details can be turned into a payday.
‘Not a Complete Disaster’
I confess that one of my favorite lines of the X-Force report was that 2015 was “not a complete disaster,” particularly since we said earlier that 2014 was the year that the Internet fell apart. Subtlety, thy name is security research reports.
To help make things less of a disaster for yourself, consider returning to security fundamentals. Use unique passwords across all your website logins; it’s more difficult for attackers to build a complete profile if it’s harder to jump from one account to another. Don’t write your passwords on a sticky note on your monitor, particularly if your computer is going to be filmed on national television, as was the case in one French broadcasting network.