When we released the “IBM X-Force Threat Intelligence Report” recently, we thought twice about comparing the breach statistics year over year. The previous report was a rallying cry around the volume of records with several mega-breaches, including many in the retail industry, in 2014 that brought the tally up to 1 billion records of stolen data.

The 2015 totals were lower but different in tenor and composition. Rather than a flood of exfiltrated payment card details and account credentials, we saw instead health care-specific breaches and the leak of salacious personal details from adult dating sites. What 2015 lacked in volume, it appeared to have made up in value in the black market.

Cost Versus Value in a Data Breach

Looking at the bubble chart that shows year-over-year breach trends, we can see the highlights of the estimated impact of the incidents.

To quantify the impact, however, we need to bring in another data set. The cost to an organization to recover from a breach includes direct expenses such as hiring forensics experts, hotline support and paying for credit monitoring, as well as indirect costs such as client turnover and brand damage and internal investigations.

The Ponemon Institute’s “2015 Cost of Data Breach Study” put the overall average cost per record at $154. That figure excludes the aforementioned mega-breaches because of their potential additional costs, such as legal fees.

Does a cybercriminal get to sell that record for $154 on the Dark Web? Not even close. Because of the oversupply of PII and financial data for sale on the Internet underground, the value of these records has plummeted. According to NBC News, common PII records like stolen credit cards or Social Security numbers can be sold for $1–3 and $15, respectively — well below the cost to the organization that was attacked in the first place.

The Whole Picture

While common PII records are relatively inexpensive on the Dark Web, the potential to build a more complete profile of an individual, one that includes items such as user credentials for social media sites, behavioral information from dating websites and health care records, is the stuff of dreams for cybercriminals.

One such example is the case of compromised health care records. Attackers could resell these complete health profiles to enable medical fraud. The NBC News article reported that complete health care records sell for $60 apiece. That is a paltry amount compared to the estimated cost per record to the breached organization of $363, more than double the overall average of $154 cited above.

Having the start of a social profile for a person on the Internet can bring the attackers closer to building a full profile of the individual, making it easier to socially engineer an attack. In a more brazen attack, the intimate nature of bedroom behaviors gathered from a hacked dating site was used to extort money from site members whose data was leaked. The attackers are not generally interested in the salacious details of our personal lives unless they can be used for a payday.

‘Not a Complete Disaster’

I confess that one of my favorite lines of the X-Force report was that 2015 was “not a complete disaster,” particularly since we said earlier that 2014 was the year that the Internet fell apart. Subtlety, thy name is security research reports.

To help make things less of a disaster for yourself, consider returning to security fundamentals. Use unique passwords across all your website logins; it’s more difficult for attackers to build a complete profile if it’s harder to jump from one account to another. Don’t write your passwords on a sticky note on your monitor, particularly if your computer is going to be filmed on national television, as happened at one French broadcasting network.

