March 18, 2016 By Pamela Cobb 3 min read

When we released the “IBM X-Force Threat Intelligence Report” recently, we thought twice about comparing the breach statistics year over year. The previous report was a rallying cry around the volume of records with several mega-breaches, including many in the retail industry, in 2014 that brought the tally up to 1 billion records of stolen data.

The 2015 totals were lower but different in tenor and composition. Rather than a flood of exfiltrated payment card details and account credentials, we saw instead health care-specific breaches and the leak of salacious personal details from adult dating sites. What 2015 lacked in volume, it appeared to have made up in value in the black market.

Cost Versus Value in a Data Breach

Looking at the bubble chart that shows year-over-year breach trends, we can see the highlights of the estimated impact of the incidents.

To quantify the impact, however, we need to bring in another data set. The cost to an organization to recover from a breach includes direct expenses such as hiring forensics experts, hotline support and paying for credit monitoring, as well as indirect costs such as client turnover and brand damage and internal investigations.

The Ponemon Institute’s “2015 Cost of Data Breach Study” put that overall average cost per record at $154. That figure excludes aforementioned mega-breaches because of potential additional costs like legal fees.

Does a cybercriminal get to sell that record for $154 on the Dark Web? Not even close. Because of the oversupply of PII and financial data for sale on the Internet underground, the value of these records has plummeted. According to NBC News, common PII records like stolen credit cards or Social Security numbers can be sold for $1–3 and $15, respectively — well below the cost to the organization that was attacked in the first place.

The Whole Picture

While common PII records are relatively inexpensive on the Dark Web, the potential to build a more complete profile of an individual that includes items such as user credentials for social media sites, behavioral information from dating websites and health care records are the stuff of dreams for cybercriminals.

One such example is the case of compromised health care records. Attackers could resell these complete health profiles to enable medical fraud. The NBC News article cited that complete health care records sell for $60 apiece. That is a paltry amount compared to the estimated cost per record to the breached organization of $363, or more than double the overall average of $154 cited above.

Having the start of a social profile for a person on the Internet can bring the attackers closer to building a full profile of the individual, making it easier to socially engineer an attack. In a more brazen attack, the intimate nature of bedroom behaviors gathered from a hacked dating site was used to extort money from site members whose data was leaked. The attackers are not generally interested in the salacious details of our personal lives unless they can be used for a payday.

‘Not a Complete Disaster’

I confess that one of my favorite lines of the X-Force report was that 2015 was “not a complete disaster,” particularly since we said earlier that 2014 was the year that the Internet fell apart. Subtlety, thy name is security research reports.

To help make things less of a disaster for yourself, consider returning to security fundamentals. Use unique passwords across all your website logins; it’s more difficult for attackers to build a complete profile if it’s harder to jump from one account to another. Don’t write your passwords on a sticky note on your monitor, particularly if your computer is going to be filmed on national television, as was the case in one French broadcasting network.

Download the complete 2016 IBM X-Force Threat Intelligence Report

More from X-Force

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

Widespread exploitation of recently disclosed Ivanti vulnerabilities

6 min read - IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. Key Findings: IBM research teams have…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today