The lucrative cost of cybercrime of PII

As the rate of data breaches increases year over year, the sale of personally identifiable information (PII) is becoming more and more lucrative as well. Every week, new underground storefronts pop up on the dark web ready to facilitate the sale of stolen PII, including names, birthdates, Social Security numbers, credit card and banking information, and even voter records.

Why is PII valuable?

PII is valuable because it can be used to steal one’s identity for fraudulent purposes. Even something as innocuous as an email address can be used to create accounts in an unsuspecting victim’s name. The more PII a cybercriminal has access to, the more damage they can do to a victim.

Just how valuable is PII?

For an unbelievably small investment, cybercriminals can walk off with valuable personal information:

  • $1 for Social Security numbers (SSN)
  • $1+ for medical records, depending on how complete these records are
  • $12-20 for credit card and CVV numbers
  • $20 for payment services
  • $20 for driver’s licenses
  • $30 for credit card fullz, meaning a bundle of information that includes the “full” package of name, SSN, birth date, account numbers, voter records, and more
  • $1,000+ for U.S. passports

Like any retail market, most stolen data prices follow the principles of supply and demand. The harvested information can be sold individually or in bulk, and vetted information with proof of legitimacy will sell for a higher price than data that hasn’t been vetted.

Beyond offering PII and company data for sale, bad actors also use dark web marketplaces to advertise their services and look for nefarious business partners. Empire Market, a dark web marketplace, saw its user base double from 3,000 listings in April 2018 to more than 6,000 listings in July of that year.

Though the cost for criminals to acquire this information may seem low, a breach can mean substantial fines, a damaged reputation, a decrease in stock prices, and lost jobs for any organization that lets it happen.

How to mitigate the risk

In order to know how to prevent unauthorized access to your organization’s sensitive data, you first need to identify your vulnerabilities.

While some personal data can be gathered directly from individuals who gave it willingly, though unknowingly, most of it comes from cyberattacks aimed at large organizations, such as government agencies, financial institutions, and healthcare facilities, as these are huge reservoirs for a variety of PII.

Poor security infrastructure, phishing attacks, and insider threats are some of the most common causes of data leaks and breaches. That means you’ll need to fortify every location where your organization’s sensitive data resides, from networks to inboxes on employee laptops to the cloud, with security measures that are compliant and that ensure only essential roles and personnel can access PII.

Implement a compliant data retention policy with Spirion

Spirion’s Sensitive Data Platform discovers and classifies your organization’s PII so it can be properly secured and continuously monitored for unusual activity, such as leakage or extraction, and made less vulnerable to cybercriminals looking to make a profit off consumer data. In addition, SDP seamlessly integrates with other intelligent data security solutions to deliver maximal protection. Learn how we do it today!