How much do you think a buyer on the dark web would pay for stolen data? How much would you estimate a hacker can profit from personal data? The truth is that, for hackers, the price stolen data fetches is worth the risk, while a breach is always costly for organizations that store, process, transmit, or destroy personal data.
When a system is breached and personal data is stolen, the hacker involved in the malicious activity will typically sell or advertise that data on the dark web. Even if your company is small, a hacker will cast a wide net to obtain stolen information from multiple sources. If they steal personal data from your organization, it will cost you money – that’s the end of it. It’s up to you to decide if the cost of stolen data is worth it, or if proper information security testing is a better investment.
How Much is Data Sold For
Symantec released an in-depth Internet Security Threat Report in 2019 that lays out a cost sheet for the most commonly sold personal data. Here’s how much hackers earn after stealing the personal data you are responsible for:
- Online banking account – 0.5%-10% of value
- Cloud service account – $5-$10
- Hacked email accounts (groups of 2,500+) – $1-$15
- Hotel loyalty reward program accounts with 100,000 points – $10-20
- Stolen identity – $0.10-$1.50
- Medical notes or prescriptions – $15-20
- Stolen medical records – $0.10-$35
- ID or passport – $1-35
- Full ID – $30-100
While these numbers may seem small for individual pieces of data, the total value starts to add up. If you store passport data, how much could a hacker earn by breaching your database? If you process online payments, how much could a hacker earn by skimming your site? The price of an individual record may be minor, but when you view it in terms of entire databases of personal information, the costs can make an impact.
The Real Cost of a Personal Data Breach
Let’s take a look at a recent breach that made headlines – DoorDash. The food delivery service was breached in September 2019 when a hacker stole the private information of 4.9 million customers and delivery workers, including full names, delivery addresses, phone numbers, digits of credit cards and bank accounts, and hashed passwords. Symantec’s report puts the cheapest price for a full ID package at $30, so 4.9 million records at $30 each gives an estimated value of $147 million for the personal data stolen from DoorDash. The hacker who breached DoorDash’s system is probably sitting on a good profit right now. Do you want your organization to be the next target for a hacker looking to make a good buck off stolen personal data?
How to Stop the Money Machine
What can you do to protect your organization from fueling the money machine of hackers selling personal data on the dark web? You can start by annually testing your processes and controls to make sure your system can withstand common hacking tactics, whether through your internal audit team or external penetration testers who are skilled enough to spot suspicious activity. Staying updated on current hacking tactics provides greater assurance that your employees will recognize an attack early on.
Organizations have a great responsibility to protect individuals’ personal data because they store, transmit, process, and destroy so much of it. Whether it be employee data or client data, you need to have practices in place that secure information and work against a hacker’s tactics. If you’re interested in learning more about third-party penetration testing to mitigate the risks you face, contact KirkpatrickPrice today!