In January, hackers uploaded more than 12,000 files to a cloud hosting service called MEGA. The collection included 87 gigabytes of data, 21 million passwords and 770 million email addresses. It was the largest database of compromised login details ever to have been published.
But it held the title for only a few weeks. By February, a further six collections had appeared online, one of which, Collection #2, was even larger than the first, containing more than half a terabyte of data. However, while 140 million of the email addresses disclosed in the first breach had not been seen before, much of the data had already been circulating on dark web forums.
It’s not clear why the collections were uploaded, but it rendered them largely worthless. Trevor Reschke, a threat analyst at Trusted Knight, suggested it may have been released as part of a spat between two hackers. “[It] would eliminate the other criminals’ ability to make money off it,” he speculated. “[Criminals] don’t always think rationally, and this would be their only recourse in a deal gone bad.” There was another possibility too. “A team [may have] determined the value of the data is so low it [is] not worth selling.”
Sign up to Emerging Threats, our weekly cyber security newsletter
Like any other marketplace, the dark web is tied to the laws of supply and demand. Once data has become universally accessible, its value is diminished. “Scarce data [commands] far higher prices than more easily available examples,” wrote Surrey University’s Dr Mike McGuire in Bromium’s Web of Profit report last year. “For example, the huge breach of the Target chain that occurred in 2013 was estimated to have very quickly caused a fall in prices from $15-$20 per card record to $0.75 per card record.”
“Aside from more obvious data materials, such as stolen credit and debit card details, it is possible to acquire social security information, dates of birth, and residential addresses across many nations, as well as other kinds of background information, often for no more than around $3 per record,” Dr McGuire added.
Almost half of consumers surveyed by Veeam in a recent study said they were more worried about losing their data than their belongings, with the average Brit valuing their personal information at £27,000, several multiples more than it is traded for on the dark web. However, the true value of data can’t be quantified just by how much it sells for on the dark web.
“It depends on who’s buying it and what for,” says Surrey University cyber security professor Alan Woodward. “While the value of data on the dark web has gone down due to oversupply, the value of a person’s data to a marketeer is somewhat different. For any one individual use, it might only pennies, but it gets used so many millions of times. It’s the gross value than the individual sale value that is important.”
While the EU’s General Data Protection Regulation has raised the stakes for businesses’ use of personal data in recent months, Veeam’s survey suggested they need to do more to reassure consumers their data is safe. Over half of the 2,000 surveyed consumers said they could not name an organisation they trusted most to handle their data. A third said they would stop using products if an organisation suffered an outage.
“Over the past 12 months the importance of secure data management has entered the public consciousness, and businesses today can ill afford to bury their heads in the sand to these demands,” said Veeam’s UK and Ireland chief Mark Adams. “Our research highlights that the private and public sectors both have work to do in building trust with consumers when it comes to data management and storage.”