Behind The Scenes: What Happens To Your Personal Information Once Stolen

As yet another headline related to a massive data breach makes it to the front page of publications across the world, it is perhaps time to take a step back and try to grasp the bigger picture. If you’re one of the countless individuals that can’t help but ask ‘Why?’ when faced with this sort of news, this article is for you.

Obtaining information people go to great lengths to secure from prying eyes is no easy feat – gaining the skills required for this sort of exploit takes time, practice, curiosity, intelligence and a great deal of perseverance. It takes months, years even to learn your way around the strengths and weaknesses of various computer systems and even more to successfully exploit those vulnerabilities while remaining anonymous and safe from the reach of law enforcement. A single false move can bring about enough trouble to last one several lifetimes, as Turkish national Onur Kopçak discovered when he was sentenced to 334 years in prison.

Why, then, do some people bother going through these hoops if all they can hope to make off with is a list of e-mails, names or telephone numbers?

There is one common thread that links almost every aspect of human activity: the search for profit. Data is valuable. So valuable, in fact, that it has spawned entire new industries and redefined others. Some companies gather and process personal data in order to obtain information about what a user likes or dislikes. Armed with this knowledge, said companies can provide the user with custom-tailored adds for products he or she would be interested in. Other companies gather personal data in order to aid insurance providers or financial companies with risk assessment for individual cases. These are just two of the many ways in which your data is valuable to enterprises around the world that are looking to lawfully monetize your online behavior.

Things aren’t as clear-cut with data thieves and the shady underworld they operate in. To start with, hackers have no interest in building and maintaining a business model which creates added value. While most companies try to generate wealth through their businesses, cybercriminals operate under the premise of a zero sum game. From their perspective, value is something to be captured from others.

Credit card fraud

Perhaps this is why credit card fraud is among the most popular avenues for criminals on the Internet. The past six years have seen carding grow into a veritable industry made up of different categories of players, each with their own strategies, motivations and degrees of success. The Target hack of 2013 put some 40 million U.S. credit and debit cards into the hands of attackers. Data like this typically finds its way to brokers on the dark web, who package it into large bundles and then sell it for prices that typically range anywhere between $10 and 20$. Many factors determine the asking price of each card – among them are known withdrawal limits, the credit score of the victim or the amount of time passed since the card was stolen.

Brokers sell the data to carders, who attempt to withdraw as much as they possibly can from the cards before they are either canceled or emptied by other carders. This is done through a shell game that involves buying gift cards to retail shops and then using those gift cards to purchase high-value items. Once they receive the items, the carders resell them at prices lower than the retail price so that they can get hold of the money required to purchase more cards.

The value of stolen cards increase as more data related to the holder of the card is available. Information such as date of birth, billing address or social security number can help attackers extract more value from an account; this is why the most coveted price for a carder is the ‘fullz’ or ‘fullzinfo’, which means that the seller supplies the full spectrum of information related to the stolen card. Fullz typically consist of the card number and CVV2, as well as the holder’s full name, payment card number, primary account number, billing address, social security number, date of birth, social security number, PIN number and mother’s maiden name. This is all the data one needs to sign up for new accounts with other banks and have new cards released, so it is understandable why accounts that come with this type of information are typically worth twice as much as accounts that only come with the card number, expiry date and CVV2.

Identity theft occurs every time an individual uses a piece of personal information belonging to someone else in order to obtain some sort of gain. Credit card and bank fraud are just one of the many reasons for which identity theft is carried out; most of the time no personal possessions are taken from the victim, yet the effects can more devastating than waking up to an empty bank account. Employment and tax related fraud, utilities fraud, loan or lease fraud and government documents or benefits fraud are some of the preferred activities of identity thieves. It’s difficult to accurately quantify the damage done to victims, as it can spread over many years and impact all aspects of life.

Medical identity theft

Deborah Ford is a retired postal worker from Houston. One dreadful day, she received a telephone call from a bail bondsman who told her that she was about to be arrested for buying over 1700 prescription opioid pills. Deborah had no recollection of this, yet her mugshot and fingerprints were taken and she was considered the prime suspect in the investigation.

Weeks after the birth of her son, Katrina Brooke found a bill for $94 that came from a local health clinic she had never heard of. The clinic claimed that her son had visited them and had been prescribed OxyContin for a work-related injury.

Andorie Sachs received a phone call from Social Services during which she was told that her newborn baby had tested positive for methamphetamine and that she was under investigation. Andorie had not given birth in years, however, nor had she ever consumed drugs. Despite her protests, Social Services continued their investigation, at times threatening to take away her four real children away. Despite the fact that DNA tests confirmed she was not the person the hospital and Social Services thought her to be, Andorie was still expected to pay the hospital bill.

All three of the cases described above are cases of medical identity theft. Unlike credit card or bank fraud, medical identity theft can haunt victims for many years after the crime has been perpetrated. Since the data contained within a medical record does not change over the course of a lifetime, there is no way for victims to deny attackers access. Bank accounts can easily be opened or closed, but medical history is there to stay. To add insult to the injury, medical records contain all the necessary information to commit not only medical fraud, but any other type of fraud imaginable. What’s more, there are fewer legal protections for customers than there are for cases of credit card fraud.

Medical records are veritable treasure troves that can serve attackers in a variety of ways. These range from buying prescription medicine to opening up bank accounts and applying for loans. This is why they sell for serious money on the dark markets. Depending on how complete they are, how long they have been out in the open for and whether they are part of an entire database or a single file, medical records can sell for as much as $1000.

Data is valuable in ways few can imagine. There are many things you can do to keep your personal information from prying eyes – change your passwords regularly, educate yourself on phishing and other social engineering techniques, do not trust, but verify that people are who they say they are. If criminals use your identity when commiting other crimes, such as cybercrimes, drug trafficking, money laundering, or entering and exiting a country illegally, you will have to deal with the any police investigations in the matter and find ways to prove that you are innocent – something which may, at times, be impossible to do.


Cyberdeception. Powered by Hardware.