Darkonomics 101: The Underground Market for PII

The ubiquity of newsworthy data breaches and cyber compromises has raised concerns over the security of personally identifiable information (PII), which refers to any information that can be used to uniquely identify an individual.

It should come as no surprise that, when stolen or compromised, PII in any form, whether login credentials, medical records, or financial information, can yield serious consequences for its original owners while providing handsome pay-outs to cyber-criminals. Yet the general public remains relatively uninformed of how malicious actors on the deep and dark web are not only the primary perpetrators of this theft, but also operate complex underground markets that facilitate the sale of this stolen PII.

How exactly does this market function? Much like any modern-day economy, the PII market responds to the same laws of supply and demand that drive the market prices for available PII records. The following factors help determine the optimal pricing of the PII market:

1. Availability of information. Cyber-criminals continue to benefit from the many organizations that have shifted toward internet-connected technologies such as cloud-based solutions, digital CRM systems, and Internet of Things (IoT) devices. As more offline, manual systems are replaced with new, internet-enabled systems, vast amounts of PII will continue to become more susceptible to compromise unless properly secured.

Indeed, the healthcare sector serves as a case in point. Until recently, many healthcare institutions employed manual, offline methods of storing patients’ records. It wasn’t until 2014, when a federal mandate incentivized healthcare institutions to store records electronically, that they became available online. Consequently, cyber threats targeting healthcare have been rising since 2014.

2. Accessibility of information. Although a vast amount of PII may exist online, its accessibility varies. So, how easy is it for cyber-criminals to obtain PII and what security measures aim to prevent that from happening? Generally speaking, there are two opposing forces at stake surrounding PII accessibility:

  • System complexity - This refers to the number of components, as well as the level of connectivity between each component, comprising systems that store PII. In most cases, the more complex and interconnected a system is, the more vulnerabilities it can contain. Systems with more vulnerabilities tend to be easier for cyber-criminals to access and abuse.
  • Advances in threat intelligence and information security - Although it appears that cyber-criminals maintain an advantage, today’s robust information security and threat intelligence programs help organizations identify and mitigate vulnerabilities and compromises more efficiently and effectively.

3. PII Price. The market price of PII is relatively elastic in response to supply and is typically determined by the following:

  • Shelf-life: How long can cyber-criminals abuse PII before it becomes invalid? The shorter the shelf-life, the cheaper the price. Credit card numbers, for example, have a short shelf-life due to their high replicability and financial institutions’ anti-fraud measures. Medical records, however, have a long shelf-life because they contain irreplaceable information (e.g. social security numbers, mother’s maiden name) that can be leveraged for criminal activities for many years.
  • Freshness: One of the most significant pricing determinants, freshness refers to PII’s age and level of previous abuse. While outdated credit card numbers or invalid login credentials are relatively stale and cheap, newly-obtained PII that has never been used in criminal schemes remains more desirable and expensive.
  • Amount: The more PII for sale, the cheaper the price per individual record. For purchasers of PII, it pays to buy in bulk. Likewise, the more saturated the market is with certain types of PII, the cheaper those types tend to be, and vice versa. Medical records, for example, continue to decline in price. Following a record year for exposed records in 2015, the deep and dark web has been inundated with medical PII available for sale. While 2016 had an increased number of breaches, the exposed data fetched a cheaper price due to the ubiquity of available PII.
  • Potential ROI: Prices can vary based on the PII’s potential return on investment. For instance, prices of stolen credit card numbers depend on the card’s class and issuing bank. Premium and business cards command higher prices than “no-frills” cards, and cards from European and US banks are usually more expensive than those from regions with less-stable economies and weaker currencies.

4. Regional Customs and Conditions: These factors can even dictate an individual’s decision to engage in cybercrime altogether. After all, the PII market depends on cyber-criminals as both suppliers and consumers, so externalities that influence an individual's decision to do so can influence the entire market. Such externalities can include:

  • Economic Conditions: Cyber-criminals exist across the globe, but top-tier criminal groups are often found in Eastern Europe. Many theories exist to explain this reality, but the simplest explanation is a highly technical and educated populace that can earn more through criminal activities than through the opportunities offered by the local economy.
  • Legislation: Lax enforcement of existing laws by local authorities allows criminal undergrounds to flourish. Some particularly depressed regions see cyber-criminal activity as a means of bringing cash into impoverished areas.
  • Fire-Free Zones: The complicity of some local governments is shown by the unwritten code that Eastern European groups will not target domestic companies or individuals. While criminal groups have long adhered to this rule, the last few years have seen a breakdown in this code. Unsurprisingly, law enforcement officials have arrested some of the members who violated this code of ethics.

Individuals should understand that underground criminal markets are flooded with PII -- some of which likely belongs to you. Identifying the originating source is becoming increasingly difficult, as PII for the same individual might now be obtained via several different sources, including breaches at different organizations.
