Prices are dropping for Personally Identifiable Information (PII) on the Dark Web. One likely reason is a surplus of the data; cybercriminals have been too successful gathering the stuff.
Criminals can now purchase PII for $1 a line — that's down from $4 just a year ago, Trend Micro reported in its new research paper.
Each line contains a name, a full address, a date of birth, a Social Security number, and other information. Criminals only need a few lines to clone an identity.
Studying stolen data
Trend Micro analyzed a decade's worth of data breach information in its new report, "Follow the Data, Dissecting Data Breaches and Debunking the Myths' (PDF).
Some data came from the non-profit Privacy Rights Clearinghouse.
Numaan Huq, the report's author, wrote that, by studying stolen data, the researchers were able to "get a picture of what attackers are looking for, how they use the data, how much it costs, and where it eventually ends up."
Stolen Uber accounts currently cost $1.15, and full credit reports of individuals with very high credit scores are $25 per report, according to Trend Micro. eBay accounts with transaction histories (making them less likely to get flagged) come in at $300, the study says.
Even scans of driver's licenses and utility bills have value. Huq reports each document can fetch $10 to $35. The scans are used to create counterfeits or steal identities.
In addition to this black-market pricing data, Trend Micro explored the causes of data theft. And they came up with a surprise. Hacking or malware are not the leading causes of breaches. Trend Micro says it is device loss that's the problem.
It's "sensitive information stored on employees' laptops, mobile devices, and thumb drives," the report says.
Device loss accounts for 41% of breaches, compared with 25% that derived from hacking and malware.
Rounding out the numbers are 12% for insider leaks, 17% from unintended disclosure, 1% from payment card fraud, and 3% unknown breach causes.
Although the retail sector gets the most attention for breaches in the media, it's healthcare that has actually suffered the most.
Healthcare had more than a quarter of the breaches, with 27%. Retailers provided for 12%.
Huq points out that "businesses and organizations" don't report all data breaches.
"Breached organizations are not legally mandated to disclose what data was compromised if this doesn't belong to customers," Huq wrote in the report. Intellectual property would fall into this category.
It's one reason Huq has been studying the data, as opposed to simply looking at reported breaches.
And what to do to stop the breaches? "Data breaches are inevitable," Huq writes. But enterprises can help themselves by following the "Critical Security Controls," a publication of best practices for computer security, says Huq.
The document is maintained by the Center for Internet Security (CIS) and covers such items as inventorying devices and software, malware defenses, data recovery capability, and so on.
And the "proverbial keys to the kingdom?" If attackers really want to gain the most?
Huq wrote that it is "credentials," more specifically, "the credentials of a network administrator."
This article is published as part of the IDG Contributor Network. Want to Join?