That was the message I got from a CEO when we presented evidence that their organization had been compromised and the attackers had been free to roam for months, resulting in the theft of terabytes worth of data. Actually, the exact words were “So we’ve been hacked, eh? Well, it’s Friday afternoon now so I will get my IT guy to look into it on Monday.”
This response is not uncommon, and to be fair it is better than the usual indifferent response of “So what?” Yet it is disheartening to act as messenger only to realize that your audience has left the auditorium. It is partly because of this level of apathy that we undertook the research which has resulted in the new report I coauthored with my colleagues Francois Paget and Charles McFarland: The Hidden Data Economy: The Marketplace for Stolen Digital Information. Released today, the report highlights what happens with stolen data after a data breach.
In the past, we have covered the concept of “Hacking-as-a-Service,” and although that research did touch on the sale of stolen data—namely credit cards—it just scratched the surface. In this report, we delve deeper into the topic, highlighting ways in which all sorts of stolen data is monetized.
What worries us the most is just how personal some of the data is. Want to be an identity thief? Simply order the person you wish to become. I remember one conversation with law enforcement as we were writing the report. When we uncovered some individuals whose lives were being traded by criminals, we offered advice to the police on what to tell the victims. The conversation went along the lines of “You may not be aware of this, but your entire digital life including that of your family is being sold by criminals somewhere on the Internet.”
This is why data theft matters—it is often very personal. It is easy to talk about cybercrime having something to do with computers, but the reality is that the systems are just objects used in attacks. It matters because it can be about not being able to get a mortgage because someone has destroyed your credit rating. Or about being accused of sending hateful messages via your social media account because someone gained access to your mailbox. The truth is that cyber theft can, and often does, affect peoples’ lives in profound ways.