We’re a few weeks past the Equifax breach when we learned 143 million individuals had their personal data stolen. The chorus of “expert” commentary continues to drive the news cycle at a frenetic pace.
In the time since the breach was announced, details on the potential cause and the inevitable corporate fallout have made their way into evocative headlines – driving clicks and inspiring the next wave of “insights.” From unpatched systems to Equifax mistakenly directing victims to phishing websites, the story drives on, providing endless to fuel this media frenzy.
However, in this never-ending cycle of observations, a key question remains: is anybody actually listening?
A Painful Reality
The truth is, this data breach wasn’t the first and it certainly won’t be the last. With at least 400 significant data breach events every year during the last 10 years, billions of records are regularly stolen every year. It’s just a story that keeps repeating itself. However, these staggering numbers aren’t the most frightening revelation of this breach and those from the past 10 years.
No. What should give us pause is the fact that we’ve gotten used to it. As individuals, we’re desensitized to the threat of a breach.
Yes, desensitized. We no longer care. It’s part of our lives. And it rarely affects us personally.
As a famous South American economist once said, “the most sensitive part of the human body is the pocket.” If my pocket doesn’t feel the pain, I don’t feel the pain.
It’s understandable – but not justifiable – attitude. As an organization whose core mission is to “fight for the greater good,” the folks at Armor are keenly aware that the consequences of a data breach run far deeper and darker than any consumer protection regulation can mitigate.
It’s not money at stake – it’s lives. It’s an aspect that has me once again wondering: are we listening and understanding these threats, or are we just becoming apathetic to the media-driven noise?
Data Breaches Financing Evil
The Equifax data breach exposed names, social security numbers, birth dates, addresses, and driver license numbers of 143 million individuals. That’s the known.
What is unknown is exactly when threat actors will begin to exploiting this data. However, we can assume with some certainty, based on the type of records that were taken, how it will be used to inflict pain on victims and elicit profits for criminals.
We’ll now take a look at how this wealth of data will be monetized through several stages of a value chain.
Understanding the Value Chain of Stolen Data
Stolen records are a commodity. They’re traded in Dark Web marketplaces. Cash will be generated. This is the first stage of value creation. Think of it as a manufacturer selling good to distributors. Criminals now have their pockets lined with cash, but it doesn’t stop there.
These distributors will now move their product through their retail channels. More value is added at this stage, and a new set of criminals also profit. As the records exchange hands, their new “owners” use them in different ways:
Social Security Numbers, names and addresses can be used for identity theft. Criminals will apply for credit cards; those credit cards will be used in various purchases of popular consumer goods that can be quickly sold: drones, flat-screen TVs, designer shoes and a variety of other gadgets.
This illegal commerce is the basis for money-laundering activities that allow high-profit illicit enterprises such a terrorism, drug dealing, human trafficking and child exploitation to thrive.
Stolen cards are also used by criminals to anonymously buy goods and services they need to operate their “businesses:” hosting services, proxy services, Shadow Brokers tools and much more. They provide operating capital to finance the growth of the criminal enterprise.
Equally unsettling is the fact that, armed with a combination of driver license numbers, social security numbers, names and addresses, a criminal can get a victim’s birth certificate re-issued, walk into a DMV, and walk away with a legitimate driver license with their picture on it. These can be used for monetary purposes but also for boarding planes or entering secure areas with someone else’s identity.
Is It Really about the Money?
When you feel indifferent to a data breach because you know your bank or credit card company will not hold you liable for illegal charges on your credit card, think about those who are ultimately profiting from your stolen records. They’re stealing more than money – they’re stealing lives.
I’m not encouraging anyone to take drastic measures. Instead, I’m just imploring everyone to feel something, anything when a breach like Equifax occurs; for you to not just shrug at the news of breach before getting back to your daily life. This doesn’t have to be our reality. There is ALWAYS something YOU can do.
Make it personal. Take action.