When the U.S. Department of Justice announced the seizure of AlphaBay last year, they closed a criminal marketplace on the Dark Web known to have trafficked in everything from illegal drugs to malware over the course of two years. At the time of the takedown, AlphaBay was home to more than 350,000 listings, many of which offered stolen or fraudulent documents that anyone with the right amount of money could use to assume another identity. While closing AlphaBay was a move in a positive direction, it did little to slow the demand for stolen data.

In Armor’s Black Market Report, Threat Resistance Unit (TRU) researchers found that underground markets, like AlphaBay, are awash with personally identifiable information (PII) belonging to victims from countries all over the world. One of the key challenges of protecting PII online is its pervasiveness. As data breaches in the news continue to show, PII about employees, customers and the public is housed in all kinds of organizations, and the increasing digital transformation of today’s businesses only broadens the number of potential sources for hackers to target.

Full profiles of detailed information such as names, social security numbers, dates of birth, and even full credit reports can go for prices ranging from $40 to as much as $200. PII, referenced as “fullz”, was also observed packaged with credit card data to give the scammer extra information about the legitimate card owner in case their bona fides are challenged when they attempt to use the card.

Also highlighted in the report, templates for official documents and receipts, fake IDs, and highjacked social media accounts are supporting the theft and use of PII for other criminal revenue streams. For example, packets of document templates for creating everything from fake utility bills and bank statements to driver’s licenses and social security cards were being offered for $50. On the more expensive side of things are items like counterfeit passports and other IDs, which, depending on the country, could be sold together for thousands of dollars. Like any other market, customer service matters, so it is not uncommon for sellers to offer little bits of data to allow the buyer to confirm that the information they are being sold is accurate.

Armed with fake passports and other identification, buyers can potentially slip across borders without being detected. Combined with a hotel and airline package purchased from underground travel agencies, someone can travel without leaving a trail, potentially making it easy for fugitives and others to dodge law enforcement.

But PII is more than information in identification documents. While in the United States, PII is typically considered to be information such as your address, date of birth, social security number, and phone number, in other countries, laws like the European Union’s General Data Protection Regulation (GDPR) may define it even more broadly to include things like photographs or social media posts. While some may wonder why an Instagram or Facebook account would have value to an attacker, social media accounts can be ripe targets for identity thieves as well, allowing them to assume the identity of a victim and leverage the account for spam campaigns, malware distribution, personal data theft and more.

Each piece of data available in the underground is an entry point into deeper levels of crime, from mortgage and credit card fraud to everything in between. Last summer, federal authorities charged two people with taking part in a $12 million scam where they allegedly used personal information purchased online or obtained elsewhere to file false tax returns with the IRS. According to the government, the scam allegedly ran from March 2014 to March 2016.

In November 2017, an Atlanta-area man was sentenced to 65 months in prison for his role in a tax fraud scheme that used stolen identities to file phony tax returns and pocket the profits. Some of the identities were stolen from the database of a company in Oregon and purchased from sources in Vietnam by a co-conspirator. As part of the case, agents seized prepaid debit cards with fraudulent tax refunds still on them, as well as cash, electronic devices and approximately $79,000 worth of money orders. All totaled, the IRS determined the co-conspirators had acquired PII belonging to more than 250,000 victims.

The growing ubiquity of PII makes it vital for organizations take a data and risk-centric approach to security. Failure to properly secure some data, such as medical and credit card information, can lead to severe fines from the government, not to mention the potential lawsuits. To safeguard data, your organization must know where the PII is stored, who can access it, and how it will be accessed. In an age of remote workers, BYOD, hybrid clouds, and distributed computing, understanding the threat to your PII and protecting it appropriately is critical and more challenging than one might think.

To learn more about the trafficking of stolen identities, download our Black Market Report: A Look into the Dark Web.