When Zappos notified its customers that their names, email addresses, billing and shipping addresses, phone numbers and the last four digits of their credit card numbers may have been exposed during a data breach earlier this month, the online shoe retailer emphasized that "critical credit card and other payment data was NOT affected or accessed."
That's definitely a relief. It means that the 24 million customers whose information may have been compromised in the breach don't immediately have to worry about finding mysterious charges on their credit card statements at the end of the month.
So what do they have to worry about? According to experts, the most likely security risks for consumers range from the annoying (more spam in their email inboxes) to potentially much more dangerous targeted "phishing" emails, where the sender disguises himself as a trusted individual or organization in order to trick the recipient into clicking a link that will download malware onto his or her computer or into giving the sender confidential information such as a password, credit card or Social Security number.
The hackers who infiltrated Zappos' databases certainly accessed a bundle of information. Other breaches, such as some of the web server attacks perpetrated by hacktivists, expose only names and email addresses. Whether large or small, these breaches raise a number of questions:
- Why is this information valuable to cybercriminals?
- What's the actual, monetary value of this information?
- What's the minimum amount of information cybercriminals need to perpetrate their misdeeds?
- When a company gets hacked, how long does it take before cybercriminals start exploiting the information they obtain?
- What's the risk to consumers when cybercriminals get this information?
- What are the odds of those risks occurring?
Why is this information valuable to cybercriminals?
Personal information is the currency of the underground economy. It's literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money.
Spammers, for example, might get a fresh list of email addresses to which they can send Viagra and Cialis offers. They make money (say $1 per click) off response rates or website/pop-up ad impressions. Meanwhile, identity thieves could use the email addresses to create a phishing scheme designed to trick people into giving up their bank account or credit card numbers.
Rod Rasmussen, president and CTO of Internet Identity, a Tacoma, Wash.-based Internet security company, says cybercriminals trade this information among each other to create a more complete picture of an individual. "The idea is, you put together more information on people so you can do more damage. You get their name, credit card number, PIN number, email address, phone number from different sources to get their full information."
What's the actual monetary value of this information?
A name or email address is worth anywhere from fractions of a cent to $1 per record, depending on the quality and freshness of the data, information security experts say.
"There's so much data flowing around, you have to have lots of it in order to get money for it in the underground," says Rasmussen. "Even credit card numbers are going for under $1."
That may not sound like a windfall, but when you multiply it by millions of records, it quickly adds up. Take the Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop—cha-ching—they've just made $250,000 off of one hack.
Botnet operators make even more money. Say you own a botnet that consists of 100,000 computers. You may rent it out to spammers for $1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowB4, a provider of Internet security awareness training based in Clearwater, Fla. If you rent or buy the 24 million records from Zappos' so that you can then send malware to those email addresses, even if only 20 percent of recipients get infected with your malware that takes control of their computer, you've still grown your botnet by about 5 million computers with very little work, he adds.
"Now you can charge $5,000 an hour instead of $1,000 per hour for 5 million bots that start sending spam," says Sjouwerman. "These guys make money hand over fist." Of course, their illegal activity also means criminal charges, jail time and financial restitution.
What's the minimum amount of information cybercriminals need to perpetrate their misdeeds?
Sjouwerman says all cybercriminals require to start doing damage is an individual's email address. With that, they can inundate victims' inboxes with spam.
To steal people's identities or commit credit card fraud, cybercriminals need a password, credit card or Social Security number, says Rasmussen. If they have people's email addresses, they can sometimes obtain that more sensitive data by sending phishing emails or distributing malware via email, says Sjouwerman. Some malware installs key-logging software that records usernames and passwords when they log on to their various online accounts, he says. If one of those accounts is a bank account, cybercriminals can quickly empty it.
If cybercriminals get only the last four digits of your credit or debit card, they may be able to use it to reset your password on an ecommerce site, says Rasmussen. Some companies use the last four digits of customers' credit cards as a PIN code, and they may ask for it if you need to reset your password, he says. So cybercriminals may use it to reset your password so that they can make purchases using your account. But more likely, adds Rasmussen, "They'll sell that information to someone else who will do some other attack."
When an organization gets hacked, how long does it take before cybercriminals start exploiting the information they obtain?
It depends on the criminal and the information they obtained, says Rasmussen. If credit card numbers are involved, fraudsters will start using that information immediately, he notes. Cybercriminals who use emails for phishing schemes may also act quickly. To trick more people into downloading malware onto their computers or giving out sensitive information, cybercriminals may send a fake breach disclosure notification asking victims to reset their passwords on a website that looks real but is, in fact, fake, before the company that was hacked sends out a disclosure notice, says Sjouwerman.
That's why it's critical for organizations whose customer information has been compromised in a breach to send notifications as soon as they know what happened and who was affected, says Rasmussen. He notes that the European Union is considering a law that would require companies to notify customers of breaches within 24 hours.
What's the risk to consumers when cybercriminals get this information?
If your email address was compromised in a security breach, you can expect more spam, phishing emails and malware sent via email. The malware could allow cybercriminals to take control of your computer so that it becomes part of a botnet, says Sjouwerman. It could allow them to activate the webcam or microphone on your computer so that they can spy on you. It could download key-logging software onto your PC so that the criminals can record your passwords and or financial information, he adds.
If hackers obtain more information than just your name and email address—if they get your phone number, mailing address, the last four digits of your credit card number—they can create more convincing and effective phishing schemes that can ultimately lead to identity theft and credit card fraud.
What are the odds of those risks occurring?
Rasmussen and Sjouwerman agree you can count on getting more spam if your email is exposed in a breach. You also need to be wary of "phishy" emails. Four in 10 individuals will fall for a phishing attack, based on Sjouwerman's anecdotal research. He conducted an experiment with one of KnowB4's customers, a defense contractor, in which KnowB4 sent a fake email, allegedly from the company's CEO, to 100 employees whose email addresses KnowB4 found on the web. In the email, KnowB4, posing as the CEO, asked employees to make changes to their benefits via a website KnowB4 spoofed. Forty percent of employees fell for the scam.
Unless your credit card number or bank account information was compromised in the breach, you don't have to worry about financial fraud, provided, of course, you don't give that information to a phisher.
If hackers make off with credit card numbers, you can expect to find fraudulent charges on your next bill, and you should alert credit card companies and credit reporting agencies that your information may have been compromised in the breach. After last year's Sony PlayStation Network hack, some PlayStation Network users began reporting fraudulent charges on the credit and debit cards they used to access the PlayStation service, but at the time there was no way to tell whether the fraud was a result of the Sony breach or just a coincidence, according to CNET.
Obviously, not all breaches will lead to identity theft and credit card fraudor even extra spam and phishing emails. CIO.com recently contacted 10 individuals whose names, email addresses and passwords were posted to Pastebin after LulzSec hacked PBS last May to find out if they were impacted by the breach. Of four people who responded to CIO.com's inquiry, three said the breach didn't affect them in any way. The fourth declined to comment.
Even if hackers obtain only people's names and email addresses, what troubles people the most, says Rasmussen, "is the feeling of being victimized: Somebody without your permission has published something about you."
Meridith Levinson covers Careers and Security for CIO.com. Follow Meridith on Twitter @meridith . Follow everything from CIO.com on Twitter @CIOonline and on Facebook . Email Meridith at firstname.lastname@example.org.