CIO — When Zappos notified its customers that their names, email addresses, billing and shipping addresses, phone numbers and the last four digits of their credit card numbers may have been exposed during a data breach earlier this month, the online shoe retailer emphasized that "critical credit card and other payment data was NOT affected or accessed."

That's definitely a relief. It means that the 24 million customers whose information may have been compromised in the breach don't immediately have to worry about finding mysterious charges on their credit card statements at the end of the month.

So what do they have to worry about? According to experts, the most likely security risks for consumers range from the annoying (more spam in their email inboxes) to potentially much more dangerous targeted "phishing" emails, where the sender disguises himself as a trusted individual or organization in order to trick the recipient into clicking a link that will download malware onto his or her computer or into giving the sender confidential information such as a password, credit card or Social Security number.

The hackers who infiltrated Zappos' databases certainly accessed a bundle of information. Other breaches, such as some of the web server attacks perpetrated by hacktivists, expose only names and email addresses. Whether large or small, these breaches raise a number of questions:

• Why is this information valuable to cybercriminals?


• What's the actual, monetary value of this information?


• What's the minimum amount of information cybercriminals need to perpetrate their misdeeds?


• When a company gets hacked, how long does it take before cybercriminals start exploiting the information they obtain?


• What's the risk to consumers when cybercriminals get this information?


• What are the odds of those risks occurring?

Why is this information valuable to cybercriminals?

Personal information is the currency of the underground economy. It's literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money.

Spammers, for example, might get a fresh list of email addresses to which they can send Viagra and Cialis offers. They make money (say $1 per click) off response rates or website/pop-up ad impressions. Meanwhile, identity thieves could use the email addresses to create a phishing scheme designed to trick people into giving up their bank account or credit card numbers.

Rod Rasmussen, president and CTO of Internet Identity, a Tacoma, Wash.-based Internet security company, says cybercriminals trade this information among each other to create a more complete picture of an individual. "The idea is, you put together more information on people so you can do more damage. You get their name, credit card number, PIN number, email address, phone number from different sources to get their full information."

Continue Reading