How cyber criminals use the Dark Web to monetize stolen healthcare data

Criminals have become incredibly adept at monetizing stolen identities on a massive scale
By Rick Kam
11:05 AM

This is part 1 of a 3-part series on current cyber risks.

According to Paul Kocher, one of the leading U.S. cryptography experts, there has been a 10,000-fold increase in the number of new digital security threats in the last twelve years.1 So it's no real surprise there have been a lot more data breaches in the news lately, particularly in healthcare. In fact, criminal attacks are now the leading cause of healthcare data breaches, according to the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon Institute.

If you're concerned with data security or privacy these days – and who isn't? – you need to understand the fast-changing world of cyber-crime, cyber-terrorism, and cyber-espionage. In this first article of a three-part series, I'll dig into the motivations and methods of cyber-criminals.

Follow the money
How could there be, as Kocher says, a 10,000-fold increase in threats in twelve short years? The answer is simple: money. Criminals have become incredibly adept at monetizing stolen identities on a massive scale.

Two factors have provided the growing conditions for this problem. First, large-scale cyber-crime is a natural consequence of the massive digitization and integration that has been going on since the 1990s. Simply put, there are massive amounts of information connected to or traveling across the Internet. The second factor is the "Dark Web," the web content that exists on so-called darknets, limited-access sites that overlay the public Internet and are often used for illegal or criminal activity. The Dark Web offers cyber-criminals multiple global marketplaces in which to sell stolen personal information. The abilities to steal and easily sell massive amounts of personal information have transformed the economics of information theft.

Best practices in a bad business
One interesting shift over the last decade is that identity fraud is now a multi-tier business. According to Ken Westin, senior security analyst at Tripwire, many people underestimate the complexity of these transactions. For example, credit card numbers are typically sold in bulk to brokers, who then sell the numbers to individual buyers. Top sellers can even give away personal records as free samples so buyers can see the quality of their wares. This chain of distribution lets cyber-thieves concentrate on stealing information without the effort of exploiting it, and it makes it harder for law enforcement to trace the theft back to the source.

Because stolen information has a "shelf life," just like groceries and other perishable goods, buyers have a limited time to exploit it. At some point, the theft will be discovered, either because the business discovers their systems were compromised or because the victim becomes aware the information is being misused. Unfortunately, it's usually the latter, and the damage is done long before a breach is discovered.

There are a number of different schemes for monetizing it in a timely way. Medical identity fraud either takes the form of fraudulent billing by unethical providers or misuse of another person's medical records to obtain care. This kind of fraud may not be discovered for months or years, making stolen medical identities among the most valuable. Bank fraud is also less time-sensitive. If a buyer can get fairly complete bank information, they can clear out accounts before the account holder realizes it, and bank accounts don't have as strong protection as credit cards.

The black market: Where stolen information is commoditized
Cyber-criminals sell stolen information on black markets either individually or in lots, and the price varies depending on how much value the buyer can get from the information. For example, easily obtainable information such as birthdates will go for a few dollars, since it can't be monetized by itself. More valuable information such as a medical record can sell for $50. Business Insider reports that ready-to-use counterfeit Social Security cards can sell for $250 to $400, and bank account information sells for $1,000 and up, averaging 6 percent of the money in the account.

So how much can cyber-criminals make? In its 2014 report, the Center for Strategic and International Studies estimated that cyber-crime extracts 15 to 20 percent of the $2 to $3 trillion dollars generated annually by the Internet economy. That's between $300 and $600 billion a year. Clearly, cyber-crime is paying off big-time.

A strategic defense
In Nicole Perlroth's New York Times article, Scott Borg, the head of the non-profit United States Cyber Consequences Unit, sums up the state of cyber-security: "People are still dealing with this problem in a technical way, not a strategic way. People are not thinking about who would attack us, what their motives would be, what they would try to do. The focus on the technology is allowing these people to be blindsided." The last few years have certainly proven that cyber-criminals can outrun technology, and it's also not financially feasible to defend your data on all fronts. To mount a strategic defense, you have to understand where the next attacks are likely to be coming from.

In my next article, I'll dive deeper into the Dark Web where many of today's cyber-attacks are born. 

Rick Kam is president and co-founder of ID Experts