After Sony Pictures Entertainment's computer network was breached in late November, it appeared the hackers wanted to blackmail the company.
"We've got great damage by Sony Pictures," read an email sent to Sony executives. "The compensation for it, monetary compensation we want."
Apparently Sony Pictures didn't give the hackers what they wanted, and gigabytes of data were posted online, including a spreadsheet of all of the company's employees and their salaries.
Though the Sony hackers apparently did not get what they wanted, data clearly has a value. But determining its value depends on a variety of factors. And it's not as easy as it used to be to cash out.
Home Depot lost 56 million payment card numbers and 53 million email addresses between April and September in one of the largest data breaches on record. Batches of stolen card numbers soon appeared on underground forums, priced according to the potential cash-out value.
But banks are acting faster than ever to shut down compromised cards, meaning fraudsters have to steal ever-larger batches of numbers to compensate for lower margins.
For example, if 10,000 cards are stolen, as few as 100 may have the potential for a successful cash out and maybe 10 cards will actually be productive, said Alex Holden, founder and chief information security officer for Hold Security, a Wisconsin-based company that specializes in finding stolen data on underground websites.
It's also become more complicated to steal card numbers because of better cybersecurity defenses, he said.
Hackers need email lists of potential victims, spam messages crafted to evade filters and specialized malware that can slip past antivirus software. Similar to the gold rush, where many profited by selling shovels and mining equipment, there's a healthy trade in such lists and tools. But those expenses all ultimately come out of a hacker's bottom line.
"You can no longer do an operation by yourself," said Holden, whose company discovered data breaches affecting Target and Adobe Systems. "Every person in that chain wants to get paid."
One way fraudsters have attempted to expedite cashing out on stolen card data is by creating bogus merchant accounts with payment processors. That way, cards can be charged to fake businesses in transactions that appear real before card companies have a chance to shut down the numbers.
IntelCrawler, a Los Angeles-based security company, found an advertisement for such a system called the "Voxis Platform." The program lets scammers potentially increase the profit from their illegal gains by scheduling amounts to be charged at certain times to the payment processors.
"Cybercriminals don't have enough resources to monetize stolen data in big volumes," said IntelCrawler CEO Andrew Komarov via email. "It really has a small margin, and it is pretty complicated to resell it in big amounts."
Sign up for Computerworld eNewsletters.