This article is a continuation of the Darknet Chronicles, a series brought to you by Teramind. This collection of eight articles will focus on bridging the gap between stolen information, insider threats, and the darknet. You can expect to learn about the journey of information after it is stolen, how insiders help set up the breach, and what you can do to protect your company from darknet insiders.

Have you ever wondered where exactly data goes after it is stolen? It’s not like physical property which can only be in possession by one person at a time. If someone steals your pen then you are no longer able to utilize that commodity anymore. When we think about theft this is the common concepcion. However,data is something different altogether. While it is a commodity, it is reproducible at zero marginal cost. This creates some unique characteristics for data and what theft and value mean. In this article we will be exploring why data gets stolen and exchanged. You will also come to understand what specific types of data are stolen the most and what the journey of those datasets are. By understanding how and where data journeys you can better understand where cyber security experts are looking for your stolen data along the theft/sales cycle. While data often gets circulated in underground markets, operations and marketing are very similar to what you would expect from any other business.

Why Does Data Get Stolen

Data is a commodity that circulates within markets like all other commodities, so supply and demand logic applies. Data is often produced to be used in a specific context, it is not often produced for exchange. However, data rarely has an exclusive use and to people with malicious intent can be used for some serious harm. The demand for data is never ending because of the various parties who want to use it for their own ends. For example a hospital may hold medical records that were generated over the years for general health management and developing insight into a patient’s health needs; but other parties may find other uses for that data that impact that same patient’s life. Their managers at work may leverage that data to determine if their employee is costing them more money due to poor health choices. An antagonistic person in that patient’s life may use their health data against them. The data itself is not malicious but people’s intentions with data can be.

Access to such personal data is usually protected by the institutions and organizations that generate or manage that data, however with everything going digital data has been more vulnerable to theft than ever. The people who steal data are not usually the actors above, but often they are simply underground criminals. They are hackers looking to make a quick buck and information peddlers looking to sell that stolen data to anyone willing to buy. Your everyday people who have bad intentions may not know how they can get a hold of the data, but they do know how to purchase it from the darknet when it is stolen, or they know how to hire hackers who can target people and organizations they need. For the hackers, this may be simply a test of their skills or for the “lolz” as some of them put it.

Quite simply hackers and data peddlers are the suppliers, while your everyday people with ill intent are your buyers. Let’s examine below the journey of some of the most targeted forms of personal information stolen.

Journey and Value of Medical Data

One of the most lucrative digital commodities on the darknet is medical data, or electronic healthcare records (EHR). When EHR data is stolen there is an air of uncertainty because there is so many ways in which medical data can be used. It is difficult as well for a victim to identify or make the connection that an incident such as a job rejection or insurance premium hike was a result of a data breach from years ago.

The hackers who cause data breaches to happen are either working with someone or are simply looking to put some fresh inventory on the market, that inventory is stolen data. Most data breaches start with a malicious or manipulated insider and failure of a medical institution managing insider threats. When the EHR data is stolen it is not always apparent at the moment to the victim medical organization, in fact the breach could last years without anyone knowing. Once a hacker has their hands on data they will start posting on both the clearnet and the darknet on forums about recent data dumps. However what is more likely to happen is that there was an arrangement already in place with a client who the hackers were working for. If a client wants data, all they have to do is hire a hacker who turns it over to them. In the cases where it is not, the EHR data goes up for sale. Once the data is purchased no one but the buyer really knows how it is put to use.

One of the most well known hackers in the medical space is TheDarkOverlord (TDO) who specifically targets medical institutions. Although recently the notorious hacker has become interested in Hollywood production studios and local governments. TDO is very brazen and even talks to reporters when they launch a cyber attack. TDO is wanted by the Department of Homeland Security and by officials in the UK. Hackers such as TDO do make money out of extorting victims after attacks but this is not the norm despite how high profile it is. In June 2016 TDO listed an EHR database for sale that held the details of roughly 9 million Americans, in this case they also communicated with reporters. This could be seen as a form of PR or marketing for them and signals to buyers that records are up for grabs again.

In 2016, TDO communicated with the Darknet news site “DeepDotWeb” and provided images of a healthcare database hack he had for sale on the market for nearly $400,000 USD. TDO also provided some context on three healthcare organizations he breached earlier that same year where he made off with the records of nearly 650,000 patients across the US. The infamous hacker had stated that all credentials were accessible and in a simple plain text format, making the hacker’s job that much easier. He expanded more in the comments section of the same article that was written about him. This is still within the realm of marketing for hackers, TDO is known because they are effective at it.

Medical data is one of the most demanded type of stolen data online. The value of your average medical record was around $75 or more, which is a lot for stolen data. This high price point contributed to a surge of hackers and data vendors causing data breaches to stock up on their supply. Healthcare organizations were also one of the worst sectors when it came to cyber security, so hackers essentially had a field day. The darknet data markets are now flooded with medical records to the point that the price has dropped to around $30 per medical record. It would be safe to assume that your healthcare data is likely for sale somewhere out there.

Journey and Value of Financial Data

When financial data is stolen it is the most visible and the type of breach that everyone is terrified of. When data breaches happen it is financial data that everyone is concerned was stolen, and processes from banks are readily in place to take care of people. However, these processes have led to something of a complacency among people maintaining good security practice. When it comes to financial data people have become rather numb. Even back in 2014 someone wrote an article about it when Home Depot got hacked. However it is this exact numbness among the population that hackers on the darknet take advantage of. If you know a bank is simply going to replace your card or you get free credit monitoring what is there to worry about right? Well quite a lot actually especially if hackers and buyers understand being patient before using the data immediately.

Financial data can account for many different types of sensitive data that we regularly interact with to get around in our society. In some cases hackers only got for credit card (CC) information, but lately there has been a spike in data breaches that include credit card data and personal identification data. At times on the darknet the bank accounts are for sell too, at much higher prices.

The process of stealing the data is similar to how medical records are stolen. In the Equifax breach there was tons of financial and personal information leaked. Often there is little an individual can do to protect themselves because the targets are often businesses and institutions. Financial data and personal information are now usually sold in batching unless there is some form of proof of funds with the ability to launder the money. Prices for data are often around 10% of what is in the bank account and for a single credit card the price can range from $5 to around $12. However in places with unverified caches of data you can find a batch for $4. New purchasers on the darknet though may find a harsh welcome. What often happens to people who are new to the buying process is that they pay and never receive the stolen data they just purchased. This is because anonymity provides sellers a shield and no accountability. The only mechanism that holds sellers accountable are forums and even public forums such as Reddit. They often try to warn people about certain sellers and what the proper process is.

The way in which data is sold is through what’s called escrow. Essentially this is where a third party holds payment until the product is delivered. The role of escrow is to manage a transaction. For data peddlers who operate through escrow on the darknet, they are considered by the community to be safe and legit.

The difference between financial data and healthcare data is not really much. In both cases the final use for the data will be identity fraud or sabotage. However it doesn’t take too long of a search on the web to find reports of how bad medical institutions are at cyber security. This is in contrast to the financial sector. The financial sector has take cyber security very seriously, despite this there are still data breaches, but no where near as frequent as healthcare organizations. Among hackers healthcare organizations are considered low hanging fruit to get started with.

Data moves just like any other stolen commodity, the difference is that you still have possession of the stolen data, they simply stole a copy. The value of data is not the data itself but what actions can be taken with the right data. Data thieves can live whole other lives as another person, they can launder money, sabotage people, and many other acts. Data becomes empowered by the intentions of the party handling it. In the wrong hands and outside of its context data can become dangerous. Stay tuned for more articles about how insiders navigate and use the Darknet.

Darknet Chronicles Pt 1: Clearnet vs Darknet
Darknet Chronicles Pt 2: How Insiders Use the Darknet
Darknet Chronicles Pt 3: Forums & Sabotage
Darknet Chronicles Pt 4: How Money is Exchanged