Putting a dollar value on data

Fortinet’s Alain Penel adds a dollar value to all sorts of data types. The results are illuminating

By Alain Penel. Published June 23, 2017

Personal data is extremely valuable to the person from whom it originates. We all have it and we all want it protected when we share it. But do we know how much that information is really worth?

If we were to take a dive into the world of stolen information, we would find a wide range of pricing depending on details such as the type of data, the volume being purchased, and the target from which the data was collected. While prices vary widely, here are a few rough approximations for the current value of information.

Valid credit card numbers can be purchased for around $0.50. If the credit card comes with names, PINs and other vital information, the value increases to the $2.00 to $2.50 range per card number.

The theft of Yahoo! accounts is probably the largest data theft in history. Three copies of the entire data set sold for about $300,000 per copy. That makes each record worth a whopping 1/3 of $.01 on a per-sale basis. The basic premise is to provide customers with the ability to buy more so they will save more on a per-unit basis.

Bank accounts are a little tough to value, but generally speaking the price of a valid bank account, including login credentials, varies according to the amount associated with the account. There are bank accounts and associated names being sold relatively cheaply (under the $1.00 range). Typical bank account information is sold at a pretty low price.

Medical records are a little more interesting, as they currently bring in from $10 to $20 per record. This is relatively steady and accurate compared to bank account information. It seems that medical records have an intrinsically higher value placed on them than the more common types of financial information. The question is … why?

Financial Information Issues: When we analyse financial information, there are a few issues that become readily apparent. The primary one relates to the longevity of the information’s usefulness. This includes credit card numbers/PINs and banking account information. Fraud detection, velocity of discovery, and tracing activity are the three major problems criminals encounter with financial information.

Fraud Detection

Banks live and breathe fraud detection, and consumers exert a high demand for implementing adequate financial protections. In order to stay competitive, banks have to keep pace with the marketplace, regulators, and consumer trends. Fraud detection is a competitive edge from a cost and customer confidence perspective.

Chip and PIN systems assist in thwarting the bad guys. Some chip implementations validate the chip serial number and credit card pair back to the bank prior to releasing funds. There are a variety of potential barriers to block unauthorised use of the chip and PIN combination.

Velocity of Detection: We now have the ability to rapidly identify suspicious behaviour as it pertains to our financial transactions. We can set clip levels of transaction alerts for our bank accounts. These include the ability to block transactions based on transaction amount, location of purchase, time of purchase, and other parameters – all customisable by the account holder. Accounts can be frozen until the suspicious behaviour is properly communicated, analysed, or managed.

Traceability: Financial institutions have the ability to trace transactions with a high degree of accuracy as money flows between accounts. A digital paper trail is a glowing set of arrows pointing back to the perpetrator. Customers report fraudulent transactions to the bank, which notifies the authorities, who work with banks to back-trace account transfers and arrest individuals involved in stealing funds.

So if we look at bank account and credit card data from those three perspectives, the information has a very limited shelf life and poses a higher potential for identification of the individuals stealing money. It is simply a high-risk model best left to amateurs or those criminals with little imagination.

Medical Records

Cyber criminals love medical records for several reasons.

Depth of Information: Medical records contain full names, date of birth, parental information, social security numbers, addresses, phone numbers, next of kin information, and a wide variety of other types of personal information. This information is useful for a wide range of cybercrimes.

Longevity: Medical records provide a much longer shelf life for the cybercriminal. It can take months for medical record theft to be discovered, and an even longer period of time to notify the individual that their data was stolen. This allows a deeper analysis of the information at an almost leisurely pace.

Limited Recovery: When a medical record is stolen, recovery to an operationally restored state is extremely difficult if not impossible. Once your medical record information is stolen, it has a very long shelf life from a criminal’s perspective.

Work Correlation: Medical records provide extremely valuable data. One example is the medical plan identifier. This is typically represented by a number or an alphanumeric string, and relates directly to a single company’s medical plan. If a cybercriminal knows the company associated with a medical plan, it is relatively simple to discover other records using that same plan identifier.

Once that is completed, the resulting pile of medical records can be further sifted to provide an even stronger probability of linkage between individuals. The simplest method is to take the country code and next two or three digits of a phone number and cross reference them. Once these steps are completed it is relatively simple to socially engineer a situation that results in malware being inserted into a corporate IT environment. Cybercriminals can create emails from one friend in a company to another with commonly used document formats harbouring malicious code. They can even determine the department, such as finance, HR, receiving, etc., and leverage that to customise a malware delivery package that will have a very high potential of success.

Conclusion

Millions of medical records have already been stolen. With the static nature of the information contained in them, cybercriminals have years to analyse and mine data, then correlate that information to create highly customised malware packages. Employee awareness training, data backups, or the daily integration of malware signatures into firewalls may not be enough. Reactive measures fail.

Alain Penel, regional vice president for Middle East, Fortinet.
