What is your bank account data worth on the black market? This Germany data breach shows the value of sensitive consumer data. On Monday, IT World reported:
"Reporters for WirtschaftsWoche (Economic Week) managed to obtain a CD containing 1.2 million accounts after a November face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12 million for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate."
The cyber criminals offered to sell the sensitive consumer data (e.g., 21 million German bank accounts) for a reported 12 million Euros or about US $15 million. That's about US $ .70 per account, depending upon the exchange rate. Apparently, that is the low price:
"When sold in small quantities, full bank account details can fetch as much as $1,000 per record..."
That means, a criminal paying $1,000 for each consumer's stolen bank account data expects to steal at least that amount. What data was stolen, and how?
"That CD contained the names, addresses, phone numbers, birthdays, account numbers and bank routing numbers of the theft victims, they reported. In some cases, the victim's account balance was also provided. The data was most likely collected from call center employees, the magazine reports."
As I have written previously in this blog, there clearly are data security risks with offshore outsourcing and many U.S. companies, including the three national credit bureaus, outsource their call center operations. Also, even though the online passwords weren't included in the stolen data, the cyber criminals have enough personal data about the German bank account-holders to impersonate them, withdraw money from their bank accounts, and ultimately acquire (and/or change) the consumers' online passwords.