Every year, massive data breaches occur that include sensitive personal information like credit card numbers, addresses and passwords among other information. Targets range from email service providers to government agencies and commercial retailers.
For example, when National Public Data, a company that does background checks, was breached, criminals gained access to the personal information of 170 million people. When Ticketmaster was hacked, personal data was released from 560 million customers. The average global cost of a data breach reached almost $5 million in 2024.
Tom Holt, a professor at Michigan State University’s School of Criminal Justice at the College of Social Science, studies the ways that hackers and cybercriminals misuse people’s private information in stolen data markets.
Here, he answers questions about stolen data and the major implications.
Content includes excerpts from an article published in The Conversation.
What kind of personal information do hackers steal, and how do they get it?
Every piece of personal data captured in a data breach — a passport number, Social Security number or login for a shopping service — has inherent value. Offenders can use the information in different ways. They can assume someone else’s identity, make a fraudulent purchase or steal services such as streaming media or music.
In the early 2000s, vendors transitioned to web forums where individuals advertised their services to other users. Forums quickly gained popularity and became successful businesses with vendors selling stolen credit cards, malware and related goods and services to misuse personal information and enable fraud.
Why is there so much demand for stolen personal data?
The quantity of information, whether Social Security numbers or credit card details, that can be stolen through data breaches is more than any one group of criminals can efficiently process, validate or use in a reasonable amount of time. The same is true for the millions of email account usernames and passwords, or access to streaming services that data breaches can expose.
This quantity problem has enabled the sale of information, including personal financial data, as part of the larger cybercrime online economy.
Stolen data is usually available in individual lots, such as a person’s credit or debit card and all the information associated with the account. These pieces are individually priced, with costs differing depending on the type of card, the victim’s location, and the amount of data available related to the affected account.
Where is stolen data bought and sold?
The sale of data, also known as carding, references the misuse of stolen credit card numbers or identity details. These illicit data markets began in the mid-1990s through the use of credit card number generators used by hackers. They shared programs that randomly generated credit card numbers and details and then checked to see whether the fake account details matched active cards that could then be used for fraudulent transactions.
One of the more prominent forums from this time was ShadowCrew, which formed in 2002 and operated until being taken down by a joint law enforcement operation in 2004. Its members trafficked over 1.7 million credit cards in less than three years.
Forums continue to be popular, though vendors transitioned to running their own web-based shops on the open internet and dark web, which is an encrypted portion of the web that can be accessed only through specialized browsers like TOR. These shops have their own web addresses and distinct branding to attract customers, and they work in the same way as other e-commerce stores. More recently, vendors of stolen data have also begun to operate on messaging platforms such as Telegram and Signal to quickly connect with customers.
Who runs these markets, and who are the buyers?
Many of the people who supply and operate the markets appear to be cybercriminals from Eastern Europe and Russia, who steal data and then sell it to others. Markets have also been observed in Vietnam and other parts of the world, though they do not get the same visibility in the global cybersecurity landscape.
The customers of stolen data markets may reside anywhere in the world, and their demands for specific data or services may drive data breaches and cybercrime to provide the supply. Vendors frequently offer discounts and promotions to buyers to attract customers and keep them loyal. This is often done with credit or debit cards that are about to expire.
Some vendors also offer distinct products such as credit reports, Social Security numbers and login details for different paid services. The price for pieces of information varies. A recent analysis found credit card data sold for $50 on average, while Walmart logins sold for $9. However, the pricing can vary widely across vendors and markets.
Why are data breaches likely to continue?
Data breaches are likely to continue as long as there is demand for illicit, profitable data. The rate of return can be exceptional. An offender who buys 100 cards for $500 can recoup their costs if only 20 of those cards are active and can be used to make an average purchase of $30. The result is a highly profitable system that incentivizes ongoing breaches.
How does your research shed light on stolen data markets?
As the director of MSU’s Center for Cybercrime Investigation and Training, we are engaging in different projects to reduce the threat these markets present. We are currently assessing how many people in the state of Michigan experienced a loss of information in data breaches and the extent to which they reported the experience to police, support entities like the Internet Crime Complaint Center, as well as their financial institution and other service providers. This will help develop messaging campaigns to improve awareness of the threat these crimes present and what victims can do to help protect themselves. We also provide free trainings to local police and criminal justice agencies across the state to aid in their response to different cybercrimes, like carding and online fraud.
