Speaking in a recent interview on CBS’ 60 Minutes, Tim Sparapani, a former privacy lawyer for the American Civil Liberties Union, commented “Most retailers are finding out that they have a secondary source of income, which is that the data about their customers is probably just about as valuable, maybe even more so, than the actual product or service that they’re selling to the individual.”
It was a chilling admission that the world has changed in ways most of us never expected, and that there may be more value in private data about people than in selling goods and services to those people. Or stealing from them.
The same rules apply to the criminal underworld, where it’s becoming very obvious that information is the top currency – more valuable even than bank accounts and credit cards. For example, in a study just published by Russian security firm Kaspersky, the number two target for phishing attacks around the world in 2013 was the financial community. That includes banks, credit card companies, and payment systems like PayPal and Western Union.
Any guess what the number one target for phishing was? How about social networks? According to Kaspersky, social networks are the top target for cybercriminals because they offer so much more than bank accounts and credit cards. Instead of providing access to just one victim, each victim can provide access to hundreds and even thousands of people in their social circles. And all those individuals share lots of personal information that will go further on the black market than any credit card can.
And the evidence is in the black market itself. A study by the RAND Corporation found that while a hacked Twitter account can fetch more than $300 on the black market, a credit card can typically fetch less than a dollar. There are two reasons for this huge difference – the web is awash with stolen credit cards that can have a limited time value because they can be cancelled; but a Twitter or Facebook account can expose a wealth of private data about you, your friends, contacts, interests, beliefs and so much more. The kind of information criminals will pay a much higher price for.
So what’s the point? Well it’s not that you can rest easy about protecting your customer credit and debit cards. Do that, and you’ll be able to count the days your business will survive. The point is that all data is now of value to crooks.
It’s not just credit and debit card information, but any information. Customer and employee email addresses, mailing addresses, home phone numbers and cell numbers are all highly valued. An email address and password are of far more value than a credit card because for most people, their email provides a window into their lives.
It tells hackers who your friends, family and work contacts are. It can include sensitive personal and business discussions and secrets, statements and alerts from your bank and credit card providers, your personal habits, hobbies, beliefs, your travel and vacation plans etc.
And it’s that reality that’s going to make ensuring data privacy and preventing security breaches more costly. Never assume that it’s only credit and debit card information that you need to protect. That’s just where you start. Where do you finish? You don’t. Protecting data never ends. That’s just business.
Focus as much on protecting your data as you do on serving your customers. As long as you do both as best you can, you stand a much better chance of avoiding a data or security breach. And of being forgiven should there be a breach.