Stolen credit card data and confidential financial information can move fast in the hands of thieves, a lot quicker than most consumers or IT organizations likely realize.
However, the good news is that there's a bit of a window to prevent big damage if a breach is identified in fast fashion. If users are notified, they can shut down accounts and start monitoring card activity and account changes.
That's the outcome of an experiment undertaken by BitGlass, a security and data monitoring services provider. The "Where's Your Data" exercise used data tracking tools to monitor where and when vulnerable data goes once it's discovered by hackers.
Bitglass created a fake file of credit card data and seeded it in some forums where hackers lurk and dropped it in a Dropbox account. After a week or so, the data was snatched and went to 22 countries and five continents and was accessed by 1,100 in just 12 days. It was shared with peers by two cybercrime syndicates based in Russia and Nigeria.
"We were trying to figure out, is there really a liquid market for breach data?" said BitGlass CEO Nat Kausik. "If you go out there with a million social security numbers, what do you do with it?"
The Excel file held names, phone numbers, social security numbers, addresses, fake person profiles and credit card numbers. The file was then tagged with a hidden watermark that would let BitGlass know every time the file was opened. During the first week to eight days, the file stayed where it was and only got 200 views.
However, then it started drawing tons of attention, and 800 views in the next few days. Ultimately, it was downloaded by 47 different parties.
"Our goal was to see how liquid the market is for breached data," said Kausik. "We were curious to see what happens to it after a breach."
One thing BitGlass learned is that hackers and thieves apparently vet data before stealing it.
"People do cross-examine it and download it, looking for breached data," he notes.
The exercise also reveals there is a healthy dark Web market for buying such confidential information, but the research effort didn't explore that aspect by offering the file for sale.
"There is a well-established online marketplace," adds Kausik.
What was most surprising, says BitGlass, is that the "vetting" time, which amounted to about eight days in the experiment, is plenty of time for enterprises to react to a data breach. The key, obviously, is discovering such hacker activity so quickly.