The Price of Data in the Underground Economy
Monetizing data is a growing topic of conversation globally. The proliferation of data and the Internet of Things (IoT) is providing a lens into customer usage like never before, one that will help drive innovative models for data monetization. Yet one cannot discuss the opportunities that come with big data without thinking about data security. As pricing consultants, we are constantly thinking about capturing part of the value provided to users through sophisticated pricing models. But how does the underground economy of stolen data and malware operate? Do the same principles of supply, demand, value drivers and market segmentation apply? In this blog, I compare how stolen credit card data and ransomware are priced in the underground economy.
Stolen Credit Card Data
The once lucrative stolen credit card data market has become commoditized due to an oversupply of data. Previously, the price of stolen cards was differentiated by a) brand (AMEX and Discover fetching less than Visa or Mastercard due to the latter having stricter security measures), b) the region where the underground marketplace is located (e.g. US, UK, EU) and c) the type and usability of the data. In recent times, the overall price of stolen card data has commoditized and, according to McAfee research, the data has become brand agnostic, with asking prices ranging from $5 per card in the US (due to relatively lax card security standards) to $20-$30 per card in the UK, Canada, Australia and the EU.
Currently, per-unit card prices differ somewhat and fetch small premiums depending on the type and amount of personally identifiable information included. Outside the US, there isn't significant price differentiation in the global marketplace. However, hackers can still charge a premium (up to $1190) by providing value-added information such as account balances and purchase behaviour to the buyers of the stolen data. This information helps the buyer avoid security measures and extract more value from the stolen card. In other words, value-based pricing prevails.
Ransomware
Ransomware is a type of malware that prevents access to users' systems by encrypting their data and demanding money to decrypt or unlock it. While the stolen credit card market has commoditized, the large influx in the volume of data across industries has had the opposite effect on the ransomware business model.
It is a high-growth underground economy, estimated to have cost businesses $1 billion in 2016. The existence of a supporting ecosystem, such as Ransomware-as-a-Service, means that anyone can be a hacker, purchasing the ransomware/encryption for a lifetime license at $39 and making a healthy ROI. Vendors of these supporting services are able to charge such nominal amounts for the license because they often take a cut of the hacker's profits. Pricing model innovation!
Between 2015 and 2016, the average "price", or ransom asked, more than doubled from $294 to $697. Research conducted by the Ponemon Institute shows that victims of ransomware attacks have a high willingness-to-pay, with 48% of respondents saying their company paid the ransom, $2,500 on average. For most businesses, the driver behind the high willingness-to-pay is the opportunity cost of downtime (which can cost anywhere between $5,000 and $20,000 per day) and loss of reputation. Furthermore, at the higher end of the spectrum, attacks are increasingly targeted at the types of companies that generate the highest ROI.
Over the past couple of years, targets for ransomware attacks have been segmented by regional attitudes towards cyber-threats (which inform willingness-to-pay) and the nature of the data at risk. Businesses operating in different global regions display starkly different patterns of behaviour. For example, 97% of American businesses don't pay the ransom, but UK businesses are more likely to pay. Consequently, UK businesses are on average asked to pay much higher ransoms: one-fifth of British companies are charged $10,000 (considerably higher than the $2,500 average) and 3% of UK companies are charged upwards of $50,000.
Data is incredibly valuable, yet the downside risk of exploited data is exponentially higher. As businesses and hackers both race to find new and innovative models to "monetize" data, the burden of risk has shifted from mostly individuals to both businesses and individuals. It remains to be seen how the downside cost of data risk and the price of security will be incorporated into new IoT-driven business models. Working out fair ways to share these costs between businesses and consumers will be critical to scalable business models that do not attract regulatory responses.