INTELLIGENT ENTERPRISE SECURITY
After finance threat actors
turning to healthcare
Bulk theft of medical records is a relatively new cyber trend and the pricing model
is still to get established in the underground market.
F
inancial data, such as payment card
information, has many established
markets. The going price for a
single record of information, full package
of an individual’s identifying information,
with names, social security numbers,
birth dates, and account numbers —
ranges between $14 to more than $25 per
record. Less established sellers have low
introductory prices. Intel Security has
recently seen around $20 per record for
small-scale purchases.
Wholesale prices can be even lower, as
low as $3 per card sold in bulk. Medical
records, on the other hand, appear to be
highly variable and range from a fraction
of a cent to $2.42 per record. This price is a
significantly lower than individual payment
card prices but only slightly less than
wholesale card prices.
Do these prices mean medical data is not
worth as much as financial data? Perhaps,
but the markets are different. Some sellers
have taken advantage of parallel markets to
increase their profits. On the underground
market forum AlphaBay, the user
Oldgollum sold 40,000 medical records for
$500 but specifically removed the financial
data, which was sold separately.
Oldgollum is essentially double-dipping
to get the most from both markets.
Financial data can also be sold in individual
records or in bulk. Medical data appears
to be sold only in bulk at this time, which
reduces the per-record price to something
near the wholesale prices of cards.
Certainly, medical data adds value to the
transaction. The sellers aim to ensure they
extract maximum profit from both markets
and do not expect to sell at a premium to
either side.
40
Financial data is not the only type of data
Intel Security can use to compare market
dynamics. Take, for example, two recent
social media account dumps, both selling
in bulk between 65 million and 167 million
accounts, but also gaining only fractions
of a penny per record. Even more recent
leaks involving Bitcoin forums have similar
per-record pricing. Our findings on medical
data exceed this amount but do not yet sell
at the rate of established markets such as
payment cards.
The stolen medical data still appears to
be taking shape, but the current ecosystem
already has a higher per-record value than
in markets of non-financial account data.
Issue 02
INTELLIGENT TECH CHANNELS