Every year, massive data breaches harm the public. The targets are email service providers, retailers and government agencies that store information about people. Each breach includes sensitive personal information such as credit and debit card numbers, home addresses and account usernames and passwords from hundreds of thousands – and sometimes millions – of people.
When National Public Data, a company that does online background checks, was breached in 2024, criminals gained the names, addresses, dates of birth and national identification numbers such as Social Security numbers of 170 million people in the U.S., U.K. and Canada. The same year, hackers who targeted Ticketmaster stole the financial information and personal data of more than 560 million customers.
As a criminologist who researches cybercrime, I study the ways that hackers and cybercriminals steal and use people’s personal information. Understanding the people involved helps us to better recognize the ways that hacking and data breaches are intertwined. In so-called stolen data markets, hackers sell personal information they illegally obtain to others, who then use the data to engage in fraud and theft for profit.
The quantity problem
Every piece of personal data captured in a data breach – a passport number, Social Security number or login for a shopping service – has inherent value. Offenders can use the information in different ways. They can assume someone else’s identity, make a fraudulent purchase or steal services such as streaming media or music.
The quantity of information, whether Social Security numbers or credit card details, that can be stolen through data breaches is more than any one group of criminals can efficiently process, validate or use in a reasonable amount of time. The same is true for the millions of email account usernames and passwords, or access to streaming services that data breaches can expose.
This quantity problem has enabled the sale of information, including personal financial data, as part of the larger cybercrime online economy.
eg: In headline of the following chart, U.S. doesn’t need periods.
The sale of data, also known as carding, references the misuse of stolen credit card numbers or identity details. These illicit data markets began in the mid-1990s through the use of credit card number generators used by hackers. They shared programs that randomly generated credit card numbers and details and then checked to see whether the fake account details matched active cards that could then be used for fraudulent transactions.
As more financial services were created and banks allowed customers to access their accounts through the internet, it became easier for hackers and cybercriminals to steal personal information through data breaches and phishing. Phishing involves sending convincing emails or SMS text messages to people to trick them into giving up sensitive information such as logins and passwords,…
