Emily Wilson, vice president of research at Terbium Labs, discusses why consumers and professionals should be concerned if their data is leaked on the Dark Web.
CNET and CBS News Senior Producer Dan Patterson sat down with the Terbium Labs vice president of research Emily Wilson to discuss why consumers and professionals should be concerned if their data is leaked on the Dark Web. The following is an edited transcript of the interview.
Dan Patterson: So Emily, first tell us what the Dark Web is.
Emily Wilson: So the Dark Web is a portion of the internet that’s isolated from the internet we use day to day. Most Dark Web technology was designed with privacy in mind, where criminals have used that technology to build out a vast underground marketplace of all sorts of illicit goods. We’re talking about stolen information, drugs, counterfeits, you name it.
Dan Patterson: So we’ve heard horror stories about the Dark Web being populated with guns and with drugs and with other terrible activities. After every major data breach there’s also a proliferation of data on the Dark Web. But next to guns and drugs and hit men data seems fairly small scale. What’s the harm of data being leaked on the Dark Web?
Emily Wilson: I think the harm is twofold. One, I think people consistently underestimate the harm, and that’s a battle we have to fight. It’s really hard for people to make these digital threats tangible. We understand the danger of someone is selling drugs in our neighborhood or has guns or if someone has a key to our house. But what does it mean if somebody has our credit card information? What does it mean if somebody has my social security number? What does it mean if I was caught in the Equifax breach? That’s one, is it seems innocuous and so no one is doing anything about it. The other harm here is that data is transmitted very quickly. There’s no ship time. Criminals buy it. They get it instantly and they can cash it out. And data is often good for a long time. If somebody uses your credit card and there’s a fraud alert, they’ll get a new credit card number. That’s a loss to you and it’s annoying but it’s not too bad. What about your social? What about your name? What about your address or your drivers license numbers? These are data points that can be exploited for decades or for a lifetime.
And once that’s out, it’s nearly impossible to get it back.
Dan Patterson: So high-profile individuals, like say journalists, but higher-profile people like politicians, famous actors, that type of thing, okay, I understand why their exposure on the Dark Web is a bad thing. But why is it bad for ordinary people, a regular person, if your data is leaked and it likely is leaked, why is it bad that that information is on the Dark Web?
Emily Wilson: It might seem like it wouldn’t be a problem because criminals are going after your credit card or your bank account but these are isolated incidents. Well we have to understand though is that this has become a profession. The Dark Web has provided the raw materials that these fraudsters need to build out scalable criminal empires and they’ve done that. And so it’s not just isolated issues. We’re talking about opening hundreds of new bank accounts or thousands of credit cards. We’re talking about identity theft of hundreds of millions of people including children. This is a real problem and people need to understand the scale of the issue. Because it means that as an individual criminals maybe aren’t targeting you, but once your data is in the mix you’re just another cog in the wheel. You’re just another resource.
And data is often repackaged, resold, re leaked which means if you’re exposed once it’s going to be used hundreds, thousands, maybe even millions of times before all is said and done.
Dan Patterson: Does data ever get old? Does it expire? Do hackers need a fresh supply of data?
Emily Wilson: It depends on the data type. Some data does get old. Some data expires. Examples of those would be things like credit cards. They might be shut down or they might actually expire and you get a new number. Other data types can expire or can get old. Things like passwords or email addresses, things that you might change or that you might not use anymore. Things that may no longer be valid. And then there are other data types. Socials, names, addresses, biometric information potentially. That data is valuable for years to come. And especially when it comes to things like social security numbers. Criminals don’t need a lot else to make that profitable.
Dan Patterson: Who are the threat actors here? Who is stealing information? Is it the lone wolf stereotype of kid in his basement with a hoodie? Are these nation states? Is it organized crime? Is it all of these? Who are the threat actors?
Emily Wilson: Sure. So it could be kids in a basement somewhere. It could be nation states. It could be organized criminal groups. It could be organized criminal groups that aren’t even regionally based. It could be components and contractors from around the world. One of the things here is that the Dark Web makes resources widely available for people to learn how to commit different types of fraud. Or how to commit different types of cyber crime. It doesn’t just provide the raw materials you need. It also provides step by step instructions and a whole community of other fraudsters who are willing to help you out.
Dan Patterson: So on the other side of that coin, who’s the marketplace of buyers?
Emily Wilson: I mean it’s a profitable industry unfortunately. We talked about there not being a lot of resources being put towards these issues right now because guns and drugs and other issues are getting more air time. Fraud is something that most financial institution consider a cost of doing business. So criminals know they can continue to exploit that information. Which means buyers are people who have been doing this for years, people who are just getting interested. It might be new recruits from criminal organizations. I mean the thing about criminal organizations here that we have to remember is why on earth would they spend their own proceeds to fund this kind of crime if they could be spending my money or your money. All of this financial fraud isn’t just going to buy new TVs or to buy drugs. It’s being used to fund criminal enterprises.
Dan Patterson: What is the value of data of individual records and of full dumps? Is it cheap? Is it expensive? Does it matter if you’re attacking a journalist versus a celebrity versus an anonymous person on the street? What’s the value of personal data?
Emily Wilson: Personal data is incredibly affordable. And again it’s not as though criminals are spending their own money to buy this. We could be talking about records of full personal information records, credit card numbers, account user name password, your name, your address, your mother’s maiden name, your date of birth, all of that for just a few dollars. The question about whether or not someone is going to be able to get access to a high profile individual, high profile individuals would be more expensive in that it’s a different kind of data. It’s a different type of service. Most criminals when they’re going in they’re buying information in large batches so they’re buying a bunch of credit cards or a bunch of voting records for example. They don’t really care who they’re getting or where they’re getting it from because it’s just being plugged into a big fraud system.
If you do want to pay for services to attack an individual or go after a specific individual, those are available in an isolated capacity but they are there and they would cost you a little bit more.
Dan Patterson: All right, last question. Let’s say website X is hacked tomorrow just like a million websites and in fact this year we’ve seen Fortnite, Dunkin’ Donuts, the Dow Jones company, all major websites, right? I’m probably fairly blasé when I hear about this. Should I care and if so, why?
Emily Wilson: It can be difficult when we get news every other day of another major website that’s had hundreds of millions of records breached. We even have a name for it. We call it breach fatigue. Consumers in particular have a difficult time processing that information because what can they do about it. We as a country still have not figured out what justice looks like when a major organization is negligent in its security and exposes hundreds of millions of individuals. So what are consumers supposed to do if even the federal government isn’t empowered to do something about it? You as a consumer you should care because again every data breach chips away at your individual privacy and security. It’s not an abstract concept. It’s something that’s going to continue to impact people for generations to come. And people need to care about it because if people don’t care, companies won’t care. And if companies don’t care, the government won’t care. And someone has to start caring about this because it’s already a really big problem.