What Happens to Stolen Personal Data?

Thieves sell it to other thieves in a vast underground market

Q. What happens to the personal information that's stolen by online scammers? Do the same people who steal it then turn around and try to drain the accounts of each victim?

A. The people who run those info-theft operations sometimes do go after the money of the victims. But more often their mass-mailings — such as recent emails that tricked people into downloading data-stealing software by promising photos of the Osama bin Laden raid — are aimed at gathering information for sale on a huge cyber-crime black market.

Its inner workings were exposed in a recent report by security software vendor Panda Security. Posing as cyber criminals, Panda's people infiltrated the online marketplace and found that a wide variety of illicit personal information, as well as goods and services, was for sale on Internet forums and at 50 online stores frequented by scammers from around the world.

Buyers buy the data to avoid the risk and trouble of having to steal it themselves.

Email lists for mass mailings of spam emails go for $15; stolen credit card numbers sell for as little as $2 each. Prices jump to $80 to $700 per account number if there are additional details or a "guarantee" of a high credit line. Records detailing past online transactions and PayPal payments fetch $1,500, reports Panda.

Much of this information is pilfered through some 63,000 "malware" threats that happen each day, says Panda, most of them carried out by organized crime rings.

The rings employ a variety of personnel:

  • programmers who develop the information-stealing software that computer users unwittingly download. As the bin Laden scam proved, this software can be quickly prepared, thanks in part to what Panda calls pre-prepared kits for sale online;
  • distributors who trade in stolen data;
  • "money mules" who complete wire transfers between the bank accounts of victims and scammers.

For commissions of 10 to 40 percent, some thieves provide money-laundering services.

Panda also found deals on various cards and hardware that scammers use. Cloned credit or debit cards start at $180. Machines that make duplicate plastic go for $200 to $1,000. And there are even fake ATMs, which capture the data and PINs of debit cards that unwitting people stick into them. The machines begin at $3,500 — with free delivery — but rise to $35,000 for the best models.

Sid Kirchheimer writes about consumer and health issues.