My invited post on the IBM Institute for Advanced Security Expert Blog

July 27, 2011

By Marc Goodman

While businesses around the world struggle to understand how to profit from the information revolution, one class of enterprise has successfully mastered the challenge—international organised crime. Though the recent theft and hacking of tens of millions of customer accounts at Sony has garnered much attention, the attack is but the most recent example of organised criminals successfully leveraging the data deluge for their own “business” purposes.

At first glance, the exponential growth in digital information would appear to hold significant economic promise for corporations capable of gleaning new and powerful insights into their customers and the marketplace. Storage has become cheap and companies are processing and generating volumes of data that would have been quite literally unimaginable just a few years ago. For example, in late 2010 officials at the social gaming company Zynga noted that its users were generating a full petabyte (1,000,000 gigabytes) of data every day, requiring the San Francisco-based firm to add up to 1,000 servers every week to accommodate its growing Internet traffic. Nevertheless, as with all new opportunities, there are risks to be considered—the vast amount of data that is available for theft and exploitation by organised crime groups.

Easy pickings: Criminals treat the breadth of data available to them as a veritable smorgasbord of illicit possibilities and gorge themselves on the sheer number of available opportunities.

In the case of the April 2011 Sony hacking incident, the client records and personal details of 77 million customers of the Sony PlayStation Network were stolen, including users’ names, addresses, phone numbers, passwords, purchase histories and, in many instances, their credit card details as well. To add more fuel to the fire, a mere few days after the initial breach, it emerged that an additional 24.6 million customer accounts, this time in Sony’s Online Entertainment division, had also been compromised.

The numbers are staggering: all told, international organised criminals stole the personal data of more than 100 million Sony clients. But for the recent advances in information technology, when in recorded human history would it have been possible to ever steal one hundred million of anything?

Though Sony has drawn ire for its handling of the incident and the loss of its customers’ information, sadly, the Japanese conglomerate is hardly unique when it comes to criminal exploitation of big data. In 2007, hackers obtained the credit card and transaction details from 94 million customers of the TJX Companies (including T.J. Maxx and Marshalls). The largest known case of data theft to date occurred in 2009, when 130 million credit card numbers and user details were stolen via a malicious software attack against U.S.-based Heartland Payment Systems, the nation’s fifth-largest credit card processor. So much data, so much opportunity.

The criminal data underground: Organised crime groups around the world have created a vast and highly efficient underground economy in which the stolen data is exploited by networks of geographically disparate crime syndicates. Just as the modern corporation is structured by functional areas of expertise, these groups follow a similar organization.

Law enforcement authorities have uncovered data crime syndicates structured into specifically identifiable teams, each with its own area of expertise, including the generation of any required computer malware, offensive hacking and intrusions, underground sales of stolen data, creation of functional plastic credit cards coded with stolen account data for in-store purchases, exploitation of credit card data specifically for online transactions, receipt of stolen property at untraceable drop-locations, online fencing/resale of stolen goods and money laundering of stolen proceeds, to name but a few.

These specialty crime syndicates cooperate with one another with great efficiency around the globe, as any given area of required criminal expertise is contracted for in a modern underground bazaar of illicit activity. Criminals have even set service level agreements on the quality of the data stolen, guaranteeing that minimum levels of fraudulent transactions will be successful, and even provide technical support to other criminals on how to exploit any “crimeware” purchased.

In the age of big data, organised crime groups find themselves in the knowledge management business, competing daily with legitimate companies for the upper hand in understanding the data deluge. Surprisingly, in the case of the Sony hack, transnational criminals actually had better knowledge and understanding of the online PlayStation network than did the legitimate owners of the data.

The cost to business: The costs of these data breaches are rarely borne by the criminals responsible, but rather by the firms whose systems are compromised. According to a study by the Ponemon Institute, in 2010 the average cost of a data breach was $214 per record stolen. This included the costs of detecting and responding to the incident, notification of clients whose accounts were compromised, increased customer churn due to mistrust, negative publicity, erosion in corporate share price and ensuing lawsuits. Assuming the $214 figure to be correct, the Sony breach may cost the company more than $21 billion in losses, a considerable toll that will have untold impact on a marquee Japanese brand for years to come.

In the matter of the TJX breach, Attorneys General in both New York and Massachusetts sued and won cases against the company for failing to appropriately safeguard its customers’ data. Significantly, on the international front, many nations have stringent regulatory and criminal privacy statutes, such as the EU’s European Directive on Data Privacy, which attaches a number of sanctions for big data breaches. These, too, add significantly to the cost of mismanaging the deluge in customer information.

Internal threats in the age of big data: While it may be convenient to blame sinister criminal outsiders for all data breaches, the internal threat to big data cannot be underestimated. Perhaps no incident drove this point home more than the recent Wikileaks case in which more than 250,000 classified documents were exploited and stolen. The fact that a trusted, but malicious, insider was able to access hundreds of thousands of secret documents, save them to a compact disk and then post the information on the Internet, should be a wake-up call to both public and private enterprise around the world. Of course the majority of big data breaches do not result from malicious insiders, but rather through benign neglect and carelessness–employees accidentally leaving laptops with millions of protected records on subway cars or misconfiguration of information systems, exposing privileged data to public view.

The future of illegal data: Future trends bode well for international criminals. While enormous amounts of digital information are being created today by human beings as they surf the Internet and post information to their favorite social networks, imminent fundamental shifts in computing, including the emergence of ubiquitous computing and the “Internet of Things,” will yet again exponentially drive growth in big data. As companies gather more and more data from more and more devices, including tablets, RFID readers, mobile phones, location-based services, public and private cameras, alternative payment systems, smart grids, augmented realities and machine-to-machine communication, criminals will have an ever expanding pool of targets from which to choose in pursuit of their own business objective—making money from the deluge in illegally purloined data.

A news reporter once famously asked American bank robber Willie Sutton why he robbed banks. Sutton responded without hesitation: “because that is where the money is.” Though Sutton could have robbed hundreds of individuals over an extended period of time, it was more efficient for his business model to simply rob one bank instead. Similarly, in the age of big data, transnational criminals will continue to seek opportunities to profit from the information deluge, because that is where the money is.

This paradigm shift raises significant questions for legitimate businesses. Though it may be possible to store a petabyte of client information each and every day, is it necessarily a good idea to do so? Do the benefits of preserving more and more data outweigh the potential risks to the firm? In light of a highly agile and adaptable global criminal underground, the more data collected may simply mean there is more information at risk. Based upon the evidence from the egregious data breaches seen to date, it is clear that some of the most respected businesses in the world continue to struggle with these issues. Enterprises that learn to successfully navigate both the risks and opportunities associated with judiciously handling, sharing, storing and transmitting digital information will find they have a competitive advantage over their peers.

Marc Goodman founded the Future Crimes Institute to inspire and educate others on the security implications of emerging technologies such as the social data revolution, artificial intelligence, synthetic biology, virtual worlds, robotics, ubiquitous computing and location-based services. Marc currently serves as the faculty advisor for security at Silicon Valley’s Singularity University, a NASA and Google sponsored venture dedicated to using advanced science and technology to address humanity’s grand challenges. He is also the Chief Cyber Criminologist of the Germany-based Cybercrime Research Institute and a fellow at the Hybrid Reality Institute. The following article is a repost from a recent issue of “The Economist”.