If cyber criminals have a Holy Grail, it’s your fullz, or your full set of personal information. And they’ll go to great lengths to get it.
Since 2005, more than 6,000 companies and organizations have reported breaches. Judging from prior trends, about half of those breaches likely involved the exposure of sensitive information, where consumers’ names are paired with additional data such as addresses, phone numbers, birth dates, Social Security numbers, and health records. In just 2015, for example, nearly 165 million records containing Social Security numbers were compromised in 338 breaches, according to the Identity Theft Resource Center.
Cyber crimimals are focused on bringing together an individual's full information to facilitate identity theft, allow the purchase of goods and services on the Internet, and enable criminals to open new accounts in a victim’s name. Fullz are also for sale in underground markets and the dark web, ranging in price from $15 to $65 for a U.S. citizen’s complete record, according to data collected by security services firm Dell Secureworks.
“Anything you can purchase on the Internet, or applying for any type of bank account or credit-card account, that’s pretty much what you would use a fullz for,” said Shawn Cozzolino, a senior intelligence analyst with Dell Secureworks. “As the Internet grows, and more and more services requires information, pretty much all your information is going to be out there.”
While the security industry is focused on preventing breaches, criminals are focused on extracting value from the stolen data. Like a business building a profile of a customer, criminals are trying to create a complete digital dossier on potential victims. For high net-worth individuals, such profiles can fetch a premium. In one survey of a dark web, for example, a researcher found criminals selling someone’s data for more than $450.
People are not the only target of identity collection. Fairly complete dossiers on businesses, primarily Russian businesses, can be bought for 40,000 to 60,000 rubles (about $547 to $822 currently), according to Dell Secureworks’ report. The files include the company’s original articles of incorporation, lease agreements, and tax identification number.
Data into dollars
“Fullz is the treasure trove,” said John Shier, security advisor at Sophos. “If you have someone’s name and address, that is still valuable, but at the end of the day, the more info you have, the more it is worth.”
The problem with fullz is that the harm is not obvious, and many people will not feel the impact for many years, if ever. While about a quarter of Americans have been notified of a breach, only 11 percent have actually stopped doing business with the hacked company, according to the RAND Corp., a private research organization.
People should pay attention to breaches and which pieces of their personal information may be at risk, warned Lillian Ablon, cybersecurity and emerging technologies analyst at RAND. The theft of this type of information “is incredibly alarming,” she said. “Unlike a credit card number which can be changed, Social Security numbers and health information are hard to change, or cannot be changed. I cannot change my blood type. I cannot move my house, just because someone got my address.”
Also, because consumers do not immediately feel the pain of a breach, they are not calling for change, said RAND’s Ablon. “Because there has not been rampant identity theft, like there has been financial theft, there has not been that pain,” she said.
Overall, the industry needs a better solution. While many companies have suffered millions of dollars in damages from breaches, and some CEOs have lost their jobs, the industry is set up to punish the breach of credit-card information much more rigorously than the breach of immutable personal information.
The problem will only get worse. Attackers are focusing more on combining personal data with health information as a way to conduct healthcare fraud. Information taken in breaches of healthcare firms is now finding its way into fullz, according to Dell Secureworks.
“We have seen a huge spike in healthcare information being sold on the Internet,” Cozzolino said. “Both in the English and the Russian spectrum, we are seeing more and more.” Such attacks could cause healthcare firms to wrongly charge consumers for undelivered care, and they could also adulterate patients’ healthcare records.
Making your fullz hard to find
Because a person has very little control over whether their information is leaked in a breach, consumers should focus on the next step in the criminal’s chain of crime: Their use of the information to make money.
Consumers should do as much as they can to make it difficult for the criminals to use their information. Using a password manager, for example, allows consumers to have complex passwords and not reuse them across sites—two properties of a good password that limits the damage from a breach.
Financial tools are available as well, said Dell Secureworks’ Cozzolino. “Monitor your accounts and your credit scores,” he said. “That can give you an early warning.”