The data breach at credit-monitoring agency Equifax is, to put it plainly, a heaping, dangerous trash fire. It took Equifax more than a month to disclose that 143 million records — that’s nearly half the U.S. population — including Social Security numbers, had been compromised. As if that wasn’t bad enough, the breach contained hundreds of thousands of credit-card numbers, too. If you’re worried you might have been affected, you can check here (and sign up for a free year of credit monitoring being offered by Equifax). But you might also be wondering: What’s going to happen to all that data?
As it happens, there’s a well-established game plan for what hackers do with astronomical amounts of personal data, but the short and the long of it is: They sell it. Like safecrackers, hacker groups concentrate their efforts on getting in, getting the goods, and getting out. They don’t have the resources or know-how to weaponize the data they’ve obtained, and it’s quicker and more efficient to just sell it to someone who does. How these sales work varies, but generally the database of identities is sold — either in parts or in bulk — to whomever can pay the price. And the price is determined by the value of the identities inside.
The Equifax records would qualify as what’s termed among hackers and black markets as “Fullz” records — name, date of birth, address, SSN, and more. Individual identities are sold online, but they’re not sold by advertising the name of the victim. They’re advertised by the quality of the identity: a higher credit score or bank balance means a higher price tag. These records are useful for people attempting run-of-the-mill identity or credit-card theft, but they’re not useful for anyone trying to target a specific individual.
But the Equifax database is so enormous that the hackers who stole it are unlikely to have the ability to break it down in a systematic way into individual records that could be sold. More likely, the entire database will be sold at once, which, given the size of the Equifax breach, would cost in the hundreds of thousands of dollars, if not millions. An individual record of an American usually falls in the two-digit price range; multiply that by 143 million, apply a discount for purchasing in bulk, and you still get a hefty price tag that puts the data set out of the reach of everyone that’s not a well-funded spammer, hacker — or intelligence operation.
For comparison, take the Yahoo! hack, in which 500 million accounts were stolen by hackers in 2014. Last August, a cybersecurity firm found that three people or organizations had each paid about $300,000 for the bulk data obtained by the hackers. Those three buyers were “two known spammers and an entity that appeared more interested in espionage.” Spies want information like the kind leaked in the Equifax or Yahoo breaches because it can be used to compromise certain targets — DNC employees, say. If email account passwords were cracked, the huge store of data might be useful for a practice known as credential stuffing — seeing if someone uses the same login info on multiple accounts (which, like, everyone does). Or, if you have a certain person’s name, email address, and Social Security number, you could talk your way into a password reset or another kind of account access across a number of services.
What this means is that it’s hard to tell when, where, or how the leaked data might be used against victims. And the structure of stolen data sales (not advertised by victim name) and the economics of it (data sold in bulk at high cost) means that it’s incredibly difficult to take preemptive action against identity theft. The sheer size of the data can lend false hope that hack victims are unlikely to be chosen as a identity-theft victims — but the only real solution is monitoring banks accounts and credit reports to make sure that nobody is misusing your information and then taking swift action if they do.