The Equifax hack released the private information of tens of millions of people into the hands of criminals.
Now what happens to it?
The Equifax breach included names, Social Security numbers and home addresses. Those are valuable details for criminals who want to drain bank accounts or commit tax fraud.
In fact, it’s common for criminals to buy this kind of information.
It’s sometimes stolen on a much smaller scale, and the public never hears about it. Other cases, like hacks at health insurer Anthem and the federal Office of Personnel Management, face a lot of public scrutiny.
“This is something that’s been really a focus of cybercriminals for quite some time now,” said Roman Sannikov, director of Eastern European research and analysis at security firm Flashpoint. During the housing boom last decade, he recalled, criminals used “personally identifiable information” from data breaches to take out fraudulent mortgages.
Related: Cybercriminals can take a class on stealing credit cards
Criminals sell stolen personal data on the dark web via sites accessed through special software called Tor, which are not readily accessible for most users of the Web. These websites specialize in facilitating an illicit economy, from drugs to stolen identities. Law enforcement recently shut down two of these websites — Hansa and AlphaBay — but lesser-known sites are still active.
Researchers have not seen Equifax-specific data circulating on the dark web yet or an uptick in social security numbers for sale. But there’s already a thriving ecosystem built around buying and selling human identities.
And this data is cheap. Individual Social Security numbers may run a few dollars. A family’s Social Security numbers — two parents and a child, let’s say — cost $10 on one marketplace. Information sold as a family unit is more valuable for tax fraud.
“I’ve seen people talk about getting sources from local hospitals, local employers, or talk about having access to law enforcement databases,” said Emily Wilson, director of analysis at data intelligence firm Terbium Labs.
Wilson says dark web criminals often have consistent access to breaches not yet exposed to the general public. In one case, she said, a criminal boasted about having open access to patient data at a local hospital and told interested buyers they could provide identities with specific age ranges.
Related: Equifax’s legal and government troubles keep piling up
Many vendors trade in what’s called “fullz,” or full identity packets. This includes someone’s name, date of birth, Social Security number and credit card info. These can cost $20 or less. Some fullz with criminal or medical history, financial data and past addresses can cost over $100.
It’s not just identities that are bought and sold — vendors also sell guides explaining what to do with personal data, like how to commit tax fraud or open a fraudulent bank account.
One packet viewed by CNN Tech teaches criminals how to run background checks and find personal data on people whose identities they stole. Some packets also describe using social media sites such as Facebook, Instagram and Twitter to find dates of birth, personal anecdotes or other information that can be used in security questions.
So what about the Equifax data?
No one knows the identity and the motives of the person or group behind the Equifax hack. If they intend to sell the data, Wilson said there are people who would be willing to pay a lot of money to keep it out of the mainstream and slowly take advantage of it.
“I wouldn’t be surprised if we actually don’t see this surface as a dataset for sale,” Wilson said. “We are more likely to see the fallout of this for the next few years and potentially decades.”
Criminals might be taking advantage of their peers, too. Sannikov says some might try to defraud others by selling fake Equifax databases.
There are steps people can take to protect themselves now and in the future when other breaches happen. Keep an eye on your credit score, and sign up for credit monitoring services that can alert you to fraudulent activity. Practice good tech hygiene, like not reusing passwords.
“Most people’s information is stolen on a regular basis,” Sannikov said. “It’s not the end of the world, but you always have to be very careful.”