January 26, 2012, 1:49 PM — When Zappos notified its customers that their names, email addresses, billing and shipping addresses, phone numbers and the last four digits of their credit card numbers may have been exposed during a data breach earlier this month, the online shoe retailer emphasized that "critical credit card and other payment data was NOT affected or accessed."
That's definitely a relief. It means that the 24 million customers whose information may have been compromised in the breach don't immediately have to worry about finding mysterious charges on their credit card statements at the end of the month.
So what do they have to worry about? According to experts, the most likely security risks for consumers range from the annoying (more spam in their email inboxes) to the potentially much more dangerous: targeted "phishing" emails, in which the sender poses as a trusted individual or organization in order to trick the recipient into clicking a link that will download malware onto his or her computer, or into giving the sender confidential information such as a password, credit card or Social Security number.
The hackers who infiltrated Zappos' databases certainly accessed a bundle of information. Other breaches, such as some of the web server attacks perpetrated by hacktivists, expose only names and email addresses. Whether large or small, these breaches raise a number of questions:
- Why is this information valuable to cybercriminals?
- What's the actual, monetary value of this information?
- What's the minimum amount of information cybercriminals need to perpetrate their misdeeds?
- When a company gets hacked, how long does it take before cybercriminals start exploiting the information they obtain?
- What's the risk to consumers when cybercriminals get this information?
- What are the odds of those risks occurring?
Why is this information valuable to cybercriminals?
Personal information is the currency of the underground economy. It's literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money.