Symantec Corp. has released its Internet Security Threat Report Volume XIV, and the news is excellent for thieves of personal information. Symantec reports that the income received by sellers of stolen personal information continues to be high.
Credit card information continues to reign supreme, generating from $0.06 to $30.00 per record, while access to email accounts, access to proxies and shell scripts saw the biggest rises from 2007 to 2008.
A recent article by the Associated Press focuses on economic factors related to the trading of stolen personal information. Citing reasons ranging from the bottoming out of the prices, to sellers of stolen information not want to undercut each other, to the difficulty in getting PIN codes and security codes, to the renewed efforts to scam information because of a failing economy, the article explains why prices are holding steady even though thefts are increasing.
However, the most interest statistic may relate to so-called phishing scams. A study from Gartner estimated that more than 5 million persons in the United States were the victim of a phishing scam between September 2007 and September 2008, representing a forty (40%) percent increase over the prior twelve months.
Reports also indicate that the trading in financial information has become so lucrative, and apparently relatively easy, that “gangs” of hackers and traders have become more common and visible.
What this means is that one or both of these two things are happening: (1) those persons that set up phishing scams are getting even better at tricking unsuspecting people into providing their personal information, and (2) Internet users are not being nearly vigilant enough when it comes to “clicking” on emails and providing personal information online.
Issues from businesses are dramatic:
– Are employees falling for phishing scams on work computers, possibly allowing the installation of malicious software
– Are you customers being duped into thinking that your business is communicating with them (which begs the question of whether you have educated your customers about information you collect through email links)
– Are you accepting payments that do not conform to the PCI Standards and/or do not request enough information to ensure that you payees are who they say they are
Mark McCreary is a partner in Fox Rothschild’s Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or firstname.lastname@example.org.