News & Comment: China sees surge in personal information up for sale

Data dump: China sees surge in personal information up for sale

NEWS: When William Zhang’s car insurance was about to expire in March, he didn’t need to look far for renewal options. In the two months before the policy was up Zhang received calls almost daily from insurers trying to sell him a new one. READ FULL ARTICLE


Terry Ray, CTO of Imperva, provided the following comments:
“This isn’t only a Chinese problem, it’s global. Data, especially long-lived data, is highly resalable, which is one reason why the sales price can be very low. This kind of data could be names, addresses, phone numbers, birth dates, mobile information, e-mail addresses, bank usage, even your insurance provider.

“Two big differences between short-lived data and long-lived data, are time to value and future value.

“Time to value for short-lived data is usually very high, think credit cards and the combination of matching usernames and passwords. These have very high short-term value, but change very quickly, especially post breach or theft of money or an account take-over.

“Time to value for long-lived data can be low to high value depending on the reliability, data type and quantity, yet this data also tends to be more widely available from multiple sources due to previous data breaches. This data doesn’t age as quickly as short-lived data, think phone numbers, home addresses, employers, etc. Standard economics of supply and demand apply here, lowering the value of this data since it’s often available from many sources and lowest price often sells well. This data is often cheap enough for buyers to purchase from multiple sources and build an large data repository.

“Future value for short-lived data expires very quickly, so while we see some data repositories of this type of data, it is usually significantly less valuable as it ages. Consider that you find a bank charge on your credit card, the first thing you do is call the bank, make claim for fraud against your account and the bank responds by replacing your credit card and number, thereby making the data stale in the breached data. This can happen quickly reducing the future value of the data.

“Future value for long-lived data like names, addresses, phone numbers, etc. lasts a very long time and can be resold for years and still have a fairly high level of accuracy.

“Why do we see this is China, mostly because they started paying more attention to it, where in the past very few companies spent much on data privacy. Even today, I would estimate that Chinese companies are 5-10 years behind Europe and United States in detective and protective controls for data. That’s not say there are no success stories of Chinese companies modeling their data security practices after more modern foreign entities, but that is the exception rather the norm.”