Report Finds that PII Data Is Much Less Valuable to Cybercriminals than IT Professionals Think
Trustwave released the “Value of Data Report,” a sponsored research report conducted by industry analyst firm Quocirca. The global study includes a survey of 500 information technology (IT) decision makers in the United States, Canada, United Kingdom, Australia and Japan, examining attitudes towards the value of confidential data including: personally identifiable information (PII), payment card data, intellectual property (IP) and email. It reveals significant differences both in the level of vigilance applied to assessing and mitigating risk and in the relative value attached to various types of data by different verticals (including the hospitality industry), countries, and stakeholders.
The report found that the hospitality industry places the most emphasis on securing PII data. This is unsurprising given the amount of fanfare that has been made recently regarding hospitality's need to lock down PII data. However, this report indicates that hospitality professionals and others are overestimating the importance of PII data to cybercriminals. Instead, criminals consider PII a cheap tradable commodity compared to the higher values placed on it by data controllers, regulators and insurers. According to the report, overall criminal resale values for PII on the black market are less than 5% of the value that enterprise security professionals estimate them to be worth. It goes on to state that cybercriminals are, on average, willing to pay $39 for a PII record. However, IT professionals seem to believe that same record is worth $1,198, while insurers believe it's worth $3,211 and regulators believe it's worth $8,118. Data controllers have little idea their PII records are being sold so cheaply. Their own estimates of criminal resale values are much closer to their own valuations than to reality. This isn't just true of PII data; it's true of all data being sold on the black market. For instance, for a payment card record, data controller estimates averaged out at around 60 times the actual criminal value. For a single banking record, it is 2,000 times more than the actual criminal value.
The more value that is placed on something, the more vigilance might be expected to go into caring for it. Unfortunately, the report found this is not the case for the hospitality industry. According to the study, retail and hospitality had the lowest data risk vigilance score compared to other sectors, which is worrying given the amount of consumer data they handle and store.