28 Apr 2010, Dan Worth, V3
With the Information Commissioner's Office (ICO) now able to fine firms up to £500,000 for any data losses, and more information than ever being stored, the safeguarding of that data is a major concern for all businesses.
But what is lost data, such as credit card numbers, customer databases and financial information, actually worth, particularly to the criminal fraternity?
A mock data auction at Infosec 2010 aimed to provide some answers. Several lots of data were up for bidding, and a panel of industry experts was on hand to provide some thoughts and valuation estimates.
Audience members voted using keypads on what they believed the data to be worth, and the highest, lowest and average figures were displayed on a large screen.
Lot one was credit card information on 100,000 people including PIN, date of birth and mother's maiden name. Perhaps surprisingly, the average bid from around 50 members of the audience came in at just £869,250. The highest bid was £10m.
Michael Paisley, head of information security and business resilience at Santander, said that his company would not see the loss of information of this nature as financially very troublesome, as it would merely re-authenticate the information as issues were reported.
However, he said that the reputation damage of such a loss would be much more significant, and that media and public reactions to such incidents are often far more costly than simply replacing credit cards and PIN details.
Geoff Harris, president of the Information Systems Security Association, said that, based on figures from the Dark Market forum, credit card information of this nature usually sells for around £3 a time, making roughly £300,000 for the information up for auction.
Martyn Croft, chief information officer for The Salvation Army, pointed out that stolen credit cards are often tried out on charity donation sites as an easy way to test cards without arousing suspicion.
The second lot, a 'cure' for influenza, produced some interesting discussions on the likelihood of reputable companies buying information that had clearly been stolen. The market for fake medicines is worth $75bn (£49m), and the average bid was £3.8m.
Another bid that caused some interesting debate was for a high-street retailer's customer database. The average bid was £1.16m, and the highest £10m.
However, as auctioneer Marcus Alldrick, chief information security officer at Lloyd's of London, pointed out, this is a situation that clothing retailer TJ Maxx found itself in some years ago after a major security breach. The company had to spend upwards of £50m in marketing and incentives to keep its customer base.
Other lots included 50,000 life insurance records (average bid £311,324), copies of mobile phone bills for 50,000 customers (average £456,000), all your deleted emails (average £5.96m, although an audience member argued there was no such thing as a deleted email), and the audit trail that could put your chief executive in jail, which averaged £2m but maxed out at a whopping £20m.
However, the largest bids were reserved for records from a leading credit ratings agency. The top bid hit £99,999,999 (possibly a joke) and the average was £8.3m.
Throughout the proceedings, the members of the panel offered thoughts on this data and its value, often disagreeing as to its worth owing to the potential, or lack of potential, to monetise it in any straightforward way.
Overall, the event highlighted the clear fact that all data can be considered valuable to someone, and that criminals will use it in ways that could damage individuals and the company or organisation that lost it.