Infosec 2010: What is lost data actually worth?

How much is your personal information worth to a criminal?

With the Information Commissioner's Office (ICO) now able to fine firms up to £500,000 for any data losses, and more information than ever being stored, the safeguarding of that data is a major concern for all businesses.

But what is lost data, such as credit card numbers, customer databases and financial information, actually worth, particularly to the criminal fraternity?

A mock data auction at Infosec 2010 aimed to provide some answers. Several lots of data were up for bidding, and a panel of industry experts was on hand to provide some thoughts and valuation estimates.

Audience members voted using keypads on what they believed the data to be worth, and the highest, lowest and average figures were displayed on a large screen.

Lot one was credit card information on 100,000 people including PIN, date of birth and mother's maiden name. Perhaps surprisingly, the average bid from around 50 members of the audience came in at just £869,250. The highest bid was £10m.

Michael Paisley, head of information security and business resilience at Santander, said that his company would not see the loss of information of this nature as financially very troublesome, as it would merely re-authenticate the information as issues were reported.

However, he said that the reputation damage of such a loss would be much more significant, and that media and public reactions to such incidents are often far more costly than simply replacing credit cards and PIN details.

Geoff Harris, president of the Information Systems Security Association, said that, based on figures from the Dark Market forum, credit card information of this nature usually sells for around £3 a time, making roughly £300,000 for the information up for auction.

Martyn Croft, chief information officer for The Salvation Army, pointed out that stolen credit cards are often tried out on charity donation sites as an easy way to test cards without arousing suspicion.