Small data plucked from big data is the new cash cow for cybercriminals. It’s the basis for some of the newer business models that are evolving. The motivation for these innovations is the same as it is for every organization: Criminals must seek new revenue streams as current ones begin to dry up.

One of the latest examples: A black-market seller is auctioning a database of “real and unique” personal information on 92 million Brazilian citizens. To sweeten or extend the deal, the seller is also advertising “a search service focused on Brazilians, saying that they can dig up details about an individual starting from minimum initial data,” according to a Bleeping Computer report.

Identities, credit card accounts, bank accounts and other cashable data at scale are now going for mere pennies on the dollar. Sales are down as the black market is saturated with the basics of personal identifying information (PII) at scale.

A search service and/or on-demand custom data records on specific individuals, such as this seller is offering, is likely to command a much higher price than the usual black-market goods.

comforte AG’s Jonathan Deveaux

“There’s one thing technology leaders can take from hackers and threat actors — which is the value of data.  On the dark web and underground forums, data has value — so much that threat actors are willing to commit a crime to acquire it, and then another crime to sell it,” said Jonathan Deveaux, head of enterprise data protection with comforte AG.

The seller did not reveal where the data came from but Bleeping Computer said that it was told this is a stolen government database that contains personal details on almost all Brazilian citizens.

It’s not far-fetched to think other countries will be similarly filched as the demand for custom, on-demand data points on specific individuals accelerates. After all, most countries have already seen one or more of their agencies’ databases hacked over the years. The continued onslaught of data breaches has spurred several far-reaching regulations meant to protect citizens’ private data.

“The data from the 92 million Brazilian citizens being auctioned in the underground forum would fall in the category of requiring protection under the Brazilian General Data Protection Law known as ‘Lei Geral de Proteção de Dados’ or ‘LGDP.’ Unfortunately, the law does not go into effect until Aug. 15, 2020, a six-month extension from the previous February 2020 date,” said Deveaux.

“When technology leaders adopt a stronger view that ‘personal data has value,’ they might do more or invest more to protect it and keep it private.  However, with wave of data privacy regulations popping up around the world, organizations are going to have to protect data and privacy, whether the organization considers it valuable or not.  Data privacy is shifting to focus on the consumer.  Under Article 18 of the LGDP, consumers have rights for their data, and organizations need to ensure personal data is anonymized, redacted, or eliminated,” Deveaux added.

Security professionals are recommitting to protecting data, which is no easy task…

…given the shifting nature of attacks.

“An emerging best practice among many technology leaders is to adopt a data-centric security approach, which protects personal data with anonymization technology like tokenization. Not only does tokenization allow organizations to meet compliance requirements and remain secure, but tokenization also allows organizations to securely embrace modern technology like hybrid or multicloud computing, which has been scrutinized as having major data security gaps,” said Deveaux.

There are security gaps on the user end to protect as well.

STEALTHbits Technology’s Gerrit Lansing

“It’s past time for companies to require two-factor authentication for sensitive services; it’s clear passwords aren’t enough and opt-in approaches only work for the already security-minded,” said Gerrit Lansing, field CTO with STEALTHbits Technologies.

Security pros should also consider adding to their risk assessments, the risks from on-demand data profiling on high-ranking clients and on lower-ranking client personnel whose data can be used to infer location or other info on more high-ranking personnel.