Malicious hackers may be criminals, but they are also rational. They want to steal data that has a lot of value and large numbers. Attacks on retailers and hotels can yield high volumes; the attack on Heartland Systems in 2009 exposed 160 million cards, ten years later hackers stole 106 million records from Capital One, and Marriott lost records on over 500 million customers in 2016, including credit card information on over 100 million.
Those are certainly eye-popping numbers, but what are those records worth? According to Experian, if the credit cards included a CVV number, they could bring $5 each on the dark web. Theoretically, these are $500 million breaches.
Now compare that to the Baltimore-based breach at CareFirst BlueCross BlueShield.
You may not remember this 2015 breach on the health insurance provider. After all, it only yielded about 1.1 million individuals. Why would attackers target such a relatively low number of records?
Back to Experian – the significance of the attack is the quantity of records times the value per record. If the CareFirst records included diagnostic codes, employment information, and medical histories, each record could return up to $1,000 – over 200 times the value of a credit card number. This “small” breach could potentially return more than the Marriott breach.
The type of information available is what drives attacks. It’s easy to see why insurance companies are attractive targets. Learn more in our new white paper about cybersecurity for insurance companies.