The New Economics of Cybercrime
It’s a good time to be a cybercriminal. There are more victims to target, there is more data to steal, and there is more money to be made from doing so than ever before. It would seem to follow, then, that there’s been very little progress since 2007, when hackers stole at least 45.6 million credit-card numbers from the servers of TJX, the owner of TJ Maxx and Marshalls, catapulting the now-commonplace narrative of the massive data breach to national prominence. But the truth is that the forces of cyber law and order have made lots of headway in the past decade.
There are still large-scale data breaches, but credit-card companies are getting better at detecting them early and replacing customers’ cards as needed, payment networks are pushing microchip-enabled cards that render transaction data worthless to criminals, and law enforcement has gotten smarter and savvier. Cybersecurity is often framed as a matter of keeping up with the rapid evolution of online attacks—patching software vulnerabilities and identifying new malware programs. But cybercriminals’ most crucial adaptation in recent years has little to do with their technical tools and everything to do with their business model: They have started selling stolen data back to its original owners. To keep cybercrime profitable, criminals needed to find a new cohort of potential buyers, and they did: all of us. At the heart of this new business model for cybercrime is the fact that individuals and businesses, not retailers and banks, are the ones footing the bill for data breaches.