We need to talk about the children.
When we think of data breaches, we immediately, instinctively think of adult data. Adults are active consumers, embedded across different tiers and layers of the digital world. Children are typically insulated from these interactions—they’re under the protection of their parents, free from the complications (and compromises) of the system.
Or so they should be.
In recent years, child data has begun to circulate more regularly in the dark web fraud communities. This data marks the beginning of a new commodity in the criminal economy, with far-reaching consequences.
In late December, Terbium Labs discovered a series of listings advertising child data for sale on a handful of major dark web markets. These listings, all from the same vendor, promote “Kid Fullz” as part of the vendor’s “NEW STOCK DECEMBER 2018.” The vendor offers a comprehensive package of data for each of the children exposed: name, address, social security number, and date of birth—everything a cyber criminal needs to create a synthetic identity, open up a payment account, or abuse the child tax credit (particularly convenient as we head into tax season).
Data belonging to young children comes from a limited number of possible sources: the government, medical providers, and, eventually, schools. In one “Kid Fullz” listing, the vendor notes that the data comes from “pediatrician and other medical databases.” In other listings for personal data, the same vendor claims to have “breached a very large hospital recently”—no doubt a similar exploit that compromised the pediatricians. In a disturbing nod to fraud buyers, the vendor goes on to say that these children belong to “good” families, ones that can afford healthcare services for their children.
This is not the first time Terbium Labs has detected sensitive information for children on dark web markets. Terbium Labs discovered a listing for “infant fullz” at end of 2017, offering data on newborn babies. In 2016, a listing appeared on Alphabay that grouped children’s Social Security numbers with parent details in a convenient tax fraud package. Listings for child data appear few and far between—perhaps one or two a year—but they continue to appear steadily year over year. Child data is (for now) primarily a byproduct of other exploits, as in the case of the hospital databases described above. Where child data appears in the mix of standard breaches, vendors see an opportunity to test the market for these rare, truly fresh data sets—sometimes at a significantly higher price than traditional adult data.
Cyber criminals have a distinct advantage here: no one expects identity thieves to go after children, so few watch for it. The data might circulate unnoticed for a decade or two until someone goes to open their first credit card or take out a student loan—long after the damage has been done. Child data is now a commodity in its own right, becoming a more regular feature of the fraud ecosystem. When we think about data exposure, we can’t just think about adults. When we monitor data after a breach, we need to think about the full population of users, because the fraudsters will use every record at their disposal. In a world of constant compromise, the demand for fresh data—particularly for the creation of synthetic identities and pursuit of other fraud schemes—will continue to drive vendors to new, untapped sources. Short of manufacturing a new persona from fake data, the surest way to secure a fresh identity is to seek out one that didn’t exist a few years or even a few months ago.