Updated on June 9, 2016
It’s a good time to be a cybercriminal. There are more victims to target, there is more data to steal, and there is more money to be made from doing so than ever before.
It would seem to follow, then, that there’s been very little progress since 2007, when hackers stole at least 45.6 million credit-card numbers from the servers of TJX, the owner of TJ Maxx and Marshalls, catapulting the now-commonplace narrative of the massive data breach to national prominence.
But the truth is that the forces of cyber law and order have made lots of headway in the past decade. There are still large-scale data breaches, but credit-card companies are getting better at detecting them early and replacing customers’ cards as needed, payment networks are pushing microchip-enabled cards that render transaction data worthless to criminals, and law enforcement has gotten smarter and savvier. Just ask Albert Gonzalez, who masterminded the TJX breach and is currently serving a 20-year prison sentence.
The biggest shift in the past decade is that it has gotten much less profitable to do what Gonzalez did—namely, steal millions of payment-card numbers and sell them to fraudsters. According to the cybersecurity firm Intel Security, the price of a stolen payment-card record has dropped from $25 in 2011 to $6 in 2016. “We’re living through an historic glut of stolen data,” explains Brian Krebs, who writes the blog Krebs on Security. “More supply drives the price way down, and there’s so much data for sale, we’re sort of having a shortage of buyers at this point.”