CyberSecure

FOR LOCAL UNIONS

The New Gold Rush: Why Your PII and PHI Are the Hottest Commodity on the Dark Web

What if you had an asset you could sell for cash, but each time you sold it, you got to keep it? And sell it again. And again. And again …

That’s not hypothetical. That’s the business model of cybercriminals who traffic in PII (Personally Identifiable Information) and PHI (Protected Health Information). And right now, they’re in the middle of a 21st-century gold rush.

Unlike gold, oil, or grain, data doesn’t deplete when stolen. Once breached, your identity can be replicated infinitely, sold to dozens or hundreds of buyers, and repurposed for fraud schemes for years. And the most coveted “claims” in this new rush aren’t tucked in Silicon Valley or Wall Street; they’re sitting in labor union benefit offices nationwide.

Real World Examples 

When the Pennsylvania State Education Association (PSEA) was attacked, cybercriminals weren’t directly trying to siphon pension funds. They were after the vast identity datasets kept on hand: the personal information of tens of thousands of members and their families.

Same story with UNITE HERE Local 100 in New York and SEIU Local 1000. Cybercriminals were after high-quality PII and PHI: retirees’ Social Security numbers, dependent data, addresses, medical claims, and banking information for benefits disbursements.

To attackers, these offices are quiet treasure troves, often under-resourced in cybersecurity and holding data that never expires. Once inside, bad actors don’t just “take the gold,” they mint new coins. 

Why Identity Is a “Forever Asset”

Here’s what makes PII and PHI so potent: it doesn’t expire. If a credit card is stolen, the bank cancels it. The number is dead. But your Social Security number? Your date of birth? Your medical history? Those remain valid for life. In fact, in many fraud cases, identity data is abused long after the victim has died.

The Social Security Administration estimates that hundreds of thousands of deceased identities are exploited every year in everything from tax refund fraud to synthetic identity schemes. Criminals use obituaries, leaked death records, or previously breached data to resurrect identities. These “ghost profiles” are incredibly valuable: they don’t complain, they don’t freeze their credit, and they can go undetected for years.

And it’s not always one significant breach. Each piece of stolen data — a date of birth here, an address there, a health claim from a separate source — is another puzzle piece in a complete identity profile, known in underground markets as a “fullz.” Once assembled, a fullz can be reused and resold repeatedly, driving fraud for years.

On the dark web, a U.S. “fullz” can sell for $20 to $100-plus, depending on quality. Basic PII trades for less than the cost of a pizza. A complete medical record? It can command $250 to $1,000, according to 2024–2025 threat intelligence reports.

Here’s Why “fullz” Are So Valuable:

Fraud Multiplication 

One “fullz” can support multiple fraud vectors, including tax refund fraud, unemployment benefit fraud, synthetic identity creation, insurance scams, and more. Each buyer extracts a different value from the same victim profile.

Long-Tail Monetization 

SSNs and health data don’t change, unlike credit cards, which expire quickly. Fraudsters can wait months or years before cashing in, even picking up abandoned identities (including the deceased) to quietly exploit.

Industrial-Scale Operations 

Modern cybercriminals aren’t lone wolves. They operate in supply chains: initial access brokers, data harvesters, money mules, fraud specialists, and resellers — each taking a cut, just like a gold mining syndicate.

Why This Matters for Labor Unions

Labor union benefit offices sit at the crossroads of personal identity and trust. They hold troves of data that make day-to-day operations possible, but those duplicate records also make them attractive targets. Cybercriminals don’t need to guess what’s valuable; they already know what your members’ data is worth.

Unlike corporate breaches, which dominate headlines briefly and then fade, union breaches linger. The fallout can include tax fraud notices, credit denials, medical identity theft, and shaken member confidence that can last for years.

The Long Game

The story doesn’t end with the breach itself. Once personal data is stolen, it enters a global marketplace where it can circulate for years, fueling wave after wave of fraud. This isn’t an abstract risk for labor unions; it’s a long-tail threat to members’ financial security, privacy, and trust.

PII and PHI have become a durable currency for cybercriminals. The question for benefit offices isn’t if they’re holding valuable assets; it’s whether they’ve built the defenses to protect them. The U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) Cybersecurity Best Practices provide clear, actionable guidance on what those defenses should look like, covering governance, access controls, vendor oversight, participant protections, and incident response. Linking security efforts to this framework isn’t just smart; it’s expected.

Let’s build something better - together.

The Department of Labor emphasizes the importance of cybersecurity for those responsible for plan-related IT systems and data.

Don't leave your cybersecurity to chance. Ensure best practices with a comprehensive solution tailored for unions.

Onsite Logic