Why businesses must prevent their data from fueling “Fullz” packages

A class action filed in Boston federal court on August 14, 2025, against DTiQ Technologies puts a spotlight on one of the darker consequences of a data breach.  

Former employees claim their Social Security numbers and bank account details were stolen when hackers gained access to DTiQ’s systems. That kind of information doesn’t just vanish into thin air. It becomes prime material for what cybercriminals call “Fullz”—complete identity kits sold on the black market.

As a business leader, you don’t want your company’s security failures commoditized by this criminal trade. Allowing your data to end up in a Fullz package doesn’t just create liability. It enables identity theft, damages lives, and leaves a permanent stain on your organization’s reputation. And once it happens the first time, you become a target for more.

What is a Fullz package?

In cybercrime slang, a Fullz is a complete dossier of a person’s identity. It typically includes:

• Full name and date of birth

• Social Security number

• Current and past addresses

• Bank account or credit card numbers

• Sometimes driver’s license details, login credentials, or other personal identifiers

Criminals piece these data points together from breaches like the one at DTiQ. If a single breach doesn’t include every detail to be considered “Fullz,” stolen data from past breaches may be correlated to fill the gaps. Once assembled, the package allows a fraudster to convincingly impersonate a victim, apply for credit in their name, drain bank accounts, or even commit tax fraud.

Who creates them and why

Fullz packages are created by organized cybercriminal groups that specialize in data aggregation. A single breach may expose only one type of information, like Social Security numbers, but criminals combine data from multiple breaches to build out a complete identity profile.

The economics are simple. Incomplete data sells for pennies. A single Social Security number or email address might be worth less than a dollar. But a Fullz package, with all the key identifiers stitched together, can fetch hundreds or even thousands of dollars depending on the quality and freshness of the information.

Why this matters for businesses

When companies lose data, they’re not just exposing individuals to nuisance spam. They’re providing the building blocks for large-scale identity theft operations. Once data leaves your systems, it doesn’t just disappear. It gets repurposed, combined, and sold again and again.

In the DTiQ case, the plaintiffs allege that their Social Security numbers and bank details were exposed. That’s the exact mix criminals need to create premium Fullz packages. And because Social Security numbers cannot be changed, the risk to employees is permanent.

The outcomes of Fullz-driven fraud

The potential damage to victims includes:

• Unauthorized credit accounts opened in their name

• Tax refunds stolen by fraudsters

• Long-term credit score damage

• Years of effort to clear fraudulent records

For the business, the outcomes are equally grim:

• Expensive litigation and potential settlements

• Regulatory fines under state or federal breach notification laws

• Loss of trust from customers, employees, and partners

• Long-term reputational harm that impacts recruiting and retention

• Potential to be targeted in recurring attacks hoping to capitalize on your weak security posture

The takeaway for business leaders

Cybersecurity is not just about protecting your systems. It’s about protecting real people, your employees and customers, from becoming victims of the criminal economy of stolen identities. If your organization suffers a breach that exposes Social Security numbers, financial account details, or other identifiers, that data will almost certainly fuel Fullz packages.

You don’t want your company’s name attached to that. Strong cybersecurity controls, rigorous monitoring, and prompt breach response are not optional. They are essential. Because once your employees’ or customers’ data slips into the Fullz market, the damage is lasting, and your liability may only be beginning.

Protect your business before it’s too late

At ThreatLocker, we help businesses shut the door on the kinds of attacks that lead to breaches like this. From Application Allowlisting to Ringfencing™ and privileged access management, our tools are built to stop cybercriminals before they get anywhere near your sensitive data. Because the only good Fullz is the one that never gets created.

Schedule your personalized demo today.

‍