How much does your personal information cost in deep web markets?
Data leaks are commonplace and billions of records are stolen worldwide every year. Most media coverage of data breaches tends to focus on how the breach occurred, how many records were stolen, and the financial and legal implications of the incident for organizations and individuals affected by the breach. But what happens to the data stolen during these incidents?
The destination of the stolen data depends on who is behind the data leak and why they stole a particular type of data. For example, when data thieves are interested in embarrassing a person or organization, detecting suspected wrongdoing, or improving cybersecurity, they tend to release data accordingly.
In 2014, North Korean-backed hackers stole data from Sony Pictures Entertainment employees, such as social security numbers, financial records and payroll information, and emails from senior executives. The hackers then posted emails to embarrass the company, possibly in retaliation for a comedy about a conspiracy to assassinate North Korean leader Kim Jong-un.
Sometimes, when data is stolen by national governments, it is not disclosed or sold. Instead, it is used for espionage. For example, the hotel company Marriott was the victim of a data breach in 2018 when personal information of 500 million guests was stolen. The main suspects in this incident were hackers supported by the Chinese government. One theory is that the Chinese government stole this data as part of an intelligence-gathering effort to gather information on US government officials and CEOs.
Stolen data is often sold online on the deep web. For example, in 2018, hackers put more than 200 million records of Chinese personal information on sale. This includes information on the 130 million customers of the Chinese hotel chain Huazhu Hotels Group.
Where does the stolen data go?
Buyers use stolen data in several ways. Credit card numbers and security codes can be used to create clone cards for fraudulent transactions. Social security numbers, home addresses, full names, dates of birth, and other personal information can be used to steal identity. For example, a buyer can apply for a loan or credit card on behalf of the victim and file fake tax returns.
Sometimes stolen personal information is acquired by marketing firms or companies that specialize in spam campaigns. Buyers can also use stolen emails for phishing and other social engineering attacks, and to spread malware.
Hackers have long been using personal information and financial data because they are easy to sell. Health data has become a big attraction for data thieves in recent years. In some cases, the motivation is extortion.
If you are a victim of a data breach
If you are a victim of a data breach, you can take the following steps to minimize the impact: Inform credit reporting agencies and other organizations that collect data about you, such as your healthcare provider, insurance company, banks and credit card companies , and change the passwords for your accounts.