Notifiable data breaches are on the rise in Australia but most people don’t know where their stolen personal details end up or how much they’re worth, a cyber expert says.
To crooks, it’s the new gold: data in the form of Medicare numbers, bank account details, and social media passwords they can onsell.
Marketplaces have even been created on the encrypted portion of the internet known as the dark web to traffic personal information from as little as $20 for PayPal accounts to $4,500 for certain medical records.
Almost one thousand notifiable data breaches were reported in Australia last year.
The increase over the second half of 2021 alone was six percent, according to the Office of the Australian Information Commissioner.
Contact details are most commonly stolen (85 percent), followed by date of birth, passport and driver’s licence information (40 percent), and financial data like bank account and credit card particulars (39 percent).
Almost 18 percent of all breaches target the health sector, with medical records the hottest commodity. A further 12 percent occur in finance and 11 percent in legal, accounting, and management services.
However, most people don’t realise where their personal data ends up or how much it’s worth, says cybersecurity expert Lawrence Patrick from security firm Zirilio.
It’s most commonly stolen via a process called phishing, where hackers trick people into giving up access to company customer databases and then steal multiple personal files.
“Once the data is stolen, hackers sort the information into what is most valuable including details such as names, emails, passwords, personal identifiers, phone numbers, and addresses,” Patrick said.
“The data is then repackaged and sold to other hackers on the dark web on marketplace websites.”
Healthcare records sell for $400 or more, crypto account details up to $550, driver’s licences about $200, and even Facebook or Instagram log-ins $50 to $60.
Most of the data appearing on the dark web is thought to be harvested from hacks of large companies.
According to IBM’s 2021 Cost of a Data Breach Report, it takes organisations an average of 212 days to realise they’ve been hacked and 75 more to contain the breach.
“This means your personal information is out in the wild being bought and sold and traded by hackers for almost a year before the problem is fixed,” Patrick said.
So what to do?
Change passwords, Patrick says.
“It is likely your existing password has already been compromised and is being sold. Use strong passwords on your accounts and don’t re-use the same password everywhere.”
To check whether their details are already in the hands of hackers, people can search haveibeenpwned.com/ or check support.apple.com/en-au/HT212195.
Phones or browsers can also issue alerts when details are leaked, while both Apple and Google have free built-in password managers and there are several paid options with extra features.