Stolen personal data of UK citizens is selling for as little as £10 on the dark web, offering hackers all the information needed to carry out online fraud and identity theft, The Independent has discovered.
So-called fullz – hacker slang meaning a “full ID” package – of UK citizens are being listed on several popular online black markets. A full ID package typically contains an individual’s name, address, online passwords, banking data and other key identifying information.
Security researchers say the illicit trade of such data is being fuelled by a seemingly ceaseless succession of high profile hacks. In 2018 alone hundreds of millions of people’s data was exposed through breaches at firms including British Airways, Marriott hotels and Facebook.
Stolen information is posted on to the dark web – a hidden section of the internet only accessible using specialist software – where cyber criminals are able to buy and sell the data.
One seller operating on a popular dark web marketplace listed personal data of UK citizens for just £10 of bitcoin – the semi-anonymous cryptocurrency commonly used to carry out transactions.
The vendor offered a sample of the data available, providing the name, address, occupation, date of birth, maiden name and other details of a Polish-born woman who resides in Bristol.
Dark web analyst Simon Migliano describes fullz as “the key to online fraud” and warns demand for such data appears to be on the rise.
“This information on its own can be used to open lines of credit, such as credit cards and loans, which are then drained by cyber criminals,” he told The Independent. “There’s a whole spectrum of pricing for fullz, depending on the likelihood of profit from using that information.”
As the head of research at the security firm Top10VPN, Mr Migliano monitors the illicit trade of such information through the dark web market price index. Other data available on dark web markets include login credentials for dating apps, streaming services, online shopping sites and social media profiles.
Adding the value of all hacked data, he estimates that a person’s entire online identity would be worth around £820 if they were to have accounts at all the sites listed on the index.
Potential hackers are even able to seek out guides on these dark web marketplaces that provide information on carrying out crimes, such as a £6 “How to obtain loans guide”, which gives step-by-step instructions on how to take out a loan using stolen data.
The creator of the guide claims it can be used worldwide and does not require “special skills” to follow the instructions.
Prices for personal data can vary significantly from seller to seller, though generally the most valuable is that of bank accounts and other financial services such as PayPal login credentials. But more significant than the individual prices such data is listed at, according to one dark web researcher, is the scale of the overall problem.
“Talking about pricing distracts from the broader issue: data is for sale, everywhere, all the time, often for incredibly low prices,” said Emily Wilson, a researcher at dark web monitoring firm Terbium Labs. “We should be talking about the ease of access fraudsters have in exploiting this data, and about how the public has little to no sense of how much of their data has been compromised – precisely because of the amount of effort that goes into identifying the individual prices of identity data over addressing systemic insecurities.”
Cyber experts frequently warn that it is not a question of whether a person has been hacked, but how many times. Checking your email address on a site such as Have I Been Pwned – an online database of public data breaches, leaks and hacks – often uncovers several instances of personal information being compromised.
“Sadly, in the current age and time, no one is immune to the theft of personal data,” said Andrei Barysevich, a researcher at threat intelligence firm Recorded Future.
“In the same way we learned to accept the dangers of flu viruses and developed simple approaches to minimise the risk, we must learn very simple, yet effective cyber hygiene practices.”
Such practices include using different passwords for all websites and apps, enabling two-factor authentication on accounts that support it, and signing up for credit monitoring services that provide notifications of any changes to credit profiles.
“There’s no point in worrying about your data being stolen and sold on the dark web. It’s probably already happened,” dark web analyst Mr Migliano said.
“The key is to be sensible in your online behaviour, minimise risks and take prompt action when something does happen. The sooner you deal with compromised personal data, the easier and less painful it will be.”
How can you stay safe online?
Most web users can take a number of simple steps to avoid the possibility of having their identities stolen online.
Monitoring who you accept into your social media circles can prevent fraudsters accessing personal information stored on your profile.
Phishing emails are also a common method used by scammers in order to obtain sensitive information over the internet. If you receive an email you believe to be suspicious, the best option is to avoid clicking any links within it or opening any attachments within the message.