Dan is a 20-year veteran of the ICT industry, working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com, Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
What your personal data is worth on the dark web
How much is your personal data worth? It all depends on what cybercriminals can get their hands on, and who they can sell it to. But any personal data has value, and there’s always a buyer for illicitly sourced personal data. While selling your personally identifiable information (PII) is just a quick buck for hackers, it can have disastrous consequences for you. Let's take a look at the going rate on the dark web for your passwords, credit card details and more. The prices may shock you.
Cybercrime and your personal data
If cybercrime hasn’t directly affected you, it will have touched someone you know. According to the Australian Institute of Criminology, 25% of Australians have suffered the misuse of their personal data, with 12% experiencing identity theft in the last year. Four out of five of those lost actual money – an average of just under $4,000.
This stolen information may be gleaned from scams directed at you, including phishing emails and malware. It can also come from attacks on companies who hold your data, with Uber and Services Australia recently reporting breaches.
Once criminals have the data, they’ll want to make a profit from it – and the best place to do that is on the dark web.
Introducing the dark web
The dark web is an unregulated, unlisted part of the internet that is only accessible via hidden networks such as Tor. Whistleblowing sites and social media exist on the dark web. But, thanks to encryption that keeps its users anonymous, so do marketplaces for stolen data, pornography and drugs.
On the dark web, cybercrime transactions are often brokered by faceless middlemen, who get reviews just like regular online traders – although that doesn’t stop them sometimes scamming the scammers and selling fake personal data. Given the nature of the dark web, prices can be hard to benchmark, but recent research reported by organisations such as Privacy Australia and Privacy Affairs reveals what the average prices are like – as well as what’s going up in value.
The cost of passwords and credit cards
At the bottom of the scale are social security details and common passwords, which used to sell for a few dollars, anywhere from $10-$25. Generally, passwords for banking or business accounts cost more, but recent trends show that prices are going up even for passwords not associated with financial sites. Criminals understand that many people use the same password for online shopping and social media as they do for online banking – meaning your Instagram password could translate into a big payday for a seller. Gmail sign-in details can go for over $100, partly because many people access numerous sites with their account via Single Sign-On.
Credit card details can vary hugely – a simple card number with a CVV might cost $20 or less, but with more personal details that figure can easily triple, and cards with a credit limit of $5,000 can go for over $200. Rates for credit cards are rising slowly, and complete “fullz” – bundles that package credit card info along with birth dates and social security numbers – are especially prized.
What’s the most expensive data?
Leaked documents remain highly valued commodities. In May 2021, a NSW driving license scan was listed for $20, and a Russian passport scan at $100. Physical passports are typically on offer for between $2,000 and $7,000, making them the highest priced items on most marketplaces.
But digital accounts dominate. PayPal account details and transfers are among the most commonly listed products, with costs again linked to the account balance – a criminal might pay $30 for an account with hundreds of dollars in it, or $120 for one with $1,000 or more. An eBay account with a good reputation can easily go for over $1,000. Cryptocurrency accounts are generally even more valuable, and a hacked Blockchain account can cost upwards of $300.
The value of Netflix and pills
Some hackers are especially eager to get their hands on medical records, large bundles of which can go for thousands of dollars. These are valuable both because they are packed with personal data that can be exploited, and because they're used to claim treatment, medicines and insurance payouts. We talk more about the implications of hacked medical info in episode #66 of the ‘Get Cyber Resilient Show’ podcast, given the recent breach of the Waikato District Health Board in New Zealand.
More surprising items on offer on the dark web include subscriptions for everything from Adobe Creative Cloud memberships (around $150) to Netflix accounts ($50) and even digital newspaper subscriptions (under $10). Looks like there’s something for everyone on the dark web.
What your personal data is worth
The price a criminal pays for your data will rarely match its value to you. In some cases the theft may not directly affect you at all, especially if the data stolen is incomplete or garbled. Some hackers, meanwhile, will gather huge dumps of data, but only exploit a tiny amount of it.
In other cases your experience of cybercrime can be life-changing, and not in a good way. Huge sums of money can be stolen, and banks won’t always compensate you for your loss. Fraud also has an emotional and practical impact. You may be locked out of your accounts, and have to repeatedly convince banks and other institutions that you are who you say you are.
Simple measures that can keep you safe
Considered in this light, your data can be priceless. Yet hackers rarely target specific individuals – they’re just after what they can easily take and profit from. You can make yourself a much harder target by practicing basic cyber-hygiene and doing things like:
Changing your passwords regularly
Using different passwords for different sites, or a reputable password manager
Treating suspicious emails and websites with caution
Avoiding public wi-fi, especially if you’re checking your finances
Watching out for ATM skimmers, physical devices that let hackers read your cards
With practice, good cyber awareness can become second nature. Act with care, and you may never need to worry about what price your personal data could fetch.