Over the past decade, the increase in highly sensitive data breaches has saturated the underground marketplace with stolen identities and consumer data, providing a continuous flow of commodities that encourages and sustains fraudulent activity and identity theft.
Analysis by Bitdefender’s Digital Identity Protection service shows that 39.71% of users have between two and 11 personal data entries exposed online, and nearly 57.57% have more than 12 data points publicly available.
Although the severity of personal data exposures varies from one individual to another, the overwhelming shift to digital platforms that require creation of a user profile generates a seemingly perpetual hunting ground for cyber crooks.
The data entry points left behind during the creation and use of platforms are highly exploitable by scammers and fraudsters who take advantage of careless exposure of personal data to conduct highly profitable attacks on unsuspecting victims.
Here’s a look at the top trends in data point exposure, according to the latest Bitdefender telemetry analysis:
- 26.40% for URLs
- 20.54% for jobs
- 20.02% for home or physical address
- 7.43% for names
- 6.93% for gender
- 5.58% for education
- 4.61% for usernames
- 3.01% for emails
- 2.67% for date of birth
- 1.53% for phone numbers
- 1.27% for user IDs
Check if your personal information has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection tool, using only your e-mail address and phone number. The dedicated online privacy service proactively scans the web for data related to the information provided in the onboarding process so that you can start making more privacy-focused decisions to protect against fraudulent attempts.
From data breach to dark web marketplace
Stolen personally identifiable information (PII) is primarily traded over the internet via auctions and private sales on the dark web. A free market economy for consumer identities is of particular interest to fraudsters specializing in identity theft-related schemes via hijacked Social Security numbers, bank accounts, and credit card numbers.
For example, valid bank account numbers with balances between $11,000 and $19,770 currently sell for $58 and $98, respectively, on one marketplace. These underground shops promoting stolen personal data have also evolved among the fraud community, offering a fully fledged shopping experience complete with shopping carts, customization options and even customer reviews.
However, more than just highly sensitive data is up for grabs on the dark web. The underground retail market caters to any malicious needs, monetizing everything and anything from publicly available phone numbers and birth dates to Netflix accounts and gift cards selling like hotcakes.
Of course, the value of stolen information is determined by how generous and ‘fresh’ the data is, as it can be monetized long-term. Furthermore, stolen PII has no expiration date, and can remain indefinitely on the dark web, being sold and resold to the highest bidder. Its value may diminish over time, but victims are at permanent risk.
The identification and pursuit of a profitable target can be challenging and time-consuming for the criminal. However, fresh batches of PII are always available for purchase or perusal in every nook and cranny of underground marketplaces.
The chronic acceptance of data breaches
Even though 11 billion records have been exposed in data breaches over the years, consumers’ response to incidents does not suggest a meaningful improvement.
Users have become accustomed to data breach exposure at an alarming rate over the past decade, often ignoring the risks and enabling opportunistic threat actors to exploit their information with little hassle.
An analysis of the Digital Identity Protection community revealed that 21.46% of users have appeared in one to five data breaches since 2010. Moreover, 14.26% of users have had personal information exposed in six to 10 data breaches, while 19.28% were compromised in more than 10.
Pandemic-driven data breach crisis
While the pandemic wreaked havoc in all law-abiding industries, cybercrime flourished as opportunistic scammers and fraudsters took advantage of newly created digital identities and the overall increase in use of online platforms.
People confined in their homes became increasingly reliant on the internet to work, entertain themselves, shop and communicate with friends and family. Phishing attacks and pandemic-related scams became the norm, as malicious actors capitalized on the anxiety and fear surrounding COVID-19.
Threat actors exploited stolen identities to the fullest, using a victim’s identity to conduct further malicious acts, continuously extending the pool of targets. Under the guise of their newly obtained identities, cybercriminals can navigate the dark web, avoiding legal consequences and consolidating their business.
Unfortunately, many identity theft-related crimes remain undetected for months or even years. By the time victims notice a red flag, financial, legal and reputational wellbeing is thoroughly compromised. Potential effects include a damaged credit score, tax debt, corrupted medical records, interrupted medical care and criminal records.
Victims must endure months or years of panic and frustration with no magic bullet or quick fix to get back on track.