What happens to stolen data on the dark web?

We talked to two cybersecurity experts about what happens to stolen data:

From the article:

How people find out their data has been used against them

A November 2022 bulletin published by the Australian Institute of Criminology, a government agency, lays out a number of ways by which cybercrime victims have discovered that criminals were using their stolen data. They include:

  • unauthorised activity on a bank account, credit card or credit report
  • receiving credit cards in the mail they didn’t apply for
  • calls from debt collectors about unpaid bills that they didn’t recognise
  • an unsuccessful credit application when the victim’s credit history is good
  • receiving goods in the mail (such as mobile phones) that they didn’t order
  • losing mobile phone service because it was transferred to an unknown device
  • getting a medical bill for a service they didn’t receive
  • having a health claim rejected because they had unexpectedly reached their benefit limit
  • being unable to file taxes because a return had already been filed in their name.

Stay on guard if your data was hacked

  • Don’t respond to emails, texts or phone calls that appear to be from an organisation that you do business with, even if they include personal details that make them look legitimate. Instead, contact the organisation yourself to see if the communications are valid.
  • Don’t pay up in the event of an extortion attempt, where criminals threaten to publish personal details or photos of you unless you hand over your money.
  • If you think you’ve responded to a scam communication, fill out a get help form from the government-funded service ID Care.

Medibank customers have been informed that their hacked data has been released on the dark web

I think this statement is misleading because it’s not entirely true.

  • An initial tranche of customers had their data released on the dark web because the perps need to demonstrate that they have real data.
  • Subsequent tranches (maybe 2 tranches) of customers had their data released on the dark web because the perps wanted to ramp up pressure on the source company to pay a ransom.

In this case the company refused to pay the ransom.

At that point, the perps don’t just throw up their hands and release all the remaining data on the dark web. That would be throwing away an asset that has value. Instead the perps try to find a buyer for some or all of the data. If they find a buyer, the data will still not be released on the dark web. It will be copied to the buyer. (The beauty of data though is that it can be sold over and over. Finding one buyer does not preclude finding another buyer for the same data. Hold an auction but don’t sell to the highest bidder. Sell to all the bidders. :rofl: And then, also, buyers can become sellers - as your data passes through various malicious hands.)

We don’t know whether a buyer has been found. The AFP may know. Other LEAs may know. But they ain’t telling us. They ain’t telling us whether they know and what they know.

So as an exploration of “What happens to stolen data on the dark web?” the article is spot on - and of course what to do about it if your data has been involved in a breach.


I used a unique email address for Medibank Private, i.e. only given to them and never used anywhere else. Just before Christmas I received some spam to that exact address. It had never received any emails other than legitimate ones before. The data, or some of it, is out there.