The 5 Ways Our Personal Data is Stolen

Have you ever wondered how cyber criminals get hold of our personal data and what they then use it for? I’m glad you asked…read on!

The 5 Ways Our Personal Data is Stolen

  • Company Security Breaches
  • Personal Security Breaches
  • Personal Data ‘Gifted’ to Cyber Criminals
    o Insecure Websites
    o Social Engineering
    o Social Media & ‘Doxing’

Company Security Breaches

It is an unfortunate fact that failings in security within the companies we use every day, often household names, enable cyber crooks to commit crimes like financial fraud and identity theft against us. These kinds of breaches are happening all the time and some are on a colossal scale. In 2017 Instagram was hacked and lost 6 million records containing personal information about its users. Even more worryingly, Equifax, one of the three credit reference agencies, had 143 million US customers’ data stolen in early 2018. Adult Friend Finder had 412 million records stolen in 2016; DailyMotion 85.2 million, eBay 145 million, Sony 77 million, Target Stores 500 million; the list goes on. Even Uber, one of the most innovative and leading technology firms in the world, got hacked and, despite foolishly paying $100,000 to the hackers not to leak the data, it still got leaked, compromising 57 million customer records.

These are only the data breaches that companies know about and have publicly confessed to. Many industries don’t require data breaches to be formally disclosed, and most companies quite frankly don’t have the monitoring and detection capabilities to even know when they have been breached. I know – I’ve worked in them. Symantec, in their latest Internet Security Threat Report, suggest it is now an accepted practice for businesses not to disclose breaches at all. They report that whilst the number of disclosed breaches increased last year by 23%, the number of undisclosed ones rose even more, by 85%! This situation should be helped by the introduction of the General Data Protection Regulation (GDPR), which came into effect for all European countries (including a Brexit Britain) on 25th May 2018. I suspect though that the effect of this will only be a drop in the ocean, as regulators have limited resources and cannot simply investigate and fine everyone.

To demonstrate how easily accessible some companies often make our sensitive information to hackers, let’s take the example of dating website Ashley Madison...

Case Study: Ashley Madison (Adultery / Dating Website)

In July 2015, a hacking group called the ‘Impact Team’ attacked the Ashley Madison website, accusing it of unethical business practices (the website provides a dating platform for people looking to have an affair, so fair play I guess…). It actively encourages adultery and once even marketed itself with the slogan “Life is short…have an affair!” The hackers threatened that if the website wasn’t shut down, they would release the personal details of the millions who had registered (and who, by deduction, were in the vast majority having or at least looking for an affair)…

Ashley Madison didn’t relent to the blackmail and called the hackers’ bluff… As a result, 32 million adulterers’ personal details were posted publicly online. The details included names, residential addresses, credit card information and sexual preferences. You can even use certain websites to check if your partner was registered on the site! France24 reported that over 1,200 Saudi Arabian people were registered on the website. In Saudi Arabia, adultery can be punished with death. Police forces around the world have also reported that numerous suicides have occurred as a direct result of the Ashley Madison breach. You can now start to see how cyber-attacks can have a very real impact on ‘real life’.

Unfortunately, as is often the case for cybercrime victims, it didn’t stop there. Their personal information was now public, so other cyber criminals jumped on the bandwagon and started blackmailing them. One customer was contacted by an anonymous person who said: “How much is your marriage, standing in community and reputation at work worth to you? Your countdown has started”. He was asked to pay £1,000; if he didn’t, the blackmailer would contact all of his friends, family and work colleagues on social media and expose him.

There are hundreds of examples like these and they all demonstrate how out of our hands the security of our personal data is.

The scale of corporate data breaches is now such that just during the time it took you to read to this paragraph, 19,280 personal data records have been lost somewhere. The unfortunate cold hard fact is this: we have no choice but to entrust our sensitive information to corporations that don’t have the money, skills or resources to sufficiently protect it. As such, we must accept that it is inevitable that at some point our personal information will, through no fault of our own, get into the wrong hands. We therefore need to put a few things in place to be alerted when our data is breached so we can do something about it. I explore a few ways we can monitor our personal information in a post here.

Personal Data Stolen From Us

There are a few avenues by which cyber criminals steal our personal data directly from our devices without our knowing. Typically this is via malware that extracts personal information from our device (e.g. financial data, social security / national insurance numbers, dates of birth, etc.) and covertly sends it back to the criminals. Often people think malware is just irritating because it slows down our devices and causes system crashes. But think about it: how would criminals monetise malware if it were simply ‘annoying’? They couldn’t. But if they steal our personal data and then sell it on the black market to other cyber criminals, or use it to defraud us directly, then they can make a pretty buck out of it! For these reasons alone, it is imperative to have a decent anti-virus program installed on all your devices.

Personal Data ‘Gifted’ to Cyber Criminals

Why go to all the effort of hacking into people’s devices or distributing malware to do it on your behalf, if you can convince people to just give it to you? This is exactly how cyber crooks think. There are a number of ways that criminals coerce us into unwittingly giving them our personal data. By the time we’ve realised what we’ve done, it’s too late.

Insecure Websites
One way they do this is via insecure or fake websites. Identity thieves notoriously target online shopping websites, where they can intercept and steal our personal information whilst we make transactions online. For example, they create fake advertisements in your Google search results. If you click these third-party advertisements you will likely download malware onto your computer, designed to steal your personal information. Or, they create a fake website that looks identical to a legitimate one so that you submit your personal data through their bogus website. For example, they might create www.johnllewis.com (instead of www.johnlewis.com), knowing that some people won’t notice the extra “L” in the website URL and will use this fake website for their usual online shopping. When we enter our details into the fake site, we are unwittingly sending our sensitive data directly to the fraudsters.

Luckily, there are a number of things we can do to identify these types of website and protect ourselves from this kind of threat – see this specific post here on How to Stay Safe While Shopping Online.

Top Tip: Did you know the last letters in a URL (.co.uk, .uk or .com) give you a good indicator of the legitimacy of a website? Some countries are renowned for hosting fraudulent websites, including Western Samoa (.ws), Cameroon (.cm), Cocos Islands (.cc) and Oman (.om). If the letters at the end of your URL aren’t the commonly adopted ones (.com, .org, .edu, .co.uk, .uk) then be wary! The ‘Secure Browsing’ chapter explores this in more depth.
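As an added example (not code from the post), here is a Python check of the kind the two warnings above describe: it pulls the registrable domain out of a URL, compares its brand label against a short allow-list of shops you actually use (so ‘johnllewis’ is caught as one letter away from ‘johnlewis’), and flags the suffixes the post lists as commonly abused. KNOWN_DOMAINS is a constructed allow-list, and the suffix split is a crude assumption rather than a full public-suffix list.

```python
from urllib.parse import urlsplit

KNOWN_DOMAINS = {"johnlewis.com", "amazon.co.uk", "paypal.com"}  # constructed allow-list
SUSPICIOUS_TLDS = {"ws", "cm", "cc", "om"}            # suffixes the post singles out
COMMON_TLDS = {"com", "org", "edu", "co.uk", "uk"}    # suffixes the post calls common

def edit_distance(a, b):
    """Levenshtein distance: 'johnllewis' vs 'johnlewis' is 1 (one extra letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Split a hostname into (registrable domain, suffix). Assumption: a two-label
    suffix only for co/org/ac/gov under a two-letter country code, not a full PSL."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:]), ".".join(parts[-2:])
    return ".".join(parts[-2:]), parts[-1]

def assess(url):
    """Return a list of findings for a URL you are about to type your details into."""
    host = urlsplit(url).hostname or ""
    if "." not in host:
        return ["no usable hostname"]
    domain, tld = registrable(host)
    if domain in KNOWN_DOMAINS:
        return ["known domain"]
    label = domain[: -len(tld) - 1]              # brand part, e.g. 'johnllewis'
    findings = []
    for known in sorted(KNOWN_DOMAINS):
        kdomain, ktld = registrable(known)
        if edit_distance(label, kdomain[: -len(ktld) - 1]) <= 1:
            findings.append(f"lookalike of {known}")
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"suspicious suffix .{tld}")
    elif tld not in COMMON_TLDS:
        findings.append(f"uncommon suffix .{tld}")
    return findings or ["no match against the allow-list"]

if __name__ == "__main__":
    for u in ("https://www.johnlewis.com/", "https://www.johnllewis.com/", "https://johnlewis.cm/"):
        print(u, assess(u))
```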

Social Engineering
This is where we unwittingly hand over our personal information directly to the cyber criminals. It usually occurs via email (phishing attacks), text message (smishing attacks) and phone calls (vishing attacks).

  • Phishing (Email) Attacks – the most common of these three attack types is the fake emails we all get in our inbox from time to time. Long gone are the days when the Nigerian president would write you a very poorly worded email asking you directly for money! Phishing attacks have become much more complex and trickier to spot. Today, cyber criminals can find out who you bank with, then deliver targeted fake emails that look identical to the emails you receive from your specific bank. They’ll almost invariably ask you either to click on a link (which will take you to a site where they collect some sort of personal data from you) or to open an attachment (which will then install malware to steal your personal data on their behalf).
  • Smishing (Text Message) Attacks – these are very similar to phishing attacks, just over text message. However, perhaps because they arrive by text message, they tend to be much more successful for criminals.
  • Vishing (Phone Call) Attacks – these scam phone calls typically target the older generations and usually involve the attacker pretending to be someone from a reputable organisation like your bank’s fraud team, the police, your utilities company or something similar.

I’ve written a specific post here about how you can identify a fake email, text message or phone call!

Social Media
Social media is another way we can inadvertently give cyber criminals our personal data. Social media is such a perfect reconnaissance tool for hackers that a practice known as ‘doxing’ has emerged. This is the practice of discovering as much personal information about someone from publicly available sources as possible, often by just starting off with something as simple as a name or email address. Have you ever ‘Facebook stalked’ an ex’s new boyfriend or girlfriend? Sure you have! This is a basic form of doxing. Often simply googling people who have open social media profiles can help attackers extract sensitive data. For example, some Facebook profiles still publicly display people’s actual date of birth which, in the UK, is used as a key security question for companies wanting to validate our identity.

Another example of where we divulge too much personal information is photos taken on smartphones. By default, smartphones nowadays typically append the GPS co-ordinates to each photo (within the metadata that sits behind the photo itself). Therefore, if someone is trying to find out where you live, all they need to do is find a photo of you that was snapped whilst you were at home and, with some help from a website like metapicz.com, they can extract your home address. Check out this post to find out how to disable this feature on your smartphone!
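As an added example (not the post’s or metapicz.com’s code), here is a small Python parser that reads the GPS tags out of an Exif payload, the same data a site like metapicz.com displays, so you can check your own photos before sharing them. Rather than reading a real JPEG it builds a constructed sample payload; in a real file this payload follows the “Exif\0\0” marker in the JPEG’s APP1 segment.

```python
import struct

def build_exif_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a little-endian TIFF/Exif payload whose IFD0 points at a
    GPS IFD holding GPSLatitudeRef/GPSLatitude/GPSLongitudeRef/GPSLongitude."""
    def entry(tag, typ, count, value):          # one 12-byte IFD entry
        return struct.pack("<HHII", tag, typ, count, value)
    def rationals(dms):                          # 3 RATIONALs: degrees, minutes, seconds
        return b"".join(struct.pack("<II", int(v * 1000), 1000) for v in dms)
    def ascii_ref(ref):                          # 2-char ASCII fits inline in the value field
        return int.from_bytes(ref.encode() + b"\0", "little")
    header = b"II" + struct.pack("<HI", 42, 8)           # byte order, magic, IFD0 offset
    ifd0 = struct.pack("<H", 1) + entry(0x8825, 4, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)                            # GPS IFD starts at offset 26
    gps += entry(0x0001, 2, 2, ascii_ref(lat_ref)) + entry(0x0002, 5, 3, 80)
    gps += entry(0x0003, 2, 2, ascii_ref(lon_ref)) + entry(0x0004, 5, 3, 104)
    gps += struct.pack("<I", 0)                           # no further IFD
    return header + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)

def gps_from_exif(exif):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS tags are present."""
    order = "<" if exif[:2] == b"II" else ">"
    u16 = lambda o: struct.unpack_from(order + "H", exif, o)[0]
    u32 = lambda o: struct.unpack_from(order + "I", exif, o)[0]
    def entries(ifd):                            # map tag -> offset of its 12-byte entry
        return {u16(ifd + 2 + 12 * i): ifd + 2 + 12 * i for i in range(u16(ifd))}
    ifd0 = entries(u32(4))
    if 0x8825 not in ifd0:                       # no GPSInfo IFD pointer: nothing to leak
        return None
    gps = entries(u32(ifd0[0x8825] + 8))
    if not all(tag in gps for tag in (1, 2, 3, 4)):
        return None
    def dms_to_decimal(e):                       # value field holds the offset of 3 RATIONALs
        off = u32(e + 8)
        d, m, s = (u32(off + 8 * i) / u32(off + 8 * i + 4) for i in range(3))
        return d + m / 60 + s / 3600
    ref = lambda e: chr(exif[e + 8])             # ASCII N/S/E/W is stored inline
    lat = dms_to_decimal(gps[2]) * (-1 if ref(gps[1]) == "S" else 1)
    lon = dms_to_decimal(gps[4]) * (-1 if ref(gps[3]) == "W" else 1)
    return lat, lon

if __name__ == "__main__":
    sample = build_exif_with_gps((51, 30, 15), "N", (0, 7, 39), "W")
    print(gps_from_exif(sample))
```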

What do Cyber Criminals Do With Our Stolen Data?

The answer is simple: they either use that information directly for their own financial gain (i.e. to defraud us or commit identity theft) or they sell it on the black market.

This black market is known as the ‘dark web’ and is often the place where our personal data ends up after it is stolen. Hold on, dark what? Normal search engines such as Google only index a small portion of the total information available on the internet; this portion is called the ‘Surface Web’ and is what we are all accustomed to when we browse the internet. A study published in Nature recently found that Google indexes only 16% of the surface web, with any given search returning just 0.03% of the related information that exists online. This gives you an idea of the real scale of the internet! Those parts of the internet which aren’t indexed by mainstream search engines like Google are referred to as the Deep Web. They aren’t featured on search engines mainly because they are hidden behind password-protected portals, e.g. public libraries, governmental networks, corporate intranet sites and website admin pages.

The Dark Web is a part of the Deep Web where various nefarious and illegal activities take place. It can be a shadowy underground where cyber criminals and hackers exploit the anonymity it provides. It acts as a ‘black market’ for some very unsavoury things including drug smuggling, selling firearms, cyber-terrorism, hacking services, child molestation networks and human trafficking. You can even hire a hit man for around $45,000, or if the intended victim is in the public eye you’ll be expected to fork out around $180,000…!

These online black markets are now so mature they even have discount days, money-back guarantees, loyalty schemes, and some even provide refunds on purchased stolen credit card information if it doesn’t work. Some have even attested that, because there are user ratings and customer reviews, drugs bought over the dark web are purer and of a higher quality than they would be if bought from the local street-corner drug dealer.

It is here that personal data is literally bought and sold. In a report by McAfee called The Hidden Data Economy, they found cyber criminals actually paying for our social media account credentials at around $5 each, and for stolen bank cards at $5-$30 (US), $20-$35 (UK) and $25-$45 (Europe). Unsurprisingly, online banking login credentials are especially valuable, averaging around $190 for access to a bank account with a $2,200 balance.

You should now have an idea of how our personal data can get into the wrong hands and what happens to it once it is leaked. If you want to find out what you can do to prevent your data falling into the wrong hands, check out this site here where I walk you through it step by step.

I hope you found this useful.
