In this blog post I will explain to you what identity theft is, which order of mangnitude it has, how the data getst stolen, how you can check whether your data has been stolen and how to best protect yourself against identity theft.
What is identity theft
Identity theft is at the rise since years. There are billions of stolen identities publicly available and a huge portion of them with user name and password in clear text.
How largeis the problem? Huge! But we do not really know the exact numbers. Identity theft happens in the dark, the data is traded in the dark web and only every now and then huge data sets become publicly available. On the other hand not every company detects that they have been breached and which data has been stolen.
There are a few indicators somehow depicting the order of magnitude of identity thefts that happened in the past and they are truly alarming:
- According to Gemalto’s Breach Level Index 2018, around 15 billion stolen identities have been recorded between 2013 and 2018.
- The provider Constella is reporting, that 42 billion exposed records of consumers and employees were detected circulating in dark markets in 2021.
- The US provider haveibeenpwned currently has close to 13 billion individual breached accounts in its database and the German Identity leak checker from Hasso Plattner Institute has close to 14 billion breached accounts in its database.
Knowing that 4 billion persons are online, this means that in average every person was affected nearly 4-10 times by identity theft so far. So the likelihood that you are affected as well is quite high.
What data is stolen
- Personal data (PII): Name, User, Email, Password, Phone, Address, Date of birth, Social Security Number
- Financial data: Bank account number, credit card number, paypal login data, …
- Documents: passport number, id number, …
- Business data: company, position, …
- Medical data: insurance number, diagnosis information, …
According to Constella, 60% of all breaches contain PII information and 72% of these breaches contain passwords.
How much is my data worth
After stealing your data, the hackers either use them for their own purpose or they offer it for sale in the dark web. You might wonder how much your data is worth. According to the Dark Web Price Index from PrivacyAffairs, stolen credit card data with pin is worth around 15-35 USD, stolen Paypal credentials are worth around 200-300 USD, hacked social media accounts cost around 50-75 USD and a hacked gmail account is worth around 150 USD.
How does my data get stolen
First of all “stolen” might not be the correct term as many breaches happen unintentionally either by accident or because the provider does not adopt appropriate security measures to protect your data.
So let’s structure the topic a bit into three aspects: (1) Who is behind the data breach, (2) What is the attack target and (3) Tactics / methods used.
(1) Who is behind the data breach
What a lot of people don’t know is that great part of data breaches happen through insiders or internals of a company you are interacting with. I found some statistics that approx. 30% happen via insiders and 70% via company externals. Who are those insiders or externals?
Company Internals
- Employees intentionally
- Employees unintentionally
- 3rd party providers intentionally
- 3rd party providers unintentionally
Company Externals
- Hackers
- Malware authors
- Organized crime
- Governments / nations
- Activists
(2) What is the attack target
The attack target can be you as a single person or the company / provider you are interacting with.
(3) Tactics / methods used
- Phishing (see my blog post)
- Malware
- Unauthorized Access
- Exploition of vulnerabilities
- Unprotected servers and databases (4IQ found in 2018 around 14000 unsecured devices containing more than 9 billion data sets)
- Brute Forcing
- Credential Stuffing
The biggest data breaches
According to tech.co, the biggest data breaches in history so fare were
- Yahoo (2013) – 3 billion
- First American Corporation (2019) – 885 million
- Facebook (2019) – 540 million
- Marriott International (2018) – 500 million
- Yahoo (2014) – 500 million
- Friend Finder Network (2016) – 412 million
- Exactis (2018) – 340 million
- Airtel (2019) – 320 million
- Truecaller (2019) – 299 million
- MongoDB (2019) – 275 million
Measures to protect against identity theft
Bad message first: great part of data breaches happen on provider side (intentionally or unintentionally) and there is nothing you can do to prevent this other then selecting trustworthy providers which is a challenge in itself as even big companies fail in securing your data properly (see chapter biggest data breaches above).
On the other side there is still much you can and should to in order to protect hackers from gathering the data from you directly.
My recommended measures are
- Select a trustworthy and good antivirus solution and regularly check your system for viruses
- Activate your firewall
- Ensure that the Software of all your devices is always up to date. Ensure to install OS updates and app and driver updates. Updates often fix vulnerabilities and with an up to date system you ensure that the fixed vulnerabilities cannot be exploited anymore.
- Be aware of phishing ans social engineering. Read my blog post to learn how to best protect against phishing.
- Secure your online accounts with good password management. Read my blog post with my recommendations about good password management.
- You can use an identity scanner to inform you about known breaches. There are multiple providers on the market both free and paid ones (free: haveibennpwned, HPI Identity Leak Checker, paid: e.g. Avira Identity Assistant). The challenge I see with these products is that the data typically gets public long after it has been harvested in the dark web. But it is definitely an additional safety mechanism to make you aware that your data was stolen and to trigger actions on your side.
Depending on the country you live in there is even more you can do: in some countries there are insurance companies offering insurance packages to secure against identity theft. You can furthermore ask for regular credit reports to see whether your stolen identity data has been used to claim a new loan which affects your credit score negatively.