Your personal data has value. Data brokers make billions from trading it. Hackers can make a fortune from stealing and selling it and even sites, such as Facebook and Google, gain billions on it through advertising. In fact, data continues to be one of the fastest growing industries in the world.
Recently published research exploring the size of the data markets in the UK economy from 2015 to 2020 found that data was expected to have added £322 billion to the British economy during this period. In fact, most of the biggest new companies of the last decade have all based their business model on the value of data and how to utilise it – Google, Facebook, Uber and Airbnb, to name a few.
Our data breach team, who specialise in supporting clients who have had their data lost, shared or leaked, investigate the different routes of data sharing, as well as some simple steps you can take to protect your personal information online.
If you use the internet, there’s no doubt you will have seen an advert that is specifically targeted to you. Whether it was via a social channel such as Facebook, or a banner advert on another website, it’s likely you’re seeing eerily relevant adverts every single day.
You could also be receiving masses of spam email and junk mail in the post which, by comparison, is completely irrelevant to you and your interests. Both ends of the spectrum will likely have used a data broker to gather information on you.
Data brokering is a multi-billion pound industry made up of companies who collect consumer data, such as preferences, lifestyle, stage of life and various other attributes, and sell it to other companies, usually for marketing purposes.
Just imagine the price advertisers will pay to get your attention with a product they know is likely to be of interest to you.
But, how do they access this information? Over 1,400 “leading brands” sell information from store loyalty cards to data brokers, meaning that if you’ve ever signed up for a loyalty or store credit card, there’s a good chance the data you provided was sold to a broker. On many occasions this is specified in the terms and conditions. However, unfortunately, we’re seeing more and more cases of companies selling users personal data to advertisers without their permission. In 2019, parenting club Bounty was fined £400,000 for selling users’ data, after the company illegally shared 34.4 million records with 39 companies. At CEL, we are currently pursuing a group legal action against Bounty (UK) Ltd to help those affected by the breach receive compensation.
Understanding the value of data to hackers is a little more complicated. Although one thing is clear, if data didn’t have a high value, cybercriminals wouldn’t bother to steal it.
First, there are hackers who target businesses. They will often hack data lists and use them to sell on to data brokers, as explained above. However, if the data they’re obtaining is bank details, health records or other more personal information, then the value of this data could soar – both financially and personally.
Alternatively, they could be hacking data to use for ransom and blackmail purposes, as we saw with the Transform Hospital Group Data Breach. The cosmetic surgery chain suffered a data breach when cybercriminals hacked its IT systems and downloaded sensitive medical information including images of their clients’, pre and post-surgery. They then threatened to publish the images online if they weren’t paid a ransom.
Hackers may also be directly selling information or using bank details to access individual or corporation funds. If the hacker is looking to sell the data, basic credit card details (name, card number, expiry date) are not worth much, but if they are able to obtain the owner’s address and email, then its value becomes somewhere between $20 and $25. That has a similar market value to a driver’s licence. So, one debit card, two credit cards and a driver’s license, plus your email and physical address commands a price of $100.
However, of course, cyber-criminals may also be attempting to directly steal money. Official data shows that while the total stolen from a UK fraud victim is generally small, in almost a quarter of cases, it can result in between £500 and £40,000 stolen.
It’s extremely difficult to put an exact sum against your personal data – but an interesting experiment by Federico Zannier does shed some light on its potential value.
Zannier wanted to raise public awareness of the fact people’s personal information was being traded by big data brokers, such as Acxiom and Epsilon. He chose to sell his digital footprint for $2 per day over one month using Kickstarter to see how much he could earn. He sold particularly personal data including keystrokes, mouse movements, frequent screenshots of online activity with timestamps and even a folder of webcam photos taken every 30 seconds. He earned $2,733 in one month – which was five times his original estimate of $500.
In today’s digital world, your personal data is a valuable product. If it falls into the wrong hands, it can have serious consequences, including financial losses, emotional distress and loss of privacy. The bulk of stolen sensitive information often comes from large-scale data breaches that have hit countless businesses over the years, from Sandicliffe Car Dealership to Babylon Health.
A large portion of these breaches are a result of negligent business processes, human error or cybercrime meaning users’ personal details aren’t as protected as they should be. But there are multiple, simple steps that you can also take online to protect yourself:
• Look out for phishing attacks that prey on your log-in credentials or credit card details
• Choose strong and unique passwords for each account
• Use two-factor authentication whenever it is available
• Do not use unsecured Wi-Fi networks to access accounts that have sensitive data
• Use data breach notification services to learn if your details have been stolen in a known data breach
If your financial or personal data has been exposed due to security failures by an organisation that you trusted to keep your information safe, then you have a right to claim compensation.