The digital identities of tens of thousands of Britons are available for sale on the darknet including ‘thousands’ stolen from government databases, senior officials have claimed.
An unnamed “Whitehall security official” told the FT that personal information, including all the bank details a fraudster could need to raid an individual’s account, were available for around $30 on average.
However, information gleaned from the government gateway—which includes potentially even more valuable personal tax and social security data—has been on sale for around $75.
It’s unclear when the digital identities of UK citizens were stolen from these government databases, although there have been signs in the past that not all breaches of the Data Protection Act get reported to privacy watchdog the ICO.
Back in June security firm ViaSat UK submitted Freedom of Information requests to all UK police forces and found that they dealt with at least 13,000 device theft cases between March 2014 and March 2015.
However, the ICO investigated just 1,089 breaches over the same period.
That led to calls for greater powers to be given to the watchdog to ensure all threats are reported and risks minimized.
The news comes as a major cyber-attack on ISP TalkTalk continues to make headlines.
It’s still unclear how many of the company’s four million customers have been affected, although the firm is now claiming that the breach is not as bad as at first feared and that the bank details stolen couldn’t be used to raid accounts.
It has risked the wrath of customers, however, by stating it will waive its termination fees only if affected users actually have money stolen from their bank account as a result of the breach.
What is certain is that TalkTalk is not the only company that has suffered such a breach of late—it’s likely that many more either don’t know they’ve been attacked or haven’t told their customers.
To this end, Symantec told the FT that details on over 600,000 customers were stolen from UK companies in 2014.
Given the nature of the dark web even that figure could only be the tip of the iceberg.
Richard Beck, head of cyber security at training firm QA, argued that the only way to reduce the risk of breaches is in improving employee awareness.
“Benjamin Frankly famously once described distrust and caution as the parents of security,” he added. “This, together with education, is key to reducing the chances of becoming a victim of today’s cyber security threats.”
RedSocks technology specialist, Karn Akpan, added that trying to protect every single entry point into a company’s data is futile.
“Of course, this doesn’t mean we shouldn’t try,” he added.
“It just means that we must focus our efforts and investments differently than in the past. The trick for controlling risks is to strike the right balance between prevention and detection and that’s an area that all companies need to seriously address.”