"This a serious and regrettable situation."
Those were the words of Toll Group MD Thomas Knudsen upon addressing a cyber attack which stole data from a corporate server.
The stolen files contained information relating to past and present employees and included details such as name, residential address, age or birthdate and payroll information (including salary, superannuation and tax file number).
Some of this sensitive information was then published to the dark web.
Toll's attack is one of many that have occurred during COVID-19, where the trend in attacks is increasing as networks and users become vulnerable.
And according to cybersecurity research organisation Privacy Affairs, sensitive personal, financial and social media information is fetching as little as $12 on the dark web.
Looking to understand the value of stolen data on the dark web, the organisation sent its researchers to the 'other side' to determine the average price going for information such as a cloned Mastercard with PIN ($15), driving license (US), average quality ($70) and LinkedIn company page followers x 1000 ($10).
According to the research, alongside personal data, counterfeit notes are extremely common on the dark web, mainly in $20 and $50 denominations.
The Privacy Affairs researchers came across forged AUD, USD, EUR, GBP and CAD notes most often, with the "quality" ones costing around 30% of the banknote value.
Privacy Affairs cybersecurity expert, Miguel Gomez said that while the majority of people aren't looking to buy stolen data, it helps to know how data is valued by those who want to steal it.
"For the average person, underground market data isn’t necessarily going to provide much use as they most likely aren’t shopping around for stolen card data or PayPal accounts.
"Though this is true, the prices at which these items sell provide a powerful perspective.
"If someone gets their hands on your financial details or social media credentials, the prices mentioned above is basically what it’s worth to them.
"There’s a good chance that you value these things much more than they do, as to them you’re just another mark for a quick buck," he said.
Gomez added that often malware is used to steal credentials, which can make thousands of dollars for hackers.
"Malicious tools are installed on comprised systems (Windows, Android and others) which gives attackers access to the system. Initial installation is via fake online casino, FB/social networks and warez websites.
"Some forms of malware may simply use your computer’s resources for activities such as cryptocurrency mining.
"Others may be used to steal credentials as you enter them on a website.
"For each 1000 installs, hackers can often steal tens of thousands of dollars," he said.
While many businesses claim to have secure systems, COVID-19 has shown that cyber attackers can and do gain access to sensitive information on a regular basis.
Privacy Affairs recommends that everyone take the following precautions to protect their data:
- Don't give details over the phone: When answering your phone, make sure to never give sensitive information (such as your SSN, your debit card number, passwords) to anyone regardless of whether this is a requirement for some process. If it’s that important, do it in person.
- Check for an ATM skimmer: Skimmers read a card before it’s inserted into an ATM, providing a criminal with a clone of your card’s magnetic strip. This is enough to recreate your card from a “blank.” Press around the sides of the card port and see if anything feels loose. Skimmers are often made to imitate the material around the ports, but they’re delicately mounted so they’ll move when pressed with a small amount of pressure. Check for glue around the edges or tape. If you see any glue material, stay away from that ATM and call the bank. Similarly, if you have difficulty putting your card into the machine, stop trying and stay away from it.
- Check an ATM’s keypad: Fake keypads are sometimes placed over the legitimate one to record your PIN number. They’re often very loosely mounted. If it jiggles around a bit or if you notice the keypad is off-center, you should avoid using it.
- Check often for malware: Ensure that your data isn’t being recorded as you input it into your computer. Use anti-malware tool and make sure it’s set to automatically update.
- Avoid public or unsecured WiFi: If you must log into an account on a network you don’t 100% trust, use a VPN to encrypt all communications. Even bank websites can be forged to be almost undetectable if an attacker has administrative access to the network you’re using.
- Delete accounts you don’t think you’ll use anymore: Old accounts can be compromised and this leads to problems in the future. However, this is only really an issue if you use the same password for multiple accounts.
- Never use the same password for multiple accounts: This is the easiest way for an attacker to gain access. When a major list of account details is dumped on the dark web, your account details can be checked against other services such as email or banking, and you really don’t want them to have the same password.
- Use a password manager: You’ll always have super strong security for all your accounts but only need to remember one master password.
Businesses are encouraged to take the following steps to ensure that their systems are secure:
- Patch your internet facing devices promptly – ensuring any web or email servers are fully updated with the latest software
- Ensure you use multifactor authentication to secure your internet accessible infrastructure and cloud-based platforms
- Become an Australian Cyber Security Centre (ACSC) partner to ensure you get the latest cyber threat advice so you can take the earliest possible action to protect yourself online