A series of cyber attacks across the UK has compromised the personal information of hundreds of thousands of Britons, making it susceptible to online criminals. M&S confessed that hackers accessed personal data, though not payment details or passwords, in a cyber attack at the end of April. Recent breaches at the NHS and Legal Aid have also resulted in the theft of sensitive information.
Hacking activities, especially ransomware and phishing scams, are increasing, with nearly 4,000 breaches in the retail sector last year compared to under 1,500 in 2019. Cyber criminals predominantly focus on ‘basic personal identifiers’ like names, dates of birth, or addresses during data attacks. The Information Commissioner’s Office reports that over 40% of data breaches in the past five years involved such information, with health data breaches comprising another 15% and financial data breaches just under 10%.
The data obtained is sold on the dark web, with an “entire ecosystem” of vendors and intermediaries engaging in these transactions, as explained by Ted Cowell, head of UK cyber security at S-RM. This includes forums and community groups where credentials and sensitive information are traded. Cowell notes the involvement of ‘initial access brokers’ and hackers for hire who pay for data to facilitate further attacks or commit identity fraud. Spencer Starkey, executive VP of Europe at SonicWall, highlights that the value of basic details lies in the difficulty of changing them, giving them longevity.
Data containing more than basic information, like medical or legal records, is “extremely valuable” on black markets, according to Cody Barrow, CEO at EclecticIQ. Once acquired, data is used for various purposes; medical or legal information is particularly valuable when used for phishing scams or identity theft. Basic information, though seemingly less valuable, is instrumental in launching targeted phishing campaigns and social engineering attacks. Tim Grieveson, chief security officer at Thingsrecon, emphasises the potential of seemingly harmless data to contribute to identity theft or fraud.
If passwords are stolen, credential stuffing attacks are common, involving the testing of known passwords across multiple platforms to access accounts, says Marshall Erwin, security officer at Fastly. He warns that technical breaches are not isolated incidents, stating that data in criminals’ hands can fuel long-term social engineering attacks, often starting with credential theft or malicious bot activity.
Hackers also utilise a strategy of holding data hostage to extract payment from individuals or companies. This can involve ransomware attacks, where access to computer systems is withheld until a ransom is paid, as seen in the M&S incident. Additionally, ‘extortionware’ attacks threaten to publicly release sensitive information unless payment is made. Cowell mentions the trend of public ‘leak sites’ maintained by established groups, which publicise victims’ data if ransoms are unpaid.
A study by Opinium indicates that two-thirds of UK consumers are altering their online shopping habits due to retail cyberattacks, with over half concerned about previous data thefts. Grieveson advises customers to be wary of unsolicited communications, avoid suspicious links, and consider changing passwords if reused across platforms. He also stresses the importance of two-factor authentication (2FA) and identity monitoring services. At workplaces, caution is essential; nearly two-thirds of UK workers have experienced a cyberattack at work, yet only 11% feel responsible for preventing one.
