Dark web markets are hungry for Australian identity data

Australians’ confidential financial, personal, and identity data is being channelled in large volumes through dark web marketplaces and is the second-most-expensive in the world, according to a new analysis that bodes poorly for the thousands of victims compromised in the recent hack of a key National Disability Insurance Scheme (NDIS) software provider.

Full identity sets relating to Australians are selling for $112.50 on the dark web market, which NordVPN security experts, who conducted the analysis in early April 2022, said has previously sold more than 720,000 pieces of data for $23.2 million.

That meant identity data is eight times more expensive than mobile numbers and emails—which are available online for an average $13.40 each—and far more costly than an Australian driver’s licence ($48) or passport ($16.50).

Indeed, Australian passports are the fifth cheapest in the world, while Czech, Slovakian, and Lithuanian passports are the most expensive, at $5,104 each.

The country whose identity details attract the highest price online is Ireland, whose citizens’ identity sets are selling online for an average of $305.52 each.

Significantly, login details for cryptocurrency wallets and investment accounts are more expensive on the site than credentials for payment processing or bank accounts, with accounts from Binance costing $530.55 on average, Kraken accounts costing $515, and Crypto.com accounts selling for $470 each.

“The broad scope of the data offered on these criminal markets shows the importance of taking charge of your security and privacy online,” NordVPN cybersecurity expert Adrianus Warmenhoven said in a statement, noting that “the online market is just the tip of an iceberg. … there are over 30,000 websites on the dark web at the moment.”

The unnamed market used in this analysis, which was conducted along with third-party cybersecurity researchers, was chosen because it was used by some big hacker groups in the past, including those that moved to sell 70 million personal details said to have been stolen from AT&T by hacking group ShinyHunters last year.

More data for cybercriminals

Given the potential returns in dark web markets where personal data is the product, the cybercriminals providing that product are working continuously to keep supplies fresh.

That makes major breaches such as the recent compromise of Sydney-based software provider CTARS—whose cloud-based client management system is used to track the details of clients and their carers, management plans, progress reports, financial details, and other data—instantly provide new financial opportunities for cybercriminals who can successfully compromise their data-rich targets.

An “unauthorised party” gained access to CTARS systems on the evening of 15 May, the vendor explained in its public notification about the incident, with that party claiming to have “taken a large volume of data”.

Six days later, CTARS learned that a sample of the data had been posted on a deep web forum. “Although we cannot confirm the details of all the data in the time available to be extra careful we are treating any information held in our database as being compromised [including] documents containing personal information relating to our customers and their clients and carers,” CTARS said in a statement.

CTARS stores so much data that the company said that it is “unable to confirm exactly what personal information … was affected” by the 15 May 2022 data breach.

However, the agency had engaged identity-theft support agency IDCare to look after NDIS members whose identity data had been compromised in the breach—a common step after data breach incidents where personally identifiable information has been compromised.

The theft of sensitive data has become commonplace as cybercriminals continue to expand their strategies for attacking target companies.

So-called ‘double extortion’ attacks see cybercriminals sharing samples of stolen data to prove the veracity of their claims to have compromised their targets, with further publication threatened if ransoms are not paid.

Although there has been no confirmation about whether CTARS was also breached by ransomware, the technique has become so effective that many companies are paying increasingly large ransoms to prevent the publication of data and restore business operation.

The average ransom payment by Australian companies reached $1.3 million during the first five months of 2022, Palo Alto Networks’ Unit 42 security arm recently revealed, representing a 71% increase over last year and triple the average payment in 2020.