How much is your stolen data worth on the dark web?

Globally, there were 362 million data breaches in 2022, and 83% of organisations experienced more than one data breach. In the first half of 2023, 154 million breaches had already been recorded. But how much could your stolen data sell for on the dark web? And which parts of the world were most impacted?

The price of your data on the dark web

Research revealed that a piece of stolen personal data costs an average of £289 on the dark web. This price varied depending on the type of data and whether it was physical (e.g. a forged document) or digital (e.g. credit card information). In the UK, an individual’s stolen data was worth an average of £4,335 based on the number of stolen data points.

Different categories of stolen data, including credit card data, crypto accounts, social media accounts and more, were included in research by news website Privacy Affairs. The average cost to purchase a single stolen data point was £289 – but price differed vastly by category. The most expensive data point was a forged physical Maltese passport, which cost £5,089 on the dark web:

| Category | Average cost | Most expensive data point in category | Cost |
|---|---|---|---|
| Credit card data | £27 | Credit card details, account balance up to $5,000 (£3,917) | £94 |
| Payment processing services | £187 | Verified Stripe account with payment gateway | £783 |
| Crypto accounts | £158 | Bitit.io verified account | £313 |
| Social media | £15 | Hacked Gmail account | £51 |
| Hacked services | £10 | Bet365 account | £31 |
| Forged documents (scans) | £77 | Alberta, CA driver's licence | £129 |
| Forged documents (physical) | £1,098 | Maltese passport | £5,089 |
| Email database dumps | £86 | 10 million USA email addresses | £94 |
| Malware | £990 | 'Premium' quality malware, per 1000 installs | £4,309 |
| DDoS attacks | £242 | Unprotected website, 10-50k requests per second, 1 month | £666 |


Countries with the most stolen data per person

As for the countries most impacted by data breaches, research by Surfshark showed that the US came top of the list with an average of 32 stolen data points per person between 2020 and 2023, or 9 per year. Data points include personal information such as email addresses, usernames, passwords, phone numbers, addresses, IP addresses, city, country and more.

Russia and France weren’t far behind, with 26 and 21 stolen data points per person respectively. The UK came in at joint fifth alongside Singapore, Australia, Portugal and Canada, with 15 stolen data points - meaning that each UK resident’s stolen data could be worth over £4,000 on the dark web.

View the top 10 countries in the table below:

| Rank | Country | Stolen data points per person | Average worth on dark web |
|---|---|---|---|
| 1 | US | 32 | £9,248 |
| 2 | Russia | 26 | £7,514 |
| 3 | France | 21 | £6,069 |
| 4 | South Sudan | 16 | £4,624 |
| 5 | Singapore | 15 | £4,335 |
| = | UK | 15 | £4,335 |
| = | Australia | 15 | £4,335 |
| = | Portugal | 15 | £4,335 |
| = | Canada | 15 | £4,335 |
| 10 | Netherlands | 13 | £3,757 |


Countries with the most data breaches per person

The rankings were similar when we looked at the average number of data breaches impacting each person. Russia saw the highest numbers – a staggering 16 breaches per person – followed by the US, South Sudan and France with eight:

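| Rank | Country | Data breaches per person |
|---|---|---|
| 1 | Russia | 16 |
| 2 | US | 8 |
| = | France | 8 |
| = | South Sudan | 8 |
| 5 | Czech Republic | 6 |
| = | Germany | 6 |
| = | Singapore | 6 |
| 8 | UK | 5 |
| = | Australia | 5 |
| = | Netherlands | 5 |
| = | Portugal | 5 |
| = | Canada | 5 |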


What should you do if your data has been leaked in a breach?

If you suspect that your data (or your business’s data) has been compromised in a data breach, it's important to act quickly and strategically to safeguard your personal information. Start by verifying the breach through reputable sources such as the affected company's official communications or trustworthy news outlets.

If you discover that your data has been stolen, consider the following steps:

Change your passwords

Start by changing your passwords for any compromised accounts. Use strong, unique passwords that include lower-case letters, upper-case letters, numbers and special symbols, or even a string of unrelated numbers and letters. You should also consider using two-factor authentication (2FA) to add an extra layer of security to your accounts.

Monitor financial activity

Keep an eye on your financial accounts for any suspicious transactions. Immediately report any unauthorised or suspicious activity to your bank or credit card issuer.

Place fraud alerts

Contact credit reporting agencies like Equifax, Experian and TransUnion to place fraud alerts on your credit reports. This can make it harder for identity thieves to open new accounts in your name.

Review your privacy settings

Check your online accounts' privacy settings to ensure you're sharing only necessary information. Limit the amount of personal information you make publicly available.

Update security software

Make sure your devices have up-to-date security software, including antivirus and anti-malware programmes. Regularly update your operating systems and applications – this helps to patch possible vulnerabilities.

Beware of phishing attempts

Be cautious of emails, messages, or calls that ask for personal information. Verify the identity of the requester before sharing any information. Find out more about phishing scams in our report.

Stay informed

Keep up to date on information about the breach and its potential impact. This will help you to make informed decisions about your accounts.

Freeze your credit

If you believe your personal information has been seriously compromised, you might consider freezing your credit. This prevents new accounts from being opened in your name, but it can also limit your ability to apply for new credit.

Report to authorities

Depending on your jurisdiction, report the breach to local law enforcement or the appropriate authorities responsible for cybercrimes.

Ed Bartlett, CEO at Hicomply, said: “Ultimately, taking swift action, staying vigilant, and adopting security best practices are essential for minimising the potential consequences of a data breach. While you may not have control over the breach itself, a proactive response can significantly reduce its impact on your personal and financial security. For businesses, integrating HR and information security processes is a good first step.”

How can businesses prevent successful data breaches?

Preventing data breaches requires a comprehensive and proactive approach from businesses. Here are key strategies to consider:

Robust cybersecurity infrastructure

Invest in strong cybersecurity measures, including firewalls, intrusion detection systems, and encryption protocols to protect sensitive data from unauthorised access.

Regular security audits

Conduct routine security audits to identify vulnerabilities and address them quickly. Regular assessments help maintain a strong defence against evolving cyber threats.

Employee training

Educate employees about cybersecurity best practices, including recognising phishing attempts and following secure data handling procedures.

Access controls

Implement strict access controls, granting employees access only to the information necessary for their roles. This minimises the risk of internal breaches.

Vendor risk management

Assess the security practices of third-party vendors and partners who handle your data. Weak links in the supply chain can lead to breaches.

Patch management

Keep software and systems up to date with the latest security patches. Many breaches exploit known vulnerabilities that could have been prevented with timely updates.

Data encryption

Encrypt sensitive data – even if breached, encrypted data is much harder to exploit.

Incident response plan

Develop a comprehensive incident response plan outlining steps to take in case of a breach. A well-prepared response can mitigate the damage and reduce downtime.

Employee offboarding

Ensure proper procedures for revoking access to data when an employee leaves the company. Former employees should not retain access to sensitive information.

Regular backups

Regularly back up critical data and test restoration procedures. This helps in case of ransomware attacks or data loss incidents.

Monitoring and detection

Implement advanced monitoring tools to detect unusual or suspicious activity, enabling swift responses to potential breaches.

C-suite involvement

Cybersecurity should be a priority at the executive level. Allocate resources and create a culture of security from the top down.

All of the above elements are also key components of an ISO 27001-certified information security management system, or ISMS.

Compliance with international information security standards like ISO 27001, SOC 2, and GDPR can help your organisation reduce the risk of data breaches, protect sensitive customer information and ensure you have a strategy in place should a breach be successful.

Sources

Number of data breaches, Surfshark: https://docs.google.com/spreadsheets/d/1KthuXmVMk5GuPTyiIjJi5MHuzLP-YuJ1BtVHaFurG_M/edit#gid=1855326442

Dark web price index, Privacy Affairs: https://www.privacyaffairs.com/dark-web-price-index-2022/

Population figures, UN: https://population.un.org/wpp/Download/Standard/MostUsed/

Average data breach cost estimates, IBM Cost of a Data Breach: https://www.ibm.com/downloads/cas/E3G5JMBP

World Map Vector by Vecteezy

Methodology:

Data points

Researchers at Hicomply used data from Surfshark’s Data Breach World Map and population data from the UN to find the countries with the highest number of stolen data points per person.

This was calculated by dividing a country’s total number of stolen data points by total population. The team repeated this method to find out the countries with the most data breaches per person.

Data’s worth on the dark web

Hicomply used data from Privacy Affairs’ Dark Web Price Index 2022 to find:

  • The most expensive data point in each category
  • The average cost of a data point in each category
  • The average cost of a data point overall, by dividing the total of the category average costs by 10 (the number of categories).

Note: Original prices were in US dollars. They were converted to pounds sterling using Google in August 2023.

The team then found the average worth of a person’s data on the dark web by multiplying the average cost of a data point by the number of stolen data points per person, e.g. for the US the team multiplied 289 by 32, which gave £9,248.
