Globally, there were 362 million data breaches in 2022, and 83% of organisations experienced more than one data breach. In the first half of 2023, 154 million breaches have already been recorded. But how much could your stolen data be sold for on the dark web? And where in the world was most impacted?
The price of your data on the dark web
Research revealed that a piece of stolen personal data costs an average of £289 on the dark web. This price varied depending on the type of data and whether it was physical (e.g. a forged document) or digital (e.g. credit card information). In the UK, an individual’s stolen data was worth an average of £4,335 based on the number of stolen data points.
Different categories of stolen data, including credit card data, crypto accounts, social media accounts and more, were included in research by news website Privacy Affairs. The average cost to purchase a single stolen data point was £289 – but price differed vastly by category. The most expensive data point was a forged physical Maltese passport, which cost £5,089 on the dark web:
Category | Average cost | Most expensive data point in category | Cost
Credit card data | £27 | Credit card details, account balance up to $5,000 (£3,917) | £94
Payment processing services | £187 | Verified Stripe account with payment gateway | £783
Crypto accounts | £158 | Bitit.io verified account | £313
Social media | £15 | Hacked Gmail account | £51
Hacked services | £10 | Bet365 account | £31
Forged documents (scans) | £77 | Alberta, CA driver's licence | £129
Forged documents (physical) | £1,098 | Maltese passport | £5,089
Email database dumps | £86 | 10 million USA email addresses | £94
Malware | £990 | 'Premium' quality malware, per 1000 installs | £4,309
DDoS attacks | £242 | Unprotected website, 10-50k requests per second, 1 month | £666
Countries with the most stolen data per person
As for the countries most impacted by data breaches, research by Surfshark showed that the US came top of the list with an average of 32 stolen data points per person between 2020 and 2023, or 9 per year. Data points include personal information such as email addresses, usernames, passwords, phone numbers, addresses, IP addresses, city, country and more.
Russia and France weren’t far behind, with 26 and 21 stolen data points per person respectively. The UK came in at joint fifth alongside Singapore, Australia, Portugal and Canada, with 15 stolen data points – meaning that each UK resident’s stolen data could be worth over £4,000 on the dark web.
View the top 10 countries in the table below:
Rank | Country | Stolen data points per person | Average worth on dark web
1 | US | 32 | £9,248
2 | Russia | 26 | £7,514
3 | France | 21 | £6,069
4 | South Sudan | 16 | £4,624
5 | Singapore | 15 | £4,335
= | UK | 15 | £4,335
= | Australia | 15 | £4,335
= | Portugal | 15 | £4,335
= | Canada | 15 | £4,335
10 | Netherlands | 13 | £3,757
Countries with the most data breaches per person
The rankings were similar when we looked at the average number of data breaches impacting each person. Russia saw the highest numbers – a staggering 16 breaches per person – followed by the US, South Sudan and France with eight:
Rank | Country | Data breaches per person
1 | Russia | 16
2 | US | 8
= | France | 8
= | South Sudan | 8
5 | Czech Republic | 6
= | Germany | 6
= | Singapore | 6
8 | UK | 5
= | Australia | 5
= | Netherlands | 5
= | Portugal | 5
= | Canada | 5
What should you do if your data has been leaked in a breach?
If you suspect that your data (or your business’s data) has been compromised in a data breach, it's important to act quickly and strategically to safeguard your personal information. Start by verifying the breach through reputable sources such as the affected company's official communications or trustworthy news outlets.
If you discover that your data has been stolen, consider the following steps:
Change your passwords
Start by changing your passwords for any compromised accounts. Use strong, unique passwords that include lower-case letters, upper-case letters, numbers and special symbols, or even a string of unrelated numbers and letters. You should also consider using two-factor authentication (2FA) to add an extra layer of security to your accounts.
Monitor financial activity
Keep an eye on your financial accounts for any suspicious transactions. Immediately report any unauthorised or suspicious activity to your bank or credit card issuer.
Place fraud alerts
Contact credit reporting agencies like Equifax, Experian and TransUnion to place fraud alerts on your credit reports. This can make it harder for identity thieves to open new accounts in your name.
Review your privacy settings
Check your online accounts' privacy settings to ensure you're sharing only necessary information. Limit the amount of personal information you make publicly available.
Update security software
Make sure your devices have up-to-date security software, including antivirus and anti-malware programmes. Regularly update your operating systems and applications – this helps to patch possible vulnerabilities.
Beware of phishing attempts
Be cautious of emails, messages, or calls that ask for personal information. Verify the identity of the requester before sharing any information. Find out more about phishing scams in our report.
Stay informed
Keep up to date on information about the breach and its potential impact. This will help you to make informed decisions about your accounts.
Freeze your credit
If you believe your personal information has been seriously compromised, you might consider freezing your credit. This prevents new accounts from being opened in your name, but it can also limit your ability to apply for new credit.
Report to authorities
Depending on your jurisdiction, report the breach to local law enforcement or the appropriate authorities responsible for cybercrimes.
Ed Bartlett, CEO at Hicomply, said: “Ultimately, taking swift action, staying vigilant, and adopting security best practices are essential for minimising the potential consequences of a data breach. While you may not have control over the breach itself, a proactive response can significantly reduce its impact on your personal and financial security. For businesses, integrating HR and information security processes is a good first step.”
How can businesses prevent successful data breaches?
Preventing data breaches requires a comprehensive and proactive approach from businesses. Here are key strategies to consider:
Robust cybersecurity infrastructure
Invest in strong cybersecurity measures, including firewalls, intrusion detection systems, and encryption protocols to protect sensitive data from unauthorised access.
Regular security audits
Conduct routine security audits to identify vulnerabilities and address them quickly. Regular assessments help maintain a strong defence against evolving cyber threats.
Employee training
Educate employees about cybersecurity best practices, including recognising phishing attempts and following secure data handling procedures.
Access controls
Implement strict access controls, granting employees access only to the information necessary for their roles. This minimises the risk of internal breaches.
Vendor risk management
Assess the security practices of third-party vendors and partners who handle your data. Weak links in the supply chain can lead to breaches.
Patch management
Keep software and systems up to date with the latest security patches. Many breaches exploit known vulnerabilities that could have been prevented with timely updates.
Data encryption
Encrypt sensitive data – even if breached, encrypted data is much harder to exploit.
Incident response plan
Develop a comprehensive incident response plan outlining steps to take in case of a breach. A well-prepared response can mitigate the damage and reduce downtime.
Employee offboarding
Ensure proper procedures for revoking access to data when an employee leaves the company. Former employees should not retain access to sensitive information.
Regular backups
Regularly back up critical data and test restoration procedures. This helps in case of ransomware attacks or data loss incidents.
Monitoring and detection
Implement advanced monitoring tools to detect unusual or suspicious activity, enabling swift responses to potential breaches.
C-suite involvement
Cybersecurity should be a priority at the executive level. Allocate resources and create a culture of security from the top down.
All of the above elements are also key components of an ISO 27001-certified information security management system, or ISMS.
Compliance with international information security standards like ISO 27001, SOC 2, and GDPR can help your organisation reduce the risk of data breaches, protect sensitive customer information and ensure you have a strategy in place should a breach be successful.
Sources
- Number of data breaches, Surfshark: https://docs.google.com/spreadsheets/d/1KthuXmVMk5GuPTyiIjJi5MHuzLP-YuJ1BtVHaFurG_M/edit#gid=1855326442
- Dark web price index, Privacy Affairs: https://www.privacyaffairs.com/dark-web-price-index-2022/
- Population figures, UN: https://population.un.org/wpp/Download/Standard/MostUsed/
- Average data breach cost estimates, IBM Cost of a Data Breach: https://www.ibm.com/downloads/cas/E3G5JMBP
Methodology:
Data points
Researchers at Hicomply used data from Surfshark’s Data Breach World Map and population data from the UN to find the countries with the highest number of stolen data points per person.
This was calculated by dividing a country’s total number of stolen data points by total population. The team repeated this method to find out the countries with the most data breaches per person.
Data’s worth on the dark web
Hicomply used data from Privacy Affairs’ Dark Web Price Index 2022 to find:
- The most expensive data point in each category
- The average cost of a data point in each category
- The average cost of a data point overall, by dividing the sum of the category average costs by 10 (the number of categories).
Note: Original prices were in US dollars. They were converted to pounds sterling using Google in August 2023.
The team then found the average worth of a person’s data on the dark web by multiplying the average cost of a data point by the number of stolen data points per person, e.g. for the US the team multiplied 289 by 32, which gave £9,248.