Need to know
- The first order of business for cybercriminals is often to extort ransom payments from corporate data hack victims
- Buying and selling stolen data on the dark web is often a secondary objective, but it can have far-reaching consequences
- CHOICE talks to two cybersecurity experts about what goes on in the netherworld known as the dark web
When Medibank began informing customers that their personal data had been released on the dark web following a major hack of the health fund late last year, few would have known quite what to do with the information.
What, after all, is the dark web? And what's going to happen to your data if it ends up there?
The cybercriminals made off with the names, dates of birth, addresses, phone numbers and email addresses of around 5.1 million current and former Medibank customers and the health claims data (potentially revealing diagnoses and procedures) of about 160,000 customers.
How much of this has been posted on the dark web, and where, remains unclear.
Paul Haskell-Dowland, a professor of cyber security practice and associate dean for computing and security at Edith Cowan University, tells CHOICE there is no firm definition of the term dark web, but generally it means websites that are hidden away and can't be googled.
It's perfectly easy to access these sites in a web browser, it's just that you've got no idea how to find them
Professor Paul Haskell-Dowland, Edith Cowan University
That loose definition covers a lot of territory.
"The internet is this massive network of computers all over the globe, serving up all kinds of content," Haskell-Dowland says.
"And only a very small proportion of it really fits into that definition of what we think of as the internet, the public web, the stuff that we browse."
"When people generally talk about the dark web, they are referring to that dangerous, illicit place where drugs are sold, and data is traded, and criminals chat with each other," Haskell-Dowland says.
"But things on the dark web can be quite innocent. They can just be websites that aren't indexed, that have not been made easily accessible."
He likens the innumerable websites on the dark web to telephone numbers that are not listed in the directory. If you know the number, you can access the website.
"A lot of the dark web is just like that. It's perfectly easy to access these sites in a web browser, it's just that you've got no idea how to find them," Haskell-Dowland says.
Terminology referring to the dark web can vary. Unindexed content is also known as the 'deep web', and the dark web can be defined as sites that exist on 'dark nets' that can only be accessed using special networks and browsers. One of these is known as the Tor browser, which uses layers of encryption, or 'onion routing', to hide the source and destination of information accessed on the web. Tor is also used for legitimate purposes.
Criminal 'chat channels'
So where is the data stolen in the recent Medibank breach being held? Medibank and the Australian Federal Police (which is investigating the incident) are keeping this confidential lest they tip off the hackers.
But Haskell-Dowland suspects that when Medibank says the dark web, it means the "chat channels" cybercriminals access through special browsers on hidden networks.
"They will list the data on these sites so they can make it clear to their victims that they have the data and the means of dissemination."
Resorting to plan B
In the Medibank case, the cybercriminals were hoping for a reported $15 million ransom payment in exchange for agreeing to not release the data on the dark web, probably the easiest way for the criminals to monetise the hack.
But, in line with a growing trend among corporate hack targets, Medibank refused to pay, not least because trusting criminals to hold up their end of the bargain and delete the data is a dicey prospect.
That leaves the cybercriminals with the probably less lucrative option of selling the data to other criminals, and probably taking payment in bitcoin or another cryptocurrency.
In November 2022, Home Affairs Minister Clare O'Neil told media outlets that the government was considering a ban on ransom payments to cybercriminals.
They don't really care for the data – they care for the money. They want to get in, get the money, and get out
Cyber security expert Nigel Phair, UNSW Canberra
UNSW Canberra cyber security expert Nigel Phair says the dark web is a messy place full of "streams of information" without the user-friendly design elements of the visible web. You need to be a pretty good cybercriminal to know what to do with the stolen data.
"The criminals didn't get the money they wanted, so the next best way of monetising the customer data would be to sell it to other criminals – probably for a dollar or less per credential – or use it themselves. And there's such a large volume of data. It depends where you are in the value chain and what you want. For some criminals, having lots of credentials is great because they can use it for identity theft and those sorts of things."
But, for cybercriminals in general, the first priority is to extort money from their victims as quickly as possible, Phair says.
"They don't really care for the data – they care for the money. They want to get in, get the money, and get out."
Cybercrime affects people in ways that can be hard to predict, and the harms can continue indefinitely.
Identify theft and scams
One of the primary concerns around hacked data is identity theft – criminals using stolen data to take out credit cards and loans in other people's names, for instance.
But criminal organisations also use the data to set up convincing scams. Having a person's real name, address, birth data and other data can go a long way toward pulling off an email or phone scam and gaining access to a victim's bank account or other assets.
"If you're running a call centre scam operation, the data is valuable because it's got information you can use to verify that you're purportedly someone legitimate," Phair says.
These criminal gangs that engage in illicit cyber activities are every bit as organised and every bit as capable as big businesses and big industry
Professor Paul Haskell-Dowland, Edith Cowan University
And if you're a big criminal organisation that collects and keeps stolen data, you can bring a level of sophistication to scams that significantly increases their effectiveness.
Financial data is relatively short-lived, since people can cancel credit cards and open up new bank accounts. But real names, birth dates, email addresses and other more permanent data can have a long shelf life, which is why victims of data hacks (along with everyone else) should always be on guard. There's no telling what it might be used for in the years to come.
"These criminal gangs that engage in illicit cyber activities are every bit as organised and every bit as capable as big businesses and big industry," Haskell-Dowland says. "They employ people and have divisions within their organisations. Many of them will have their own websites, and in some cases they'll have their own PR teams."
Better consumer protections
"Consumers are the real victims of corporate cybercrime," says CHOICE consumer data advocate Kate Bower. "They are the ones who live with the consequences of scams, identity theft or the daily worry of not knowing who has your data and what they might do with it."
CHOICE welcomes the increase in penalties for serious and repeated breaches of the Privacy Act introduced in late 2022 by the federal government. But Bower believes more should be done to protect consumers and their data and to hold businesses accountable when cybersecurity incidents occur.
Consumers are the real victims ... the ones who live with the consequences of scams, identity theft or the daily worry of not knowing who has your data and what they might do with it
CHOICE consumer data advocate Kate Bower
"The Privacy Act review is the perfect opportunity to reassess the threshold for breaches of the Act," Bower says.
"Currently, only 'serious or repeated breaches' of the Act incur a penalty, meaning that very few businesses are ever held to account for unlawful behaviour that harms consumers. CHOICE is campaigning for a stronger regulator with more powers, as well as changes to the wording of the Act that would mean any breach of the Act could attract a penalty or enforcement action."
How people find out their data has been used against them
A November 2022 bulletin published by the Australian Institute of Criminology, a government agency, lays out a number of ways by which cybercrime victims have discovered that criminals were using their stolen data. They include:
- unauthorised activity on a bank account, credit card or credit report
- receiving credit cards in the mail they didn't apply for
- calls from debt collectors about unpaid bills that they didn't recognise
- an unsuccessful credit application when the victim's credit history is good
- receiving goods in the mail (such as mobile phones) that they didn't order
- losing mobile phone service because it was transferred to an unknown device
- getting a medical bill for a service they didn't receive
- having a health claim rejected because they had unexpectedly reached their benefit limit
- being unable to file taxes because a return had already been filed in their name.
Stay on guard if your data was hacked
- Don't respond to emails, texts or phone calls that appear to be from an organisation that you do business with, even if they include personal details that make them look legitimate. Instead, contact the organisation yourself to see if the communications are valid.
- Don't pay up in the event of an extortion attempt, where criminals threaten to publish personal details or photos of you unless you hand over your money.
- If you think you've responded to a scam communication, fill out a get help form from the government-funded service ID Care.
Stock images: Getty, unless otherwise stated.