What to do if your data is being sold online

Credit card security

Around 600,000 people in the UK had their personal details stolen over the last year and the staggering thing is, criminals are able to buy information including email addresses, passwords, card details and even bank account details for around 19 a pop.

Over the last few weeks, protecting your information has been a particular talking point, with news that TalkTalk's customers may have had their data stolen. Although it doesn't include financial information according to the company, a lot of damage can still be done with email addresses and passwords.

But how can you find out if your data is being stolen and what should you do if you feel your identity is at risk?

How to find out if your data is being sold online

"People need to understand the world we're living in is insecure," explained Stephen Ward, senior director of marketing at iSight Partners. "Even though companies have a responsibility to protect your data, they likely can't. It's time to harden our minds against the idea and become your own watchdog of your personal credit."

The average time it takes for a company to detect a breach is 6-9 months, but some companies have taken two or three years to find out data has been stolen. Therefore, it's most likely that you will find out your data has been stolen and is being sold online by using third party tools to monitor your information online.

"There are a number of measures you can take to keep ahead of fraudsters when it comes to keeping your personal data safe, getting a copy of your credit file would be first step as it would give you an overview of all existing credit agreements," said Lisa Hardstaff, Equifax credit information expert.

Equifax's WebDetect will alert you if your data is found around the web or anything on your credit file changes. It promises to send notifications within 24 hours of the change so you can react as fast as possible.

"As part of that process, individuals can also sign up to a 24/7 ID monitoring solution that would alert them to potential unauthorised trading of their personal information. The service proactively scans suspected underground Internet trading sites of up to 10 credit/debit card account numbers provided and would then receive alerts if the information submitted is found on suspected Internet trading sites where identities maybe be sold," Hardstaff explained.

Similarly, Experian's CreditExpert service allows you to track when your sensitive data such as email address and mother's maiden name, or password are found together. It'll alert you if it finds your information for sale on the Dark Web or if anything changes to your details that it considers to be suspicious.

What data is being sold?

If you've had a notification that your personal data has been stolen, you'll probably want to know what data is available to criminals, but even this could be a tricky task.

Most alert services will only tell you that your data has been stolen and the type (for example, your password or secret question), but most people will be using multiple passwords or multiple secret questions to secure their hundreds of different accounts, so finding the exact company responsible for a data leak, or the data that has been leaked is nigh on impossible.

Unless you have been told by a vendor you're using that your data has been stolen, or you are able to find a specific transaction on your credit card or bank statement revealing the source of the leak, you're unlikely to be able to find out where the information came from.

Where is your data?

Actually finding out where your data is can be a minefield too. There are hundreds of thousands of personal data marketplaces on the Dark Web and more often than not, as iSight's Steve Ward explains, different people will hold the information and there isn't a way you can find it or claim it easily.

"You can't go out in the underground and buy your data to reclaim it," he said. "The way the underground works, your data may be compromised in lots of different places. People are selling their gains to multiple users, which could be many type of clients and distributors.

"Although you can't close Pandora's Box, what you can do is provide a level of protection. Close accounts, use ongoing monitoring, be judicious about passwords and do not re-use them across accounts you have."

How serious?

It's less concerning when your email address and password or other non-financial information is stolen Ward explained, because there's only limited damage that can be done with these.

"When a criminal gets access to a mass email database, they are only able to launch downstream financial scams rather than setting up financial accounts in your name," he said.

"They will be looking to get you to download a keylogger so then they can grab the credentials you use to log into your banking, for example. They may also run phishing scams."They're typically not looking to do anything malicious from just the email and password, he reassured, making major database heists less of a concern than a big leak including financial data.

What to do in the short term

First, apply for a fraud alert to be placed on your credit file. This means if anyone tries to get credit in your name, you will be notified immediately, before the credit is granted. Although it doesn't mean you're completely safeguarded from people being able to take details from online services that may be storing financial or other sensitive details, it means you can hopefully be protected against anyone trying to embezzle money in your name.

What action you need to take will depend on what sort of data has been stolen and is up for sale. One place to start, though, is changing all your passwords to something completely unique (after all, even if you use multiple passwords for different services, you won't know which one is the culprit). You should also change your security question, such as mother's maiden name if you are able to, because although you can change your password, this is one piece of information that never changes.

Long term solutions

There are a number of things you should do (or should not do) in order to prevent criminals stealing your identity. Of course, many of these things are common sense and others are unavoidable, but taking this key steps can make it harder for criminals to access your information:

Passwords: "While it can seem an impossible task, it is so important to have secure unique passwords for as many online accounts as possible." an Experian spokesperson told IT Pro. "At the very least, have a unique password for each type of service provider such as financial services, retails services, social media and email."

The company said you should always avoid using words from the dictionary, instead use the first letter of each word in a sentence and a mixture of lower and upper case letters as well as numbers. You should also change your passwords on a regular basis.

Keeping track: If you're worried about losing track of all the different passwords and services you're using, try out a password manager like LastPass that will allow you to login to your individual accounts without having to remember every single one.

Whenever you sign up to a new service, add it to your password manager so if you find out one of the services has been compromised, you can easily change your password for just that website.

Email: Email addresses and email passwords are regularly stolen and are also readily available on the internet. Therefore, it's important to consider what information is available in your email inbox, should criminals be able to access it.

"Don't store account names and passwords or digital pictures of your passport," Experian advised. "Beware of phishing if an email seems suspicious, don't open it or click on any links within the email. A legitimate company will never ask for your account details via email. If contacts have received emails from you that you did not send, change all your online passwords immediately."

Social Networks: Social media sites can reveal your date of birth, maiden name, email address and enough information to help a fraudster identify possible PIN and/or passwords. Consider how much you really need to share and never reveal any information that could be used to hack into other accounts, because many sites, and Twitter especially, are open for anyone to see.

Mobile devices: Consider how much information is stored on your phone including emails that can be accessed without a password. Also remember that public networks and open Wi-Fi hotspots are riskier than private networks, so be conscious of the information you access via mobile networks. Experian suggests securing your smartphone and tablet with antivirus to try and prevent malware attacks.

Credit Monitoring: "Fraudsters operate to make money and therefore, one of the first places people notice that they have been the victim of fraud is by spotting changes to their credit report if credit has been applied for under false pretences," Experian said. It's therefore important you monitor this and also check your bank statements regularly to help you spot any suspicious activity as early as possible to avoid financial loss.

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.