Stolen UK consumer data up for sale on sale online

Data Breach
(Image credit: Shutterstock)

Cybercriminals are selling stolen data pertaining to UK consumers on the dark web, according to new research by Which?

An investigation by the consumer choice brand has found that account details acquired from data breaches are being offered cheaply online.

Among the personal data up for sale on the dark web are thousands of stolen Tesco Clubcard accounts, as well as details connected with fast-food chains and high-end hotels. In the case of the Tesco data, Which? found that individual accounts, which contain usernames, passwords and loyalty card balances, were sometimes available for just 42p each when purchased in bulk.

“Our research has found a treasure trove of stolen data being traded by criminals on the dark web, highlighting the danger of companies acting carelessly with their customers’ sensitive personal information,” Kate Bevan, Which? Computing editor, commented. 

“The [UK’s Information Commissioner's Office] must be prepared to issue heavy fines against companies that leave customers’ personal data exposed to cybercriminals and breach data protection law, so that they are incentivised to prevent breaches.”

Data for sale

Which? was unable to ascertain how the stolen Tesco data was acquired – or even if it was legitimate – but the supermarket chain did confirm in March last year that a database of usernames and passwords stolen from other websites had been used in an attempt to access Clubcard accounts. At the time, it claimed that its own systems had not been hacked and that affected accounts had been notified and blocked.

In addition to the Tesco data, Which? researchers also found account details connected to Deliveroo, McDonald’s and the MGM Resorts hotel chain available to purchase. Prices varied depending on the information being offered but, regardless of the efficacy of the stolen data, the details could be used by cyberattackers to engage in follow-up attacks, including spear-phishing campaigns.

In addition to tougher action by the Information Commissioner’s Office, Which? also called for consumers to be granted an easier route to financial compensation when they are affected by a data breach.

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.