Privacy Week:
When Your Data Becomes Someone Else’s Asset
13 May 2026
Most breach notifications tell you what happened to the company. Very few tell you what happens to you. Your data has a value, a journey, and a buyer, and the impact on you can last years after the breach headline fades.
In this CyberCuration, we focus on the impact a breach has on a person – what your data is worth, where it goes, who buys it, how they use it against you, and what you can do to protect yourself beyond the standard company advice.
You might think your data is not valuable. Attackers disagree. Every person caught in a breach has multiple data types that trade for real money in criminal markets – and the combination of those types is worth far more than the sum of their parts.
- Financial data: credit card details sell for $5–$30 each. Full identity packages (card + name + address + DOB) fetch $50–$200. Bank login credentials trade for 10% of the account balance.
- Identity & credentials: email/password pairs enable account takeover. Corporate credentials unlock access to your employer. Government IDs enable fraud and synthetic identity creation.
- Your role and seniority: an executive’s details command a premium. A finance officer, IT admin, or anyone with system access is especially high-value. Even junior staff are useful as entry points.
You are not anonymous in a breach. You are a product with a price tag.
The Moment Data Is Stolen
The data does not sit still. Within hours of a breach, stolen files are copied to attacker-controlled infrastructure – often hosted in jurisdictions with no extradition agreements. Russia, Iran, and North Korea are common destinations. Once copied, it cannot be retrieved or deleted.
It is also immediately duplicated. Multiple threat actors may have copies before the victim organisation even knows a breach occurred. A ransom demand does not mean the data is held exclusively – it almost certainly is not.
Ransom payment buys silence, not deletion. Your data has already left.
Leverage, Then Market
If ransom is not paid, the data moves to a dark web marketplace or leak site. The organisation’s data is published or auctioned. Your records – along with thousands of others – are now openly available to any criminal willing to pay.
Even when ransom is paid, data is routinely re-sold anyway. Criminals have no honour code. The same dataset may be sold multiple times to multiple buyers over months or years. Breach impact is not a one-time event – it is ongoing.
A breach notification email marks the start of your exposure, not the end of it.
Who Buys Your Data
Stolen data is not used by the people who stole it. It moves through a criminal supply chain. The initial attacker sells in bulk to brokers. Brokers sort, package, and resell to buyers. Each buyer has a specific use case for your specific data type.
Card fraudsters want financial data. Nation-state actors want corporate credentials and executive profiles. Scam operations want email addresses and phone numbers. Ransomware groups want active corporate logins. Each type of buyer knows exactly what they are looking for.
Your data does not expire. Records from five years ago are still actively traded today.
How they use it depends on who you are:
- Executive or senior role – spear phishing, email compromise, or pressure campaigns. Your name and title make you a high-value target.
- Finance, IT, or system access – credentials used directly to access corporate systems, initiate fraudulent payments, or plant ransomware.
- Junior staff – used as entry points, pressured or bribed to provide internal access, or exploited via credential stuffing against other accounts.
Everyone in the breach is profiled. Your value is determined before the first contact attempt.
They Know More Than You Think
Before any attacker contacts you, they have already done their homework. Breach data is cross-referenced with LinkedIn, social media, previous breaches, and public records to build a detailed profile. By the time you receive a suspicious email or call, they already know your name, employer, role, and likely personal interests.
- Multiple breaches, one picture – attackers combine data from several breaches. Your email from one, your phone from another, your salary band from a third. The composite profile is far richer than any single record.
- Spear phishing – generic phishing targets everyone. Spear phishing targets you specifically, using your real name, employer, recent activity, and colleagues’ names to build a convincing message. Breach data is what makes this possible.
- Social engineering – they already know a lot about you. When they call, it is not a guess – it is a targeted operation built on your stolen data.
- Credential stuffing – your breached email and password are automatically tested against hundreds of other sites. If you reuse passwords, attackers will find which other accounts they can access.
The most dangerous attacks after a breach are not random. They are personalised, researched, and patient.
What You Could Do to Further Protect Yourself
Beyond the breach notification email, here is what actually helps protect you – steps the company cannot take on your behalf:
Act immediately on financial exposure:
- Cancel and replace any credit or debit cards linked to the breached account – do not wait for fraud to appear
- Place a credit freeze or fraud alert with credit bureaus (Equifax, Illion, Experian) to block new credit being opened in your name
- Change your password on the breached site and on any other site where you used the same password – use a password manager going forward
- Enable MFA on email, banking, and any account linked to the breached service – use an authenticator app, not SMS
- Set up alerts on your bank accounts and check haveibeenpwned.com to monitor whether your email appears in future breaches
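To find "any other site where you used the same password", a password-manager export can be checked locally. The script below is an added example, not part of the original article; the CSV column names and every account in the sample are constructed assumptions. It separates accounts that share the exact breached email and password pair (what credential stuffing tests first) from accounts that share only the password.

```python
import csv
import io

# Constructed sample export; real exports differ by product. Columns are assumed.
SAMPLE_EXPORT = """name,url,username,password
Shop,https://shop.example,alex@example.com,Autumn2019!
Bank,https://bank.example,alex@example.com,x9$Lq2#vTz8pR
Forum,https://forum.example,alex,Autumn2019!
Mail,https://mail.example,alex@example.com,autumn2019!
Streaming,https://video.example,alex@example.com,Autumn2019!
"""


def reuse_report(export_csv, breached_site):
    """Rank other accounts by how directly the breached credentials expose them.

    same_pair:     same username AND password as the breached account
                   (a stuffing attempt with the leaked pair logs straight in).
    same_password: same password under a different username (rotate next).
    """
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    breached = [r for r in rows if r["name"] == breached_site]
    if not breached:
        raise ValueError(f"no entry named {breached_site!r} in export")

    # Usernames compare case-insensitively; passwords compare exactly.
    leaked_pairs = {(r["username"].lower(), r["password"]) for r in breached}
    leaked_passwords = {pw for _, pw in leaked_pairs}

    report = {"same_pair": [], "same_password": []}
    for r in rows:
        if r["name"] == breached_site:
            continue
        if (r["username"].lower(), r["password"]) in leaked_pairs:
            report["same_pair"].append(r["name"])
        elif r["password"] in leaked_passwords:
            report["same_password"].append(r["name"])
    return report


if __name__ == "__main__":
    # Prints account names only; passwords are never echoed.
    for level, names in reuse_report(SAMPLE_EXPORT, "Shop").items():
        print(f"{level}: {', '.join(names) or 'none'}")
```

Run it offline against the export and delete the export file afterwards, since it holds every password in plain text.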
Be suspicious of unexpected contact in the weeks after a breach – calls, texts, and emails that seem to know things about you are not coincidental.
Your data has value, a market, and a buyer. Understanding what happens to it after a breach – and acting on that knowledge – is the difference between being a passive victim and an informed one.
