Cybercrime violates individuals' privacy and the security of their data, particularly hacking, malware, identity theft, financial fraud, medical fraud, and certain offences against persons that involve the revealing of personal information, messages, images, and video and audio recordings without individuals' consent or permission (e.g., cyberstalking, cyberharassment, and cyberbullying discussed in Module 12 on Interpersonal Cybercrime).
Data is considered a commodity online and offline by both legal and illegal actors (Maras, 2016). For this reason, data is a primary target of cybercriminals. Data also plays an integral role in the commission of many cybercrimes, primarily because it is not adequately protected and can be illicitly accessed and obtained. Data breaches have resulted from lost or stolen encrypted flash drives and other storage devices (mainly laptop and smartphones), poor system and data security, unauthorized access to the database or the exceeding of authorized access to a database, and accidental disclosure, release or publication of data. Some notable examples of data breaches include:
Stolen passwords can cause harm beyond the compromised accounts as people often recycle passwords and use them (or parts of these passwords; for example, certain numbers) on more than one website, email account, app, and/or online platform.
Outside of breaches, medical, financial, and other personal data could be found on dedicated online carding forums (i.e., online sites dedicated to selling debit and credit card data) and darknet sites (located in the Deep Web) (discussed in Cybercrime Module 5 on Cybercrime Investigations; see also, Maras, 2014 or Finklea, 2017, in English, and Chatelain, 2018a, in French, for more information about the darknet and the Deep Web).
In addition to releasing this data for financial purposes, compromised data can (and has) been released to shame people and expose their real or perceived immoral actions and behaviours. A case in point is the posting of the personal information (e.g., names and email addresses) of approximately 37 million users of Ashley Madison, a website which connected users seeking extramarital affairs, online (Zetter, 2015).
The burden to secure data is often placed on the individuals whose data is stolen. These individuals are informed to minimize their "digital footprint" by updating security settings on apps, websites, social media, and other online platforms, and removing and/or reducing the amount of data about themselves that they make available to others (Maras, 2016). This victim-centred approach puts the onus of protection on the victims of cybercrime, and not the offenders and the companies whose systems were breached. The reality is that victims cannot protect their personal data when it is "stored in and stolen from third party databases far removed from… [their] control" (Maras, 2016, 289). It is also increasingly difficult to minimize one's "digital footprint" today. Fewer, if any, alternatives are available for individuals who opt out of the collection, analysis, and use of their data. For example, an individual who uses social media has one of two options: provide the minimum amount of required personal information to use the social media platform (which is essentially what the individual "pays" for using the service) or opt out of providing this information and not use the platform. There is no other alternative offered. Internet of Things (IoT) devices (discussed under Introduction) also require personal information in order to be used. Increasingly, new devices entering the market - even those not previously Internet-enabled, such as household appliances, jewelry, clothing, and toys - are Internet-enabled (Maras, 2015), leaving consumers with fewer options should they chose to obtain a device that does not have these capabilities.