The complete lifecycle of a data breach — how attackers infiltrate systems, exfiltrate data, monetise it on the dark web, and why victims are often the last to find out.
Data breaches begin with an attacker gaining unauthorised access to a system. The entry points vary: exploiting unpatched software vulnerabilities in web servers or database systems; credential stuffing (using previously leaked username/password combinations to log in to systems where employees reused passwords); phishing attacks targeting employees to steal credentials or deploy malware; social engineering of IT support staff to gain access; supply chain attacks (compromising a software vendor whose product is trusted by the target organisation); and in some cases, insider threats from current or former employees.
Once inside a network, sophisticated attackers often remain undetected for extended periods, moving laterally, escalating privileges, mapping the environment and identifying high-value data stores. The 2023 IBM Cost of a Data Breach Report put the average time to identify a breach at 204 days and the average time to contain it at a further 73 days, a 277-day breach lifecycle. In other words, the average victim organisation is compromised for nearly seven months before it notices the intrusion, and for roughly nine months in total before it is contained, during which the attacker keeps whatever access and credentials they have established in the environment.
For Hong Kong organisations, the most common breach entry points documented by the HKPF and PCPD include: phishing emails targeting finance and IT staff; exploitation of unpatched vulnerabilities in internet-facing systems (web applications, VPN gateways, email servers); compromised third-party vendors with access to HK systems; and misconfigured cloud storage (publicly accessible S3 buckets or Azure Blob Storage containing customer data). The HKMA also reports that targeted attacks against financial institutions frequently begin with spear phishing of employees with privileged access.
Once an attacker has identified and accessed valuable data, the exfiltration phase begins. Large databases are typically compressed, encrypted, and transferred out of the compromised network in ways designed to avoid triggering data loss prevention (DLP) systems — using legitimate file transfer protocols, cloud storage services, or encrypted channels that blend with normal traffic. Exfiltration may happen in a single bulk transfer or in small increments over time to avoid anomaly detection.
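The two exfiltration shapes described above, one bulk transfer and a trickle of small transfers that each stay under a per-transfer DLP limit, call for different detection logic. The following is an added example, not code from the original page or from any vendor product, of an egress rule that catches both over a set of flow records. The flow records, the log format, the internal address ranges and the thresholds are all constructed for this illustration; in practice the thresholds would be set from a baseline of each host's normal egress volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample egress flow records (not real traffic, built for this example).
# One record per outbound connection: timestamp, internal source, destination,
# destination port and bytes sent out. Host 10.0.1.5 makes one bulk transfer at
# 02:13, host 10.0.1.22 trickles ~5 MB connections to one destination all day,
# host 10.0.1.40 is ordinary browsing, and the last record is internal SMB traffic
# that an egress rule should ignore.
SAMPLE_FLOWS = """\
2024-03-01T02:13:40Z src=10.0.1.5 dst=198.51.100.7 port=443 bytes=943718400
2024-03-01T09:05:10Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=4718592
2024-03-01T09:41:02Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=5242880
2024-03-01T10:17:55Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=4194304
2024-03-01T10:58:31Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=5033164
2024-03-01T11:30:09Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=4980736
2024-03-01T12:12:47Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=4613734
2024-03-01T12:55:20Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=5138022
2024-03-01T13:36:01Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=4823449
2024-03-01T14:10:14Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=5085594
2024-03-01T14:49:58Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=4928307
2024-03-01T15:22:36Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=4980736
2024-03-01T16:01:12Z src=10.0.1.22 dst=203.0.113.9 port=443 bytes=5190451
2024-03-01T09:15:00Z src=10.0.1.40 dst=203.0.113.50 port=443 bytes=184320
2024-03-01T11:40:00Z src=10.0.1.40 dst=203.0.113.50 port=443 bytes=302080
2024-03-01T15:05:00Z src=10.0.1.40 dst=203.0.113.50 port=443 bytes=95744
2024-03-01T10:00:00Z src=10.0.1.22 dst=10.0.2.15 port=445 bytes=734003200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)
# Assumed internal ranges of the monitored network (RFC 1918); adjust to your own.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BULK_BYTES = 500 * 1024 * 1024       # one flow this large is flagged on its own
SMALL_FLOW_MAX = 10 * 1024 * 1024    # flows below this usually pass per-transfer DLP limits
TRICKLE_TOTAL = 50 * 1024 * 1024     # ...but this much to one destination in a window is not normal
TRICKLE_MIN_FLOWS = 8                # and it took many connections to get there
WINDOW = timedelta(hours=24)


def parse_flows(text):
    """Parse the constructed log format into (ts, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed records rather than crash the rule
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((ts, m["src"], m["dst"], int(m["port"]), int(m["bytes"])))
    return flows


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_exfil(text):
    """Return {(src, dst): 'bulk' | 'low-and-slow'} for suspicious egress pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in parse_flows(text):
        if is_internal(dst):
            continue  # east-west traffic is outside the scope of an egress rule
        by_pair[(src, dst)].append((ts, nbytes))

    findings = {}
    for pair, flows in by_pair.items():
        flows.sort()
        if max(nbytes for _, nbytes in flows) >= BULK_BYTES:
            findings[pair] = "bulk"
            continue
        # Sliding 24h window: do sub-threshold flows to this destination add up?
        start, running = 0, 0
        for end, (ts, nbytes) in enumerate(flows):
            running += nbytes
            while flows[start][0] < ts - WINDOW:
                running -= flows[start][1]
                start += 1
            window_flows = flows[start:end + 1]
            if (running >= TRICKLE_TOTAL and len(window_flows) >= TRICKLE_MIN_FLOWS
                    and all(b < SMALL_FLOW_MAX for _, b in window_flows)):
                findings[pair] = "low-and-slow"
                break
    return findings


if __name__ == "__main__":
    for (src, dst), kind in sorted(detect_exfil(SAMPLE_FLOWS).items()):
        print(f"{kind:12s} {src} -> {dst}")
```

The bulk rule is the easy one and is what most per-transfer DLP thresholds already implement; the second rule is the one that matters for the evasion described above, because it keys on the pair (source, destination) and the running total over a window rather than on any single connection. A 700 MB internal SMB copy from the trickling host is deliberately not flagged here: staging data on an internal server is a different detection, not an egress event.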
After exfiltration, the monetisation strategy depends on the data type and the attacker's profile. Nation-state actors typically use the data directly for intelligence purposes — building profiles on individuals, extracting trade secrets, or establishing access for future operations. Criminal groups have several monetisation paths: selling the entire database in bulk on dark web markets (typically to the highest bidder in a private transaction or public auction); selling in smaller lots by data type (just the credit card numbers, or just the login credentials); using the data directly for fraud; or using it as the basis for targeted phishing campaigns against the affected individuals.
Reported dark web prices for stolen data fall into fairly consistent bands. Freshly stolen credit card data (with CVV, billing address, and card number) typically sells for $5-20 USD per card, with premium pricing for cards from high-balance or premium accounts. Email/password combinations from consumer services sell for $1-5 USD per 1,000 records in bulk. Full identity packages ("fullz" in criminal terminology, including name, date of birth, HKID, address, and bank account details) command $10-50 USD each. Medical records are the most valuable, selling for $250-1,000 USD each due to their utility for medical identity fraud.
The discovery of a data breach can come from multiple sources, and the victim organisation is often not the first to identify it. Security researchers scanning the dark web may find the data on sale before the breached company knows it's gone. Cybersecurity journalists investigating criminal forums may surface the breach. Have I Been Pwned's Troy Hunt receives frequent breach data submissions from sources that include security researchers, law enforcement, and occasionally the criminals themselves. Victims themselves reporting fraudulent activity can trigger an investigation that reveals a breach.
When a breached organisation discovers an incident, it typically engages forensic investigators and legal counsel before making any public disclosure. This internal investigation phase — determining the scope, timing, and nature of the breach, and whether regulatory disclosure obligations apply — can take weeks or months. In Hong Kong, the PDPO does not mandate breach notification in all cases, meaning organisations may choose not to publicly disclose a breach unless required by their industry regulator (e.g., HKMA for financial institutions) or until a formal data leakage complaint is filed with the PCPD.
Breach notifications, when they do arrive, are often vague about the nature and extent of the exposure. Legal liability concerns lead organisations to phrase notifications carefully, sometimes making it difficult for individuals to assess the actual risk. Critical information to extract from any breach notification: which data types were exposed (whether passwords were plain text or hashed, and if hashed, with which algorithm and whether salted; whether HKID or financial data was included); when the breach occurred (not when it was discovered); what the company is doing to remediate; and what specific actions they recommend affected users take.
When you receive a breach notification or discover through monitoring that your data has been exposed, the response should be swift and systematic. The specific actions depend on what data types were exposed, but the general priority order is: protect your financial accounts first, then secure your email (the master recovery pathway), then update credentials for other services. Don't wait for "more information" — act on the data types you know are exposed immediately.
If the breach involved your password: change it immediately on the breached service, and on every other service where you used the same or a similar password. This is the critical step: password reuse turns a single service breach into a credential stuffing list that can be tried against banking, email, and other services. Enable 2FA on the breached account if it is not already active. If the breach notification says passwords were stored in plain text, or hashed with a fast unsalted algorithm such as MD5 or SHA-1 rather than a slow salted one such as bcrypt, scrypt or Argon2, treat the exposure as critical priority and, within 24 hours, change the password on every service where you may have reused it.
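The reuse problem just described and the Have I Been Pwned submissions mentioned earlier come down to the same two questions: has this password already appeared in a breach, and where else have I used it? The following is an added example, not part of the original page and not Have I Been Pwned's own code, of a k-anonymity range lookup of the kind the Pwned Passwords API provides: the client sends only the first five hex characters of the password's SHA-1 hash, the server answers with every hash suffix it knows under that prefix, and the match is made on the client, so the server never learns the password or its full hash. The breach corpus, the service names and the credential set are constructed for illustration, and `range_lookup` is a local stand-in for the real endpoint, https://api.pwnedpasswords.com/range/{prefix}.

```python
import hashlib
from collections import defaultdict

# Constructed toy breach corpus: password -> number of times seen in breaches.
# Stands in for the Pwned Passwords data set behind the real range API.
BREACH_CORPUS = {
    "password123": 123456,
    "qwerty": 98765,
    "letmein": 20000,
    "Summer2023!": 412,
}

# Constructed example of one person's credentials (service -> password).
SAMPLE_CREDENTIALS = {
    "shop.example": "Summer2023!",   # reused...
    "bank.example": "Summer2023!",   # ...on the account that matters most
    "forum.example": "qwerty",
    "mail.example": "c0rrect-h0rse-battery-staple-7",
}


def sha1_upper(password):
    """SHA-1 of the UTF-8 password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket every known hash by its 5-character prefix."""
    index = defaultdict(list)
    for password, count in corpus.items():
        digest = sha1_upper(password)
        index[digest[:5]].append((digest[5:], count))
    return index


def range_lookup(index, prefix):
    """Server side of the exchange (hypothetical stand-in for GET /range/{prefix}).
    It receives only 5 hex characters and answers with 'SUFFIX:COUNT' lines for
    every hash under that prefix; it cannot tell which one the client wanted."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    return "\n".join(f"{suffix}:{count}"
                     for suffix, count in sorted(index.get(prefix.upper(), [])))


def password_breach_count(password, lookup):
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def triage_credentials(credentials, lookup):
    """Group services by shared password and attach the breach count, listing any
    password that is either seen in a breach or used in more than one place, worst first."""
    by_password = defaultdict(list)
    for service, password in credentials.items():
        by_password[password].append(service)
    report = []
    for password, services in by_password.items():
        count = password_breach_count(password, lookup)
        if count or len(services) > 1:
            report.append({"services": sorted(services),
                           "reused": len(services) > 1,
                           "breached_count": count})
    return sorted(report, key=lambda r: (-r["breached_count"], r["services"]))


if __name__ == "__main__":
    index = build_range_index(BREACH_CORPUS)
    lookup = lambda prefix: range_lookup(index, prefix)
    for entry in triage_credentials(SAMPLE_CREDENTIALS, lookup):
        print(entry)
```

Run against the constructed data, the triage lists the forum password first because it has been seen tens of thousands of times, and the shop/bank password next because it is both breached and shared, while the unique, unseen mail password is not listed at all. To use the real service, replace `lookup` with a function that fetches the prefix URL over HTTPS and returns the response body; the client code does not change, which is the point of the k-anonymity design.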
If the breach involved financial data (credit card numbers, banking credentials, account numbers): contact your financial institutions directly (HSBC, Hang Seng, or your bank's fraud line) to report the exposure and request card replacement or account security enhancement. Request enhanced monitoring on your accounts and ask about transaction alert settings. File a report with the HKPF CSTCB (18222) if you believe fraud has occurred or is likely — this creates a record and enables investigation. Monitor your TransUnion credit report for any unauthorised credit applications in the months following the breach.