Your data is for sale: The price tag hackers put on you

How much is your life worth?  Not in a philosophical sense. I mean, literally, if someone stole your email password, your National ID number, or your medical history, what would they fetch for it on the dark web? Because make no mistake, your data already has a price tag. And someone, somewhere, is bargaining over it.

Most Ugandans imagine hackers as shadowy figures targeting “big people”, CEOs, ministers, bankers. Ordinary citizens believe they are too small to matter. That illusion is the first thing criminal’s exploit.

Let me take you inside the underground market where you are the commodity.

The Gulu cybercafé incident

In late 2022, police in Gulu quietly arrested two young men running a seemingly innocent internet café. Customers thought they were just selling printing services and internet access. But when our investigators were called in, the story twisted.

The café was a front. Behind the counter, the men had installed keylogger software on every computer. Every person who logged into email, Facebook, or mobile money left behind their credentials.

1. A boda rider’s Airtel Money PIN.
2. A nurse’s work email and password.
3. A student’s login to Makerere University portal.

These were packaged into neat spreadsheets, encrypted, and sold in WhatsApp groups for as little as UGX 3,000 per login.

Think about that. Your entire financial life, on sale for less than the price of a Rolex on Jinja Road.

Why data is valuable

To hackers, data is currency. Each piece unlocks multiple fraud opportunities:

1. National ID number (NIN): Used to register SIM cards for fraudulent loans. Price: about UGX 5,000.
2. Mobile money PIN: Direct theft. Price: varies, UGX 20,000 to UGX 50,000.
3. Email + password: Gateway to bank logins, cloud drives, and identity theft. Price: UGX 10,000–15,000.
4. Medical records: Used for blackmail (“Pay or we leak your HIV status”) or fake insurance claims. Price: UGX 100,000+.

When you add it up, an average Ugandan with three SIM cards, a bank account, and a social media presence represents over UGX 200,000 in resale value. Multiply by thousands of compromised users, and you see why hackers salivate.

The invisible marketplace

The dark web isn’t some Hollywood movie set. It’s messy, low-tech, and often conducted right here on familiar apps, Telegram, WhatsApp, and even Facebook groups disguised as “Forex traders” or “online hustlers.”

In 2023, investigators infiltrated one such group. What they found was chilling:

Lists of fresh NINs stolen from a poorly secured database.

Bank statements of customers were emailed in unencrypted form by careless bankers.

Hospital lab results from clinics still using unsecured Gmail accounts.

Each document carried a price tag. A bank statement with balances over UGX 50 million was “premium,” going for UGX 250,000. The hacker joked, “Rich clients are more fun.”

The buyers? Not just criminals abroad. Local fraudsters, loan sharks, and even debt collectors are desperate for leverage.

How Ugandans leak their own data

Most data theft in Uganda doesn’t happen through “advanced hacking.” It happens because people give it away cheaply.

1. Free Wi-Fi traps. That “Free Wi-Fi” at a café in Wandegeya? It’s often a rogue hotspot. The moment you connect, every password you type flows to the hotspot owner.
2. Phone repairs. You drop your smartphone at a repair shop in Kisekka. The technician copies your contacts, WhatsApp chats, and photos before fixing the screen. You think the risk was cracked glass. The real risk was your digital diary.
3. Social media oversharing. Birthdays, schools, pets, and innocent posts become gold for hackers crafting password guesses. “Lisa2010” isn’t hard to crack if you just posted “Happy 14th birthday, Lisa!”
4. Paper carelessness. At one Kampala bank, customers still throw old ATM receipts into dustbins outside. Hackers pick them up, reconstruct transaction histories, and phone-scam clients pretending to be bank staff.

Your data doesn’t always get stolen. Sometimes, you hand it over.

The insurance scam

In 2024, a Kampala insurance company was rocked by a scandal. Customers began receiving strange calls: “We see from your medical history that you recently tested positive for X. For privacy reasons, we can help you delete this record for a small fee.”

The data was genuine. How did criminals get it? An insider, a claims officer, was photographing customer files and selling them via Telegram. For each record, he earned UGX 30,000.

By the time we intervened, over 12,000 medical files had been leaked. The reputational damage was catastrophic. The company lost two major international partners.

Small fees for the insider. Big disaster for the firm.

Why your data is never “too small”

You may think: “But I’m just a teacher in Mbale. I have nothing hackers want.” Wrong.

Your SIM card can be used to borrow money you’ll never see.

Your photo can be edited into pornography and sold.

Your medical record can be used to blackmail you.

Your identity can be swapped with a criminal’s, leaving you to answer for their crimes.

Even the smallest trail of data, an email, a birthdate, or a bank balance of UGX 50,000, can be weaponized. In the data economy, everyone is valuable prey.

Why companies fail to protect you

Ugandan companies are often complicit in this market, not out of malice, but negligence.

1. Weak passwords: Staff still use “12345” as login credentials.
2. Email insecurity: Client statements are sent in plain PDF without encryption.
3. Lack of staff training: Employees click phishing emails daily.
4. Outdated systems: Hospitals running Windows XP with no patches.

When breaches happen, companies hush them up. No public disclosure. No accountability. Customers remain in the dark, literally.

Red flags you are already compromised

You may already be a victim if:

1. You receive calls from strangers quoting personal details only you gave to a bank, hospital, or telco.
2. Your email or Facebook suddenly demands a password reset.
3. You notice small deductions from your mobile money wallet.
4. Friends receive strange messages from your account asking for “urgent help.”

These are not coincidences. There are signs your data is already circulating on underground markets.

Lessons for leaders and citizens

For individuals

1. Stop using the same password across multiple accounts.
2. Don’t trust “free” Wi-Fi.
3. Shred or burn documents with personal information.
4. Use two-factor authentication, always.

For companies

1. Encrypt customer data at rest and in transit.
2. Train staff on phishing and insider threats.
3. Implement access controls; no one person should access everything.
4. Disclose breaches early. Silence is complicity.

For regulators

1. Enforce Uganda’s Data Protection and Privacy Act with real penalties.
2. Mandate breach notification.
3. Audit high-risk sectors, banks, telcos, and hospitals.

In Uganda, we sell land. We sell goats. We sell matooke. But now, without realizing it, we are selling ourselves, our identities, our families, our dignity, one login at a time.

The market is ruthless. Hackers don’t care if you’re rich or poor. To them, you are a line item with a price tag.

And until leaders treat data with the same seriousness as money, we will continue to bleed silently. Because in today’s world, your greatest asset is no longer your bank balance. It is your data.

And right now, your data is for sale.

Copyright Institute of Forensics & ICT Security, 2025. All rights reserved.