We’ve grown accustomed to it by now — a few million accounts broken into here, another hundred million there. After a company data breach, what happens to all the data? Where does it go? And how does this impact your vulnerability analysis?
In June 2020, stolen Facebook user data suddenly popped up for sale on an online forum. By April 2021, a massive data set of 500+ million Facebook profiles became free for download. After making some cash, cybercriminals often give away data hauls to boost their egos and popularity.
This breach affected up to 20% of Facebook’s users. The leaked data included users’ mobile phone numbers, Facebook IDs, names, genders, locations, relationship statuses, occupations/employers, dates of birth and email addresses.
That’s a lot of info to be giving away for free. This makes big data security more critical than ever.
Have I Ever Been Involved in a Data Breach?
You can easily check if your email has been exposed. I have an old Yahoo! email, so I checked it on the Have I Been Pwned site. It told me my email has been pwned in data breaches nine times.
It gets worse. In the explanation section about each breach, the first one reads like a horror story. This email has actually been involved in 2,844 Unverified Separate Data Breaches. In February 2018, a huge collection of almost 3,000 alleged data breaches was found online. The compromised data included email addresses and passwords. Yikes.
You can also check Intelligence X for info about personal data breaches. But what about the big data security breaches? What happens to the company data? Let’s follow the breadcrumbs.
Where Does Data From a Company Data Breach Go?
Back in 2015, a fascinating report gave an inside look at where stolen data goes. The researchers created an Excel spreadsheet with 1,568 fake employee credentials. This bait was then posted on anonymous dark web file-sharing sites. Then, the researchers sat back and waited. They didn’t have to wait long.
The researchers began to track the data. They had embedded a hidden watermark in the file, which alerted them whenever someone opened the document. This revealed access information including geolocation, IP address and device type.
In a few days, the data from the fake data breach had reached over five countries and three continents with 200+ views. In less than two weeks it had 1,081 hits and expanded to reach 22 different countries on five different continents. So, stolen information goes everywhere.
Deeper analysis uncovered a high rate of activity amongst two groups of frequent viewers. This suggested two cyber crime syndicates, one working in Nigeria and the other in Russia.
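As an added illustration (not code from the 2015 study or from this article) of the analysis a defender runs over a decoy document’s beacon callbacks: it parses constructed hit records (the fields timestamp, token id, source IP, country and device type are assumptions) and reports how far the file spread and which sources keep returning, which is how the two clusters of frequent viewers would surface.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Hit:
    when: datetime
    token: str      # which decoy file phoned home
    ip: str         # source address of the callback
    country: str    # country code resolved from the IP
    device: str     # device/OS type from the client fingerprint

# Constructed sample callbacks (assumed format and values, not the study's data):
# <ISO timestamp> <token id> <source ip> <country> <device>
SAMPLE_LOG = """\
2015-03-02T10:15:00Z doc-7f3a 198.51.100.7 NG Windows
2015-03-02T11:02:00Z doc-7f3a 203.0.113.5 RU Linux
2015-03-02T11:40:00Z doc-7f3a 198.51.100.7 NG Windows
2015-03-03T08:20:00Z doc-7f3a 192.0.2.44 US Android
2015-03-04T09:00:00Z doc-7f3a 198.51.100.7 NG Windows
2015-03-04T13:30:00Z doc-7f3a 203.0.113.5 RU Linux
2015-03-05T15:45:00Z doc-7f3a 192.0.2.99 BR iOS
2015-03-06T12:10:00Z doc-7f3a 203.0.113.5 RU Linux
"""

def parse_hits(text):
    """Parse one callback record per line; blank lines are ignored."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, token, ip, country, device = line.split()
        hits.append(Hit(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), token, ip, country, device))
    return hits

def summarise(hits, repeat_threshold=3):
    """Spread statistics plus the sources that came back at least repeat_threshold times."""
    if not hits:
        return {"views": 0, "countries": 0, "days": 0, "frequent": []}
    first = min(h.when for h in hits)
    last = max(h.when for h in hits)
    by_ip = Counter(h.ip for h in hits)
    country_of = {h.ip: h.country for h in hits}
    frequent = [(ip, n, country_of[ip])
                for ip, n in by_ip.most_common() if n >= repeat_threshold]
    return {"views": len(hits),
            "countries": len({h.country for h in hits}),
            "days": (last - first).days,   # whole days between first and last callback
            "frequent": frequent}
```

In practice the country and device fields come from a GeoIP lookup and the User-Agent of the callback, and the token id is what ties a hit back to the specific decoy that leaked.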
Thriving Black Market of Data
The dark web is as organized as many above-board online marketplaces. And the data sold between faceless criminals is carefully commoditized.
Information sales and trading are highly professional. Dark web customers looking for the spoils of a data breach demand reliable transactions. Some brokers even offer guarantees to win buyer trust. For example, if the buyer of stolen credit card data claims they were unable to make a purchase, the dealer may offer to provide another set of card data for free.
More sophisticated sellers will compile data breach information from a variety of sources. For instance, they may get an email address from one source and credit card data from another. Other information, such as social security number, date of birth and address, could be retrieved from a separate vendor. Finally, combined with stolen medical data, this lets attackers build comprehensive profiles of people for various types of synthetic identity theft.
How Much Does Stolen Data Cost?
If you browse the dark web for stolen data for sale, you might see some prices like this (2021 data according to Privacy Affairs):
Credit Card Data

| Product | Price |
| --- | --- |
| Cloned Mastercard with PIN | $25 |
| Cloned American Express with PIN | $35 |
| Cloned VISA with PIN | $25 |
| Credit card details, account balance up to $1,000 | $150 |
| Credit card details, account balance up to $5,000 | $240 |

Payment processing services

| Product | Price |
| --- | --- |
| Stolen PayPal account details, minimum $100 | $30 |
| Stolen PayPal account details, minimum $1,000 | $120 |

Crypto Accounts

| Product | Price |
| --- | --- |
| Coinbase verified account | $610 |
| USA verified LocalBitcoins account | $350 |

Social Media

| Product | Price |
| --- | --- |
| Facebook account | $65 |
| Instagram account | $45 |
| Twitter account | $35 |
| Gmail account | $80 |
On the dark web, it’s not at all strange to find vendors selling stolen personal data. Some have over 1,000 sales and hundreds of positive reviews. And there are hundreds of vendors involved in this type of activity.
What Attackers Want From a Data Breach
Learning the threat actor’s motivation often reveals where the data ends up.
According to Verizon’s 2020 Data Breach Investigations Report, financially motivated breaches are six to seven times more common than espionage breaches. To make money, threat actors typically ask for a ransom and/or sell the data on the dark web. Much less common motives include mischief, ideology or grudges.
One of the most high-profile grudge attacks was the 2014 Sony breach. It’s believed the attackers used a Server Message Block Worm Tool. Components of the attack included a listening implant, backdoor, proxy tool, destructive hard drive tool and destructive target cleaning tool. The intent was to gain repeated entry, extract information, cause destruction and remove evidence of the attack.
The database security breach included several terabytes of personal information about Sony employees and their families, company emails, executive salary figures, copies of then-unreleased Sony films, plans for future Sony films and movie scripts.
During the attack, the Guardians of Peace gang demanded that Sony withdraw its then-upcoming film “The Interview”, a comedy about a plot to assassinate North Korean leader Kim Jong-un. The group also threatened terrorist attacks at cinemas screening the film. Many U.S. theater chains opted not to screen the movie. Eventually, Sony canceled the film’s mainstream release.
What Happens to Stolen Documents?
The Sony company data breach trove ended up being released online anyway. The documents were mostly hard-drive images converted into common compressed file formats, easily downloadable from file-sharing sites such as BitTorrent. It was all packaged in spreadsheet-like directory trees or run via memory-taxing searches — that is, very hard to digest.
No worries, WikiLeaks tidied it all up in a searchable database. By the way, the video content has been redacted, so you can’t watch Daniel Craig as James Bond in “Spectre” on WikiLeaks.
This is a tough lesson learned for many corporations or anyone that gets breached. Even if you pay the ransom, your data could still end up out there.
What about the cost of a data breach? It’s reported that it cost Sony $35 million for IT repairs, plus $8 million for current and former employees’ identity-theft losses, preventative measures and related legal fees.
More Important Lessons About Ransomware
There’s a common misunderstanding about ransomware. Some believe that it simply involves locking down (encrypting) files. You simply pay the Bitcoin ransom, get the decryption key and you’re back online. Unfortunately, it’s not that easy.
Doxware is a form of crypto-ransomware in which victims are threatened not only with losing access to their files but also with having their private files and data made public through doxing. Even if the attackers say your data is safe, they could be harvesting it to sell later.
Should You Pay Ransomware Ransoms?
If you think like an attacker, the most lucrative scheme is to collect the ransom and sell the booty. In fact, trends show the threat of data exfiltration after paying a ransom (“double extortion”) is becoming more frequent. For this reason, IBM and many other data security firms generally advise not to pay ransomware ransoms.
Even if it’s just vanilla crypto-ransomware (no data theft), there’s no guarantee criminals will provide the decryption code after payment.
If you do pay the ransom and the attacker sends you the decryption key, keep in mind that decrypting files is a manual task. Each one must be decrypted individually, which can be difficult and time-consuming. Even with the decryption key, recovery efforts may be just as complex and strenuous as re-imaging machines. In the end, the cost might be as much as if the ransom had not been paid.
Also, an advisory from the Treasury’s Office of Foreign Assets Control (OFAC) on October 1, 2020, served notice about potential fines for anyone involved in aiding payments to attackers from sanctioned countries, which include Russia, North Korea and Iran.
Evolving Data Breach Threat Landscape & Response
When it comes to data protection, application security and vulnerability assessment, the chief information officer’s posture has evolved. The popular line of thought used to be ‘not if, but when will we get attacked?’ Now, they’re asking what comes next.
You can even boil it down to a cost reduction exercise. Some stats from the IBM Cost of a Data Breach Report 2021 reveal in concrete terms what this means for business (average costs):
- $1.76m – Cost difference in breaches where mature zero trust was deployed versus no zero trust
- $3.81m – Cost difference where security AI and automation was fully deployed versus not deployed
- $2.3m – Cost difference for breaches with high versus low levels of compliance failures.
When it comes to a data breach response plan, end-to-end preparedness is critical. Preventative measures alone aren’t enough. Your ransomware defense should include realistic readiness, response and remediation steps. Even despite the risks and uncertainty, not all is lost. Establish a comprehensive plan and remain vigilant.
Freelance Technology Writer