We’ve grown accustomed to it by now — a few million accounts broken into here, another hundred million there. After a company data breach, what happens to all the data? Where does it go? And how does this impact your vulnerability analysis?

In June 2020, stolen Facebook user data suddenly popped up for sale on an online forum. By April 2021, a massive data set of 500+ million Facebook profiles became free for download. After making some cash, cybercriminals often give away data hauls to boost their egos and popularity.

This breach affected up to 20% of Facebook’s users. The leaked data included user mobile phone number, Facebook ID, name, gender, location, relationship status, occupation/employer, date of birth and email addresses.

That’s a lot of info to be giving away for free. This makes big data security more critical than ever.

Have I Ever Been Involved in a Data Breach?

You can easily check if your email has been exposed. I have an old Yahoo! email, so I checked it on the have I been pwned site. It told me my email has been pwned in data breaches nine times.


It gets worse. In the explanation section about each breach, the first one reads like a horror story. This email has actually been involved in 2,844 Unverified Separate Data Breaches. In February 2018, a huge collection of almost 3,000 alleged data breaches was found online. The compromised data included email addresses and passwords. Yikes.

You can also check Intelligence X for info about personal data breaches. But what about the big data security breaches? What happens to the company data? Let’s follow the breadcrumbs.

Where Does Data From a Company Data Breach Go?

Back in 2015, a fascinating report gave an inside look at where stolen data goes. The researchers created an Excel spreadsheet with 1,568 fake employee credentials. This bait was then posted on anonymous dark web file-sharing sites. Then, the researchers sat back and waited. They didn’t have to wait long.

The researchers began to track the data. They had embedded a hidden watermark in the file, which alerted them whenever someone opened the document. This revealed access information including geolocation, IP address and device type.

In a few days, the data from the fake data breach had reached over five countries and three continents with 200+ views. In less than two weeks it had 1,081 hits and expanded to reach 22 different countries on five different continents. So, stolen information goes everywhere.

Deeper analysis uncovered a high rate of activity amongst two groups of frequent viewers. This suggested two cyber crime syndicates, one working in Nigeria and the other in Russia.

Thriving Black Market of Data

The dark web is as organized as many above-board online marketplaces. And the data sold between faceless criminals is carefully commoditized.

Information sales and trading are highly professional. Dark web customers looking for the spoils of a data breach demand reliable transactions. Some brokers even offer guarantees to win buyer trust. For example, if the buyer of stolen credit card data claims they were unable to make a purchase, the dealer may offer to provide another set of card data for free.

More sophisticated sellers will compile data breach information from a variety of sources. For instance, they may get an email from one source and credit card data from another. Other information, such as social security number, date of birth and address, could be retrieved from a separate vendor. Finally, with stolen medical data, attackers can generate comprehensive profiles about people for various types of synthetic identity theft.

How Much Does Stolen Data Cost?

If you browse the dark web for stolen data for sale, you might see some prices like this (2021 data according to Privacy Affairs):

Credit Card Data

Cloned Mastercard with PIN


Cloned American Express with PIN


Cloned VISA with PIN


Credit card details, account balance up to $1,000


Credit card details, account balance up to $5,000


Scroll to view full table

Payment processing services

Stolen PayPal account details, minimum $100


Stolen PayPal account details, minimum $1,000


Scroll to view full table

Crypto Accounts

Coinbase verified account


USA verified LocalBitcoins account


Scroll to view full table

Social Media

Facebook account


Instagram account


Twitter account


Gmail account


Scroll to view full table

In the dark web, it’s not at all strange to find vendors selling stolen personal data. Some have over 1,000 sales and hundreds of positive reviews. And there are hundreds of vendors involved in this type of activity.

What Attackers Want From a Data Breach

Learning the threat actor’s motivation often reveals where the data ends up.

According to Verizon’s 2020 Data Breach Investigations Report, financially motivated breaches are six to seven times more common than espionage breaches. To make money, threat actors typically ask for a ransom and/or sell the data on the dark web. Much less common motives include mischief, ideology or grudges.

One of the most high-profile grudge attacks was the 2014 Sony breach. It’s believed the attackers used a Server Message Block Worm Tool. Components of the attack included a listening implant, backdoor, proxy tool, destructive hard drive tool and destructive target cleaning tool. The intent was to gain repeated entry, extract information, cause destruction and remove evidence of the attack.

The database security breach included several terabytes of personal information about Sony employees and their families, company emails, executive salary figures, copies of then-unreleased Sony films, plans for future Sony films and movie scripts.

During the attack, the Guardians of Peace gang demanded that Sony withdraw its then-upcoming film “The Interview”, a comedy about a plot to assassinate North Korean leader Kim Jong-un. The group also threatened terrorist attacks at cinemas screening the film. Many U.S. theater chains opted not to screen the movie. Eventually, Sony canceled the film’s mainstream release.

What Happens to Stolen Documents?

The Sony company data breach trove ended up being released online anyway. The documents were mostly hard-drive images converted into common compressed file formats, easily downloadable from file-sharing sites such as BitTorrent. It was all packaged in spreadsheet-like directory trees or run via memory-taxing searches — that is, very hard to digest.

No worries, WikiLeaks tidied it all up in a searchable database. By the way, the video content has been redacted, so you can’t watch Daniel Craig as James Bond in “Spectre” on WikiLeaks.

This is a tough lesson learned for many corporations or anyone that gets breached. Even if you pay the ransom, your data could still end up out there.

What about the cost of a data breach? It’s reported that it cost Sony $35 million for IT repairs, plus $8 million for current and former employees’ identity-theft losses, preventative measures and related legal fees.

More Important Lessons About Ransomware

There’s a common misunderstanding about ransomware. Some believe that it simply involves locking down (encrypting) files. You simply pay the Bitcoin ransom, get the decryption key and you’re back online. Unfortunately, it’s not that easy.

Doxware is a crypto-ransomware where victims are threatened with not only losing access to their files but also having their private files and data made public through doxing. Even if the attackers say your data is safe, they could be harvesting it to sell later.

Should You Pay Ransomware Ransoms?

If you think like an attacker, the most lucrative scheme is to collect the ransom and sell the booty. In fact, trends show the threat of data exfiltration after paying a ransom (“double extortion”) is becoming more frequent. For this reason, IBM and many other data security firms generally advise not to pay ransomware ransoms.

Even if it’s just vanilla crypto-ransomware (no data theft), there’s no guarantee criminals will provide the decryption code after payment.

If you do pay the ransom and the attacker sends you the decryption key, keep in mind that decrypting files is a manual task. Each one must be decrypted individually, which can be difficult and time-consuming. Even with the decryption key, recovery efforts may be just as complex and strenuous as re-imaging machines. In the end, the cost might be as much as if the ransom had not been paid.

Also, an advisory from the Treasury’s Office of Foreign Assets Control (OFAC) on October 1, 2020, served notice about potential fines for anyone involved in aiding payments to attackers from sanctioned countries, which include Russia, North Korea or Iran.

Evolving Data Breach Threat Landscape & Response

When it comes to data protection, application security and vulnerability assessment, the chief information officer’s posture has evolved. The popular line of thought used to be ‘not if, but when will we get attacked?’ Now, they’re asking what comes next.

You can even boil it down to a cost reduction exercise. Some stats from the IBM Cost of a Data Breach Report 2021 reveal in concrete terms what this means for business (average costs):

  • $1.76m – Cost difference in breaches where mature zero trust was deployed versus no zero trust
  • $3.81m – Cost difference where security AI and automation was fully deployed versus not deployed
  • $2.3m – Cost difference for breaches with high versus low levels of compliance failures.

When it comes to a data breach response plan, end-to-end preparedness is critical. Preventative measures alone aren’t enough. Your ransomware defense should include realistic readiness, response and remediation steps. Even despite the risks and uncertainty, not all is lost. Establish a comprehensive plan and remain vigilant.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today