August 26, 2015 By Michelle Alvarez 4 min read

Put your imagination caps on folks, it’s scenario-imagining time. What if someone were to break into your home, steal your belongings and leave them somewhere with a sign in front stating “Stolen Goods”? Someone else walks by, sees the stuff and takes it all despite the Stolen Goods warning. No blurred lines here — clearly the second Mr. or Mrs. Sticky Fingers broke the law. At least in the U.S., the receipt of stolen property may be a federal offense.

Ashley Madison: A Real-World Data Problem

You can take your caps off now and we’ll take a look at a real-world scenario. Hmm, what about the massive data breach affecting the controversial dating site Ashley Madison? Let’s break this complex scenario down:

  1. Malicious individuals leaked more than 10 GB of stolen Ashley Madison data onto the Internet. Ashley Madison is a Canadian-based company. Hacking is an illegal act in Canada.
  2. Many “researchers” around the globe rushed out to it in droves in order to download, review and analyze the stolen data dump. Is this a legal or illegal act in their given country?

All of a sudden I need glasses because the legal implications got real blurry once we jumped from physical robbery to cyber theft. Does it have to be blurry, though? From my hypothetical scenario above, substitute “download” with “receipt of” and “stolen goods” with “stolen data.” Now things are much more interesting.

Are there any legal ramifications for those that research stolen data and the companies they may work for? If not, should there be?

Treading on Thin Ice

As we shift our discussion from physical to digital theft, ambiguities in the law arise. The uncertainty surrounding the legality of researching data dumps places security professionals and the companies they work for in a precarious spot. One could argue that responsible research and information sharing should be conducted on exposed data; the bad guys have access, so should the good guys. In a utopia, the federal authorities would perform the research and share findings with the private sector, but that’s unfortunately not always the way these cases unfold.

What constitutes as responsible research anyway? In the Stolen Goods scenario, if an independent investigator stopped by that same stolen property, dusted it for fingerprints and then sent the information to law enforcement, would that be illegal? Similarly, if researchers are solely using stolen data for analysis and responsible information sharing purposes, should it be considered within their legal rights to do so? If yes, how is this regulated? Should it really be a free-for-all? After all, this is personally identifiable information (PII) and should be handled with significant care.

Other Gray Research Activities

It’s important for the InfoSec community to have conversations around what researchers can and can’t do. For instance, a lot of research is conducted in the Dark Web to understand what types of attacks are emanating from this world of anonymous networks. Visiting the Dark Web may be permitted, but conducting transactions for research could result in investigation from law enforcement.

In another example, hanging out in the AnonOps (Anonymous Operations) chat room may be permissible, but conspiring to conduct a cyberattack to obtain details for a research project could lead to unwanted consequences.

Data Dump Best Practices

A word of caution to amateur researchers: Not all data dumps posted online are genuine or legitimate. Some data dumps may only contain partially correct information (i.e., the name or email is made up), resulting in inaccurate conclusions drawn. Reporting on information that is purportedly associated with a particular organization without fact-checking is irresponsible and contributes to information rumoring instead of sharing.

This probably aids attackers, because while we’re too busy pouring over nonsense, they’re using their time wisely to plan their next attack. There have also been cases where faux data dumps actually contained malware — another reason that analysis of these data dumps is best left to professionals assigned to the case.

If you or your organization are not part of the investigation team hired by the compromised company and aren’t with a government agency, then best practice would be to not partake in researching stolen data. Legalities surrounding this action are blurry at best, and security researchers and companies should be cautious when engaging in research activities that could be considered illegal.

Data + More Data = More Attacks

In terms of future exploitation, the victims of data breach dumps potentially have a long battle ahead of them. Identity theft is a concern, as are spear phishing attacks. The fallout from these data dumps affects not only the individual but also provides fodder for more sophisticated attacks against enterprises. Data from one dump could be used in conjunction with information scoured from others or data purchased on the Dark Web.

Now would be a good time to remind employees about spear phishing campaigns. Although always a potential issue for corporations, this type of threat is exacerbated following a data dump incident. Why? The attacker has all the information needed to construct the perfect spear phishing message and know where to send it. No need to mine social media sites such as LinkedIn or Facebook. It’s all right there!

Spear phishing campaigns are also tried-and-true attack tools for delivering ransomware and were the initial attack step in the Dyre Wolf campaign. These messages can contain a weaponized document that exploits application vulnerabilities or a link to a phishing website.

Similarly, drive-by downloads result in malware infection and allow attackers to activate keylogging functionality to capture the users’ login credentials. Compromised credentials allow the attacker to gain fraudulent access to the corporate network and resources. Ensure your security program provides capabilities on three fronts: zero-day exploitation prevention, data exfiltration and credentials protection.

There is no question that information sharing among researchers and public and private entities is needed to effectively respond to cyberthreats. However, organizations should be cautious of the methods used to derive this information to avoid falling within what may be considered a gray area.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today