Put your imagination caps on folks, it’s scenario-imagining time. What if someone were to break into your home, steal your belongings and leave them somewhere with a sign in front stating “Stolen Goods”? Someone else walks by, sees the stuff and takes it all despite the Stolen Goods warning. No blurred lines here — clearly the second Mr. or Mrs. Sticky Fingers broke the law. At least in the U.S., the receipt of stolen property may be a federal offense.

Ashley Madison: A Real-World Data Problem

You can take your caps off now and we’ll take a look at a real-world scenario. Hmm, what about the massive data breach affecting the controversial dating site Ashley Madison? Let’s break this complex scenario down:

  1. Malicious individuals leaked more than 10 GB of stolen Ashley Madison data onto the Internet. Ashley Madison is a Canada-based company. Hacking is an illegal act in Canada.
  2. Many “researchers” around the globe rushed out to it in droves in order to download, review and analyze the stolen data dump. Is this a legal or illegal act in their given country?

All of a sudden I need glasses because the legal implications got real blurry once we jumped from physical robbery to cyber theft. Does it have to be blurry, though? From my hypothetical scenario above, substitute “download” with “receipt of” and “stolen goods” with “stolen data.” Now things are much more interesting.

Are there any legal ramifications for those that research stolen data and the companies they may work for? If not, should there be?

Treading on Thin Ice

As we shift our discussion from physical to digital theft, ambiguities in the law arise. The uncertainty surrounding the legality of researching data dumps places security professionals and the companies they work for in a precarious spot. One could argue that responsible research and information sharing should be conducted on exposed data; the bad guys have access, so should the good guys. In a utopia, the federal authorities would perform the research and share findings with the private sector, but that’s unfortunately not always the way these cases unfold.

What constitutes responsible research anyway? In the Stolen Goods scenario, if an independent investigator stopped by that same stolen property, dusted it for fingerprints and then sent the information to law enforcement, would that be illegal? Similarly, if researchers are solely using stolen data for analysis and responsible information sharing purposes, should it be considered within their legal rights to do so? If yes, how is this regulated? Should it really be a free-for-all? After all, this is personally identifiable information (PII) and should be handled with significant care.

Other Gray Research Activities

It’s important for the InfoSec community to have conversations around what researchers can and can’t do. For instance, a lot of research is conducted in the Dark Web to understand what types of attacks are emanating from this world of anonymous networks. Visiting the Dark Web may be permitted, but conducting transactions for research could result in investigation from law enforcement.

In another example, hanging out in the AnonOps (Anonymous Operations) chat room may be permissible, but conspiring to conduct a cyberattack to obtain details for a research project could lead to unwanted consequences.

Data Dump Best Practices

A word of caution to amateur researchers: Not all data dumps posted online are genuine or legitimate. Some data dumps may contain only partially correct information (e.g., the name or email address is made up), leading to inaccurate conclusions. Reporting on information that is purportedly associated with a particular organization without fact-checking is irresponsible and contributes to information rumoring instead of sharing.

This probably aids attackers, because while we’re too busy poring over nonsense, they’re using their time wisely to plan their next attack. There have also been cases where faux data dumps actually contained malware — another reason that analysis of these data dumps is best left to professionals assigned to the case.
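The fact-checking point above is worth making concrete. The following is an added example, not code from the original post or from any investigation team: a small triage routine that an incident-response team assigned to a case might run over a sample of records before drawing any conclusions about a purported dump. It flags the cheap signs of fabricated or padded data the article mentions (made-up email addresses, placeholder names, exact duplicate rows) and returns a summary with a rough verdict. The record layout, the placeholder-name list and the 30 percent threshold are assumptions chosen for illustration, and the sample records are constructed, not taken from any real breach.

```python
import re
from collections import Counter

# Constructed sample records for illustration only; not from any real dump.
SAMPLE_DUMP = [
    {"name": "Jane Doe", "email": "jane.doe@example.com"},
    {"name": "John Smith", "email": "john.smith@example.org"},
    {"name": "Test User", "email": "test@test"},                 # malformed address
    {"name": "John Smith", "email": "john.smith@example.org"},   # exact duplicate
    {"name": "asdfgh", "email": "qwerty@example.net"},           # keyboard-mash name
    {"name": "Jane Doe", "email": "jane.doe@example.com"},       # exact duplicate
]

# Loose syntactic check: something@something.tld, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumed list of names that commonly appear in synthetic or padded data.
PLACEHOLDER_NAMES = {"test user", "asdfgh", "qwerty", "lorem ipsum"}


def record_issues(record, seen):
    """Return the list of quality issues found in one record.

    `seen` is the set of (name, email) pairs already encountered; it is
    updated here so the caller can detect exact duplicates in order.
    """
    name = record.get("name", "").strip().lower()
    email = record.get("email", "").strip().lower()
    issues = []

    if not EMAIL_RE.match(email):
        issues.append("malformed_email")

    key = (name, email)
    if key in seen:
        issues.append("duplicate")
    seen.add(key)

    # Placeholder names: either a known filler string or a "name" made of
    # fewer than three distinct characters (e.g. "aaa", "xx xx").
    if name in PLACEHOLDER_NAMES or len(set(name.replace(" ", ""))) < 3:
        issues.append("placeholder_name")

    return issues


def triage_records(records, threshold=0.3):
    """Summarise data-quality issues across a sample of dump records.

    The verdict is "suspect" when at least `threshold` of the records carry
    some issue; this is a screening heuristic, not proof of fabrication.
    """
    seen = set()
    issue_counts = Counter()
    flagged = 0

    for record in records:
        issues = record_issues(record, seen)
        if issues:
            flagged += 1
        issue_counts.update(issues)

    total = len(records)
    ratio = flagged / total if total else 0.0
    return {
        "total": total,
        "flagged": flagged,
        "flagged_ratio": round(ratio, 2),
        "issues": dict(issue_counts),
        "verdict": "suspect" if ratio >= threshold else "plausible",
    }


if __name__ == "__main__":
    summary = triage_records(SAMPLE_DUMP)
    print(summary)
    # On the constructed sample: 4 of 6 records flagged -> verdict "suspect"
```

A high flagged ratio does not prove a dump is fake, and a low one does not prove it is real; the routine only tells the team whether the sample is clean enough to be worth the much more expensive step of verifying individual records against the compromised organization's own data.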

If you or your organization are not part of the investigation team hired by the compromised company and aren’t with a government agency, then best practice would be to not partake in researching stolen data. Legalities surrounding this action are blurry at best, and security researchers and companies should be cautious when engaging in research activities that could be considered illegal.

Data + More Data = More Attacks

In terms of future exploitation, the victims of data breach dumps potentially have a long battle ahead of them. Identity theft is a concern, as are spear phishing attacks. The fallout from these data dumps affects not only the individual but also provides fodder for more sophisticated attacks against enterprises. Data from one dump could be used in conjunction with information scoured from others or data purchased on the Dark Web.

Now would be a good time to remind employees about spear phishing campaigns. Although always a potential issue for corporations, this type of threat is exacerbated following a data dump incident. Why? The attacker has all the information needed to construct the perfect spear phishing message and know where to send it. No need to mine social media sites such as LinkedIn or Facebook. It’s all right there!

Spear phishing campaigns are also tried-and-true attack tools for delivering ransomware and were the initial attack step in the Dyre Wolf campaign. These messages can contain a weaponized document that exploits application vulnerabilities or a link to a phishing website.

Similarly, drive-by downloads result in malware infection and allow attackers to activate keylogging functionality to capture users’ login credentials. Compromised credentials allow the attacker to gain fraudulent access to the corporate network and resources. Ensure your security program provides capabilities on three fronts: zero-day exploit prevention, data exfiltration prevention and credential protection.

There is no question that information sharing among researchers and public and private entities is needed to effectively respond to cyberthreats. However, organizations should be cautious of the methods used to derive this information to avoid falling within what may be considered a gray area.
