What happens after a data breach?
Discovery of a data breach is only the tip of the iceberg. Even as companies complete their initial incident response and begin their recovery, trying to minimise the leak and reduce the damage, the chances are that the stolen data has already been passed onto the next stage of its journey. One of these stages are data breach brokers who might sell that data on the dark web.
As 2020 drew to a close, that is exactly what happened. Data breach brokers began to sell 368.8 million stolen user records from 26 companies on a hacker forum. What is interesting is that eight of the companies whose data is being sold had not disclosed a data breach to the authorities, and in some cases were not even aware that they had been breached.
Data breach brokers – the shady middle men
Just like in the physical world, where people may sell their possessions to a broker who in turn will sell it at the second hand market, getting them the best possible price, data breach brokers help cyber criminals sell their stolen data. Data breach brokers will market and sell the stolen data for them, allowing them to profit from their hacking exploits but remain under the radar at the same time.
Data breach brokers market and sell stolen data records on the dark web to hacker groups or other forms of criminals, who will then use the data for their own purposes, including hacking into accounts, identity theft, or fraud. The price each stolen database will receive depends on the information contained within them. In this case, databases are being priced at between $1,800 to $4,000. Each database can be sold multiple times, bringing in a tidy profit for both the hackers and the brokers.
It should be noted that these data breach brokers are not the majority of data brokers who operate in legitimate areas such as Equifax, Experian, and Oracle. These brokers operate within the privacy laws of the countries they work in, and sell anonymised data that may be useful for other organisations to use in their marketing, advertising, or other targeting activities.
What happens to the companies who are hacked?
The information data breach brokers post on the dark web is usually accurate – meaning that the records will contain the information that the data breach brokers claim is in them. For eight companies on the list published last month, this seems to be unwelcome news.
The recent SolarWinds attack in the United States demonstrated that not all breaches are detected quickly. The average dwell time for undetected breaches is upwards of six months, before they are discovered or they decide the time is right to attack. Many hackers are extremely good at covering their tracks. Other hackers get lucky, or are able to discover organisations with weaker perimeter security, which means they can get in and out of systems without discovery.
These eight companies now face the hard work of completing their incident response programme after their breach was discovered by a third party. They will need to understand where the breach occurred, identify what data was stolen, and figure out the overall damage in terms of both money and reputation.
Keep your data out of the hands of data breach brokers: Data protection tips
No matter how careful you are, data breaches happen. They are a real risk for organisations of all sizes and in all industries. Every organisation needs to take steps to protect their data at all times. These steps can include:
1. Ensure that network security defences are configured correctly, and set up to notify you when there is an attempt to breach them.
2. Monitor your networks continually, collecting incident logs in a secure, centralised location. Ensure that these logs are kept safe and can’t be altered.
3. Create an update schedule that ensures that all systems, software, and applications are kept up to date, and that crucial security patches are applied in a timely manner. Automate updates that are safe, and test updates that could potentially harm systems.
4. Conduct threat modelling exercises to examine the resilience of your systems and infrastructure, and make sure that you are aware of, and on top of, the specific threats to the confidentiality, integrity, and availability of your data, and have effective controls in place.
5. Apply multi factor authentication for employees and users to strengthen passwords and make sure that they don’t inadvertently create a breach.
6. Implement a data backup and recovery policy, that includes checking that it is possible to recover properly from the backups created, and keep it up to date to minimise damage and interruptions should a breach occur.
7. Encrypt databases to ensure that even when stolen they are of limited value to a hacker.
8. Get your employees involved by training them in their cybersecurity responsibilities, from safe development, to avoiding falling for phishing attacks.