So, your data’s been put up for sale by hackers. Here’s what you should (and shouldn’t) do

Stolen data listings are an opportunity to investigate a breach further—or make a bad situation worse.

If you’re in the business of selling stolen data, one thing is certain: Business is booming. The estimated haul across 30 darknet markets reached over $140 million in the eight-month period between September 2020 and April 2021, according to a recent study by academic media outlet The Conversation. What’s less clear is what, if anything, an organization that finds their data bundled for sale on a darknet forum can do about it.

Unfortunately, in many cases, the answer is not much. Paying to have data taken off the market is certainly an option, but could also make the situation worse.

So, your data’s been listed. Alex Boyd, a shareholder at law firm Polsinelli’s technology transactions and data privacy practice, told IT Brew that step one is investigative—finding out where the data came from, if it’s real, and if it’s the product of an ongoing breach.

“You want to make sure, first and foremost, [the data] didn’t come from you [and] you don’t have an active threat or compromise,” Boyd said. “You should assume that it’s probably [in] lots of places already, lots of organizations already have it.”

If the breach appears legit, according to Boyd, organizations should notify police and start considering how to notify affected parties.

Nice data you got there…shame if someone were to leak it. Boyd said that next comes determining whether to reach out to the threat actor in question, either directly or via a cybersecurity vendor. There are inherent risks to doing so—often the listing will mention that the data will be deleted after sale and transfer, and its real purpose is attracting attention and extortion payments from the original victim. But potential benefits to reaching out include being able to ask for proof the stolen data is real or for the threat actor to take down the data temporarily.

“We always caution in situations where you’re paying someone just for the promise to delete the information, that promise is not worth a whole lot in many cases because you have to presume that that information is all over the place,” Boyd told IT Brew. “Legally, it’s very unlikely that’s going to change your legal position; you’re probably gonna have to notify individuals and regulators anyway.”


Factors that might go into an organization’s decision include how dangerous the data would be to employees or customers in the wild, or if obtaining it would be useful to the breach investigation, Boyd said. (There’s also the risk of breaking the law if the attacker is a US government-sanctioned entity.)

What not to do. Threatening attackers with legal action is risky. In 2016, LinkedIn slapped data breach reseller LeakedSource with a cease and desist order, which actually appears to have worked. In a more recent case involving one of Mexico’s biggest banks, legal notices dispatched to the admin of a cybercrime forum were returned with threats.

Boyd said it’s unlikely that legal letters will result in action, unless it’s to a third party, like a hosting provider or cybercrime hub operator known to be responsive to such warnings. Further, angering an attacker is a bad idea and can lead to them deciding not to move on to fresher targets, Boyd said.

“Sometimes you want to let sleeping dogs lie,” Boyd warned. “These can be very emotional situations for individuals and companies involved in it. And it’s very natural to be angry at them for doing this. Responding to them with an email or something like that, you’re not going to do yourself much good at all.”—TM
