Should Companies Try to “Buy Back” Their Stolen Data?

Writer Li B.
September 24, 2018

Li is an Analyst at Terbium Labs. When she is not lurking on the dark web and putting everything into spreadsheets, she can be found cooking and baking, monkey wrangling, or taking naps.

Data is always at risk. In 2018 alone, industry giants such as Macy’s, British Airways, and Panera are only a few of the many that have fallen prey to a breach. Once a data breach occurs, a mad dash to figure out what went wrong soon follows: determine where the vulnerabilities are, where the stolen data is going, and what actions to take next. Businesses need to maintain vigilance about protecting their data and not become complacent just because a single breach has not directly impacted them.

Breaches have become a weekly occurrence, and cybercriminals on the dark web thrive as a result. Vendors sell stolen data ranging from customer or employee personal information to proprietary company data to payment cards. In an attempt to address this issue, companies will sometimes look for and attempt to buy back their own data, or pay a third party to do so. Initially, this approach may seem like the best way to protect sensitive data because it is removed from dark web markets. In the process, however, companies are giving fraudsters exactly what they are after: money and market validation. Companies that buy back their own data fill the coffers of fraudsters and inadvertently bolster the cybercriminal economy by adding to the demand for stolen data. While this practice may seem harmless, the profits could fund other criminal and even terrorist activity.

A seller of stolen data gets paid regardless of whether the buyer is another criminal, the original data owner, or a third party. There is also nothing guaranteeing that hackers won’t still sell this stolen data even after a company buys it back. In the case of the Uber breach, the company went to great lengths to buy back its data, find the hackers, and attempt to get them to sign a nondisclosure agreement. Data, as a digital good, is a commodity on the dark web that can be sold multiple times. In many cases, personal data such as email addresses, physical addresses, dates of birth, and Social Security numbers are sold multiple times because they are unlikely to change. Since that data can be repeatedly exploited, buying it back is effectively futile.

Simply because a company is buying back its own stolen data does not mean that the purchase is legal or ethical. The challenge is knowing when stolen data comes directly from a company’s own breach versus from a third party. Vendors on the dark web rarely advertise the source of the data they are selling, making it almost impossible to pinpoint a specific breach or origin for the stolen data, and therefore impossible to know who the data belonged to in the first place. Terbium Labs treats any sensitive data detected on the dark web as stolen; rather than purchasing it in an attempt to “remove” it from the economy, Terbium helps its customers understand their exposure and relies on rapid detection to mitigate risk.

With the constant stream of data breaches, fatigue and complacency are natural consequences for companies and consumers, especially if a particular breach doesn’t directly result in an incident or direct legal consequence for the individual or company. Since personal data can be exploited in numerous ways (e.g., account takeover or phishing attacks), the security of an organization can depend on the protection of personal accounts; it only takes one employee falling victim to a phishing attack to open up an entire company to a potential breach.

Criminals are constantly coming up with new ways to exploit data, and companies would be wise to take proactive measures so that they can detect immediately when their data is at risk rather than leaving it exposed. Reactive measures, such as buying back stolen data, do not protect against third-party breaches, may not be effective, and can actually be detrimental in the long run.

Buying back stolen data is a practice that contributes to demand for stolen data, does not protect data from being sold again, and is ethically and even legally problematic. With so much stolen and leaked data in circulation, a company may struggle to understand its exposure. Terbium Labs works with customers to proactively monitor for sensitive data and to establish a baseline of sensitive data exposure, which allows the organization to determine when something unusual happens and, at times, detect a breach in a timely way rather than leaving data exposed for longer. As sensitive data remains at risk, organizations can more effectively deploy resources like Matchlight to assess and manage it.
