What happens to data after a breach?
Bitglass undertook an experiment geared towards understanding what happens to sensitive data once it has been stolen. In the experiment, stolen data traveled the globe, landing in five different continents and 22 countries within two weeks.
Overall, the data was viewed more than 1,000 times and downloaded 47 times; some activity had connections to crime syndicates in Nigeria and Russia.
Threat researcher programmatically synthesized 1,568 fake names, social security numbers, credit card numbers, addresses and phone numbers that were saved in an Excel spreadsheet. The spreadsheet was then transmitted through the Bitglass proxy, which automatically watermarked the file.
Each time the file is opened, the persistent watermark, which survives copy, paste and other file manipulations, “calls home” to record view information such as IP address, geographic location and device type. Finally, the spreadsheet was posted anonymously to cyber-crime marketplaces on the Dark Web.
The experiment offers insight into how stolen records from data breaches are shared, bought and then sold on the black market. During the experiment, crime syndicates in Nigeria and Russia emerged via clusters of closely-related activity. Traffic patterns indicate the fake data was shared among members of the syndicates to vet its validity and subsequently shared elsewhere on the Dark Web, beyond the original drop sites.
In 2014, 783 data breaches were reported, which represents a 27.5 percent spike over the previous year. Data breaches continue to spike in 2015 – as of March 20, 174 breaches, affecting nearly 100 million customer records were reported. While many are suffering from data-breach fatigue, this experiment sheds light on how cybercriminals interact with pilfered data and thus helps enterprises understand why visibility is critical when it comes to limiting the damage of breaches.
The falsified data was placed on Dropbox as well as on seven Dark Web sites believed to be frequented by cybercriminals. The result of the experiment found that within 12 days the data was:
- Accessed from five continents – North America, Asia, Europe, Africa and South America
- Accessed from 22 countries – United States, Brazil, Belgium, Nigeria, Hong Kong, Spain, Germany, the United Kingdom, France, Sweden, Finland, the Maldives, New Zealand, Canada, Norway, the Russian Federation, the Netherlands, the Czech Republic, Denmark, Italy, Turkey
- Accessed most often from Nigeria, Russia and Brazil
- Viewed 1,081 times, with 47 unique downloads.