How Do Companies Know If They’re Using Stolen Data?

The total cost of cybercrime for the global community is $500 billion and climbing, whereas a data breach can cost a single company on average about $3.8 million. We don’t need to tell you that’s a lot of money in lost profits.

Perhaps more alarming is the fact that ransomware attacks increased by 36 percent in 2017.

Ransomware, if you don’t already know, is a particularly nasty form of malware that will seize control of a system and its data, purporting to provide access only after a small fortune is paid.

Unfortunately, access is rarely given back after a paid ransom. The unscrupulous parties usually make off with the compromised data anyway and sell it on the black market — the dark web — for an additional profit.

That brings up a very alarming revelation: all stolen data is eventually sold to someone.

It’s entirely possible that a legitimate company could get its hands on stolen data or purchase stolen data on a third-party marketplace without even meaning to. It’s a frightening prospect, but one that is cemented in reality.

How can you be sure you’re not using, purchasing or acquiring stolen data from one of your sources?

1. Do the Research

Unfortunately, we live in a digital landscape, which means an endless stream of data is coming and going to nearly every individual, every organization and every system offline or online.

This makes it extremely difficult to pinpoint sets of data that may or may not be stolen, especially when they’re bundled with additional content. When you buy data from a marketplace, after all, you usually buy in bulk.

The best and only way to know for sure whether or not the data you’re dealing with is stolen is to do the research. There are tools and services that can help you reference this sort of thing.

Hold Security, for example, offers a Deep Web monitoring service that can also be used to check for stolen data. Of course, there are a variety of other tools at your disposal, as well.

2. If You Must Buy, Buy From Legitimate Sources Only

Similar to cheap goods and services you see online, a potentially lucrative set of data may look enticing, but you should only go through with the purchase if you can verify the integrity of the source and the seller.

Do not use the Dark Web and similar platforms to purchase rare or highly-sought-after data. It’s not just a bad idea — it’s incredibly dangerous.

That doesn’t mean you have to go with all the major providers, because there are plenty of obscure and lesser-known data marketplaces out there. Just be sure the channel you choose is trustworthy and legitimate.

Finally — and it goes without saying — don’t buy data stores that are missing attribution or source information.

3. Manage, Maintain and React

If and when you do accidentally acquire stolen data, it may come to light after you’ve already done the initial research. Believe it or not, data breaches and attacks often go unreported by organizations for some time.

That’s why it’s important to stay on top of the data you have and continuously check and verify the integrity of what you will be using.

Make sure you incorporate it as part of your data management process so this doesn’t hinder performance or productivity. If it’s a regular part of your routine, you’re less likely to take the hit for using stolen data, at least for an extended period of time.

You can identify compromised data quickly and take action sooner, which is better for everyone.

A great example of data maintenance is taking a cold call list and comparing it to known databases like the National Do-Not-Call Registry. If you do this regularly, you should be able to pinpoint compromised data fairly early. This allows you to verify that the list is trustworthy and decide whether or not you should avoid that seller in the future.

4. Stick to Your Own Content

Yes — sometimes it is absolutely necessary to acquire external or third-party data. This may or may not be because you don’t have access to the same clientele, systems or analytics tools.

Whatever the case, the point is not to cut down on the use of third-party services completely. Instead, the goal is to migrate toward using your own content and your own sources as much as humanly possible.

If you have the resources and time to collect the necessary data on your own, why not do that instead of acquiring someone else’s unverifiable content?

The short and easy way is alluring, but it isn’t necessarily the best or most secure route. Keep that in mind when dealing with alternate data sources and third-party content going forward.

The Only Defense Is a Smart Process

Data breaches happen, stolen data is passed around more often than anyone would like to admit, and the likelihood of acquiring compromised data from an external source is real.

The best way to handle problems like this is not to sweep them under the rug. Instead, be present, be vigilant and, most importantly, be smart.

Before deploying a new set of data, do the research. Afterwards, continue to maintain and verify the authenticity. Never purchase from an illegitimate source or party you cannot trust.

Finally, even just for the sake of your own data, be sure to scour the Dark Web every so often for signs of stolen content.

As long as you incorporate these methods as part of your regular data management and security process, you should be just fine.

Image by Markus Spiske