In the course of routine monitoring, you may find proprietary company information on the dark web. So should you try to buy it back? The short answer is that in most cases, the legal and reputational risks outweigh the benefits of buying information. Here’s a closer look at eight of those risks.
One day I received a call from Sarah*, the in-house counsel of a large financial institution. “Our [information security] team did a routine search and found a list of our employee passwords being sold on the dark web,” she told me. “The business people want to buy it back. What should we do? Should we buy it ourselves? Are there any drawbacks?”
I get calls like this all the time, and the short answer is that in most cases, the legal and reputational risks outweigh the benefits of buying information. Cybercriminals often use the dark web – a hotbed of criminal and illegal activity – to sell data from companies they have gained unauthorized access to through credential stuffing attacks, phishing attacks, hacking, or even leaks from a company insider.
Legal and reputational risks include:
This raises the price of your company’s data and puts a target on your back.
If you buy your company’s data, not only can the data itself become more expensive – you also risk gaining a reputation as a company that will pay, making you a more desirable target for future cyber extortion and ransomware attacks.
Even if cybercriminals don’t know that your company is the buyer, they can still notice that the data is being sold. If they find out that your company is the buyer, they may announce it to their own teams, putting your company at further reputational risk.
You don’t know what you’re getting with that data.
Buying data from the dark web is really dangerous, because you often buy it from unreliable characters – either threat actors or someone who buys it illegally from hackers. The data may have malicious code in it and/or contain a Trojan horse that could potentially give cybercriminals unauthorized access to company systems.
The data may contain confidential or proprietary information from other companies.
Vendors may offer your company data in combination with data from other sources, including your competitors or business partners. You won’t know it until it’s too late. The owners of that data may claim that your company violated confidentiality agreements or other laws (misappropriation of trade secrets or worse, receipt of stolen property).
Your purchase may trigger notification obligations and increase regulatory risk.
Purchasing data can provide you with evidence that your data has been exfiltrated, triggering reporting requirements to consumers and regulators and opening you to the risk of litigation and enforcement actions. At best, you are put in the difficult position of determining whether regulatory notices are triggered, or taking the chance that a regulator will later decide that it should have been notified.
Your purchase could even violate US sanctions.
Because it is difficult to ascertain the identity of the seller, purchasing the data may open your company to liability for violating Treasury Department rules if the threat actors are affiliated with sanctioned countries. The US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) brings enforcement actions against businesses that make payments to threat actors when those payments constitute violations of US sanctions.
Even if you use a third party to make the purchase, your company may still have exposure.
A third-party service has access to your company’s customer, vendor, and employee data, putting that data at increased risk. And you may still bear liability for the payment.
You can be sued by individuals whose data was exposed.
You may be legally obligated to notify individuals that you have found their data on the dark web. These individuals may accuse your company of improperly safeguarding their data, perhaps unfairly assuming that the data was exposed through a breach of the company’s systems or as a result of the company’s fault. This can lead to loss of business and possible lawsuits.
The information will still be live on the dark web.
Since you are dealing with cybercriminals or their associates, there is no guarantee that the purchase will result in the data being fully contained. The seller may not own or control all copies of your stolen data and therefore cannot prevent further sale or distribution. Or they may simply continue to sell your data to others themselves.
Buying data unrelated to your company’s business from the dark web is not advisable for many of the same reasons mentioned above. Your company will expose itself to the risk of receiving stolen information or even trade secrets of competitors, creating legal and reputational risk. There is no scenario where this can be good.
We understand that there may be certain circumstances where your company would still consider purchasing information from the dark web. These purchases should be rare and made with great care. In these circumstances, an OFAC analysis should also be performed to reduce the risk that you are purchasing data from a sanctioned country or individual.