Is It Ethical To Buy Breached Data?

Research that’s done on malicious breaches of data presents a unique conundrum for the security professionals who are doing the investigating: should access to sets of breached raw data become available to public users and, if so, how?

In light of the pandemic, the acceleration toward location-distributed work has the potential to raise similar questions about the cybersecurity posture of companies and the ethics behind commercial sources of stolen data that inadvertently become available after breaches. In this day and age when nearly 70% of consumers outright distrust companies who claim to ethically sell personal data, these questions are more important to answer than ever before.

AWS Builder Community Hub

To answer the questions raised about subscriptions and access to raw data from breaches, we need to first discuss how companies should respond to leaked data to improve profitability and competitiveness, and discuss the ethical and legal concerns surrounding those who purchase leaked data. Let’s take a quick look at how users acquire leaked data and then explore the ethics behind purchasing breached data.

Consider Purchase Intent

There’s often a fine (and not well-defined) line that security practitioners need to toe when cleaning up a mess after a data breach incident. In no scenario is this fine line better exemplified than in the takedown of breached data search service WeLeakInfo in January 2020. The incident gained attention after it was confirmed that WeLeakInfo had sold breached data to security companies as well as to groups of individual users.

Security firms’ use of services like WeLeakInfo suggests that the threat intelligence community is searching for lower-cost access to breached data that may only be available via a gray market. In this case, the intent behind the purchase can arguably influence the legality and ethical integrity behind the purchase of breached data. It appears that, similar to malicious hackers, security practitioners and data vendors can monetize data in gray markets for their benefit.

For many businesses who need to maintain a cybersecurity posture of their own and, at the same time, sell sets of breached or compromised data, vulnerability management software may be the right solution. According to cybersecurity expert Barbara Ericson of Cloud Defense, “Some of the best vulnerability management solutions will integrate additional security tools and functions. This can be cost-effective for your organization and improve ease of use for your IT security team.” The biggest functions and features that security practitioners should look for include intrusion and threat detection with response functionality, as well as data classification for any gathered vulnerability data.

Avoid the Dark Web

Location-distributed remote work has undoubtedly weakened the cybersecurity posture of certain companies. Skeptical about that statement? You’ll find plenty of proof on dark web marketplaces that host trades with illegally obtained corporate network logins and whose legal access to data sets for sale is dubious, at best.

The purchase of breached data unquestionably wades into questionable ethical territory when it occurs via the dark web. That’s because transactions of breached data sets on the dark web are often possible because of hackers who use Transport Layer Security (TLS) certificates that are fake, stolen or compromised to get around TLS encryption protocols. This makes it impossible for the information exchanged between security practitioners who want to purchase data and their customers to remain private and prevent access by other malicious parties.

If an individual or business finds themselves in possession of data that is confirmed to have been purchased from the dark web, there are methods available to mitigate or eliminate subsequent risks to security posture. Most notable are options that fall somewhere between antivirus and anti-malware; the first of which can stop online viral infections from happening and remove infected files while the second handles threats such as trojans, viruses and worms. Both of these software solutions are crucial if you suspect that the data you may have accidentally received from a dark web source poses a threat to your cybersecurity posture.

Determine the Vendor’s Preferred Market

The security breach and subsequent data leaks from the 2020 WeLeakInfo incident revealed that the online vendor appealed to two distinct markets. Prior to its takedown, WeLeakInfo collated and normalized breached data in convenient formats for both legitimate security practitioners and pen testers as well as nefarious threat actors interested in executing cybercrime.

Although both markets found something of value in WeLeakInfo’s offerings, it became clear that WeLeakInfo favored the criminal market, in light of the fact that it was found to have 24,000 records for sale that included identifiable information about other hackers.

Of course, it’s not always simple to determine a vendor’s preferred market. In the case of WeLeakInfo, data dumps available on the site were public and offered a shorter path to acquisition for security professionals, pen testers and practitioners compared to other avenues they could have used to acquire such data.

Anybody, in theory, could have accessed WeLeakInfo’s data dumps via advertisements hosted on hacker forums and unsecured public sites. The best way to vet legitimate from questionable sources of breached data that you find online can be through passive security measures that respond to potential threats on public networks.

Often, even those who would purchase breached data sets must do so via a public network, and this requires taking extra precautions to access these data sets. Unfortunately, it’s well-known that public WiFi networks can pose a serious risk to your online privacy. And we’re not just talking about advertisers tracking you; there is also individual and sensitive business information to worry about. So, what should you avoid if you have to connect to public WiFi to access the breached data sets?

Always avoid unsecured websites that don’t use a Secure Socket Layer (SSL).It’s also a good idea to enable the most up-to-date version of the firewall of your choice, as well as to turn off file sharing and Airdrop features whenever possible.

The ethical and legal concerns that surround services such as WeLeakInfo are almost guaranteed to remain relevant in a remote and location-distributed business landscape. The value of data access in a post-COVID-19 world is greater than ever, but can come at the cost of ethical and legal integrity regarding the purchase of data. Security practitioners and data vendors must do what they can to maintain their cybersecurity posture while enabling and profiting off of access to sets of breached data.

Always consider the nature of a customer’s purchase intent when they buy data, avoid marketplaces such as the dark web that host illicit transfers of breached data and practice good security hygiene when browsing for and purchasing sets of breached data over public and unsecured networks. The ethics and legality behind the purchase of breached data may at least become clearer when individual users and businesses keep these precautions and considerations in mind.