When it comes to corporate data stolen by hackers, the analogies that most often turn up are of barn doors left open or genies let out of bottles. Once the data is gone, in other words, it is gone.
Conventional wisdom holds that repossessing stolen data shouldn’t be part of a company’s incident response. Rather, the company should focus on assessing the impact of the breach, determining which data was taken and then taking steps to make sure it doesn’t happen again.
But a couple of recent reports suggest that, in fact, companies may be paying to get their data back more often than we’d think.
First: the San Francisco Chronicle reported last week on payments by high tech firms like PayPal to cyber criminal groups to acquire data advertised as stolen on the cyber underground. The report, by Sean Sposito of the Chronicle, said that the purchases are seldom discussed publicly and are often handled through third-party firms.
The Chronicle interviewed current and former senior executives at major Silicon Valley mainstays and cyber security vendors, who described how companies acquire stolen data as part of counterintelligence investigations. Those companies include “top technology firms” and banks that purchased stolen credit and debit card numbers after the breach at Target in 2013. The purchases were made after third-party firms infiltrated criminal ecosystems such as chat rooms and underground marketplaces. The payments were small and mostly escaped attention.
While it might sound odd for sophisticated firms like PayPal or banks to buy stolen information that is being fenced in a criminal marketplace, there is a method to the madness: a purchased sample reveals which accounts are actually in criminal hands, which is hard to learn any other way. A PayPal spokeswoman said the practice helps “identify larger sets of compromised accounts that can be used to support law enforcement investigations and to protect customer accounts.”
And while the Chronicle report suggested that the payments to criminals were insignificant, the findings of a survey by the Cloud Security Alliance suggest that might not always be the case. The CSA surveyed executives and information technology pros at 209 companies and found that a quarter of respondents would pay ransoms to prevent the release of sensitive corporate data, with around 7 percent (14 of 209) saying they’d be willing to pay more than $1 million to hackers to prevent a sensitive data leak.
That doesn’t even scratch the surface of business payments to cyber criminals, however. Businesses such as online retailers and betting operations are known to regularly pay criminals who threaten them with denial of service attacks during key periods. Then there is the scourge of ransomware, in which critical IT assets are encrypted and the data held for ransom. The encryption in those schemes is generally implemented well enough that breaking it is not a realistic option, so companies that have not taken adequate precautions (such as keeping offline backups) are often advised to pay the ransom rather than try to crack the criminals’ encryption or otherwise defeat the ransomware, with no guarantee that the criminals will deliver a working decryption key.
The moral of the story: cyber criminals may be having more luck against private sector firms than we know. While massive data leaks and theft of credit cards make headlines, the Chronicle report and the CSA survey suggest that an even longer tail of small scale cyber extortion and racketeering may be sustaining a healthy criminal underground. In the end, the cost of this activity is borne by everyone.