FACT: On average, it takes organizations 204 days to identify a breach (IBM).
There are lots of ways data breaches happen, like leaked credentials, phishing scams, and malware infections.
However, regardless of the specific vulnerability exploited, the fact remains that millions of records and sensitive data are leaked every day.
Knowing what to do if your company’s data ends up on the dark web is the first step to mitigating the impact of the breach.
In this post, we’ll cover what to do if your data ends up on the dark web, your removal options, and how to prevent a breach in the first place.
What is the dark web?
The dark web refers to a 'hidden' part of the internet that can only be accessed using specialized software like the Tor browser. It operates on an encrypted network that conceals the identities and online activities of its users, providing anonymity. The dark web hosts websites with .onion addresses that are not indexed by regular search engines and can only be accessed with special browsers.
While the dark web itself is not illegal, a significant part of it hosts illegal marketplaces for breached data, drugs, weapons, and other illicit goods and services. However, there are also legitimate uses of the dark web, like bypassing censorship, protecting political dissidents, allowing whistleblowing, and enabling anonymous communication.
RECOMMENDED READING: Is dark web monitoring worth it?
What kind of data is available on the dark web?
The dark web is often associated with illegal activities, like buying and selling breached data. The following types of data are often targeted:
- Personal Information: This can include names, addresses, phone numbers, email addresses, and other personal details that can be used for identity theft or fraud.
- Login Credentials: Usernames and passwords for various online services (email accounts, social media, online banking, etc.) can be used for unauthorized access or identity theft.
- Financial Information: Credit card numbers, bank account details, and other financial information can be sold for use in fraudulent transactions.
- Health Records: Medical histories, prescriptions, insurance information, and other health-related data can be valuable for various illicit purposes.
- Sensitive Corporate Data: Trade secrets, intellectual property, internal communications, and other confidential business information can be targeted for corporate espionage or blackmail.
- Government and Military Information: Classified or sensitive government and military documents can be leaked or sold for espionage or political purposes.
- Educational Records: Student records, academic transcripts, and other educational information can be used for identity theft or fraudulent academic credentials.
The dark web is not easily searchable through standard search engines, which makes finding your company’s data difficult. However, there are steps you can take to locate your company’s exposed data:
- Dark Web Monitoring Services: There are companies that offer dark web monitoring services specifically for businesses. They continually scan and crawl the dark web, hacker forums, and criminal marketplaces, looking for your company’s data. Services like Breachsense, SpyCloud, and ZeroFox can alert you if your employees’ credentials, customer data, or other proprietary information are found on the dark web.
- Internal Monitoring: Your company’s information security team can manually search and monitor the dark web, forums, and markets for any signs of your data being sold or discussed by threat actors.
- External Cybersecurity Consultants: Cybersecurity companies often have expertise and experience navigating the dark web. They may be able to conduct comprehensive searches to identify if your company’s data has been compromised.
RECOMMENDED READING: How to Find Data Breaches
One last note: when your company’s data is breached, it’s important to respond quickly to minimize the impact. Having an incident response plan in place before a breach happens is critical.
If you discover that your company’s data has been leaked on the dark web, time is of the essence. Here are some steps you can take to mitigate the impact:
- Identify the Breached Information: Determine what specific information has been exposed. This could be personal information, financial data, login credentials, or other sensitive data.
- Change Passwords and Security Questions: Immediately change the passwords for any affected accounts, terminate leaked session tokens, and update relevant security questions and answers. Use a password manager to generate strong, unique passwords company-wide and enable two-factor authentication where possible.
- Notify Affected Parties: If customer or employee data has been compromised, notify them as soon as possible and provide guidance on what steps they should take to protect themselves.
- Monitor Accounts and Credit Reports: Keep a close eye on bank accounts, credit card statements, and credit reports for any unauthorized activity. Where relevant, consider placing a credit freeze on your credit file if financial information has been exposed.
- Report to Authorities: Report the incident to law enforcement agencies, such as the local police or the relevant cybercrime unit in your country. They may be able to investigate and take action against the attackers.
- Engage External Cybersecurity Consultants: Consider hiring a cybersecurity firm to conduct a thorough incident response investigation, assess the extent of the breach, and implement defenses to prevent future incidents.
- Review and Strengthen Security Defenses: Conduct a comprehensive review of your security protocols and practices. Implement additional security measures where needed, such as dark web monitoring, EDR, and regular pen testing, to protect against future breaches.
- Develop a Response Plan: Create a detailed plan for responding to future incidents, including communication strategies, roles and responsibilities, and steps for mitigating damage.
- Educate Employees and Users: Provide training and resources to employees and users on how to protect their information and recognize potential threats.
- Legal and Regulatory Compliance: Ensure that you comply with any legal and regulatory requirements related to data breaches, such as reporting obligations and consumer protection measures.
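The first three steps above (identify what leaked, reset current credentials and revoke their sessions, decide who to notify) are where most of the time is lost when an alert arrives. The script below is an added example, not Breachsense code or any vendor's API: it takes a constructed exposure alert in the shape a monitoring feed might deliver (email, leaked password, source) and triages it against a constructed copy of the internal user directory. It assumes the directory stores PBKDF2-HMAC-SHA256 hashes with per-user salts; the user records, session IDs and alert records are all made up for the example. A leaked password that still matches the stored hash gets a forced reset plus session revocation, a stale one gets a notify-only action (the user may have reused it elsewhere), and addresses outside the organization are ignored.

```python
"""Triage a credential-exposure alert against an internal user directory.

Added example; all users, hashes, sessions and alert records are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # assumption: match whatever your identity store uses


def hash_password(password: str, salt: bytes) -> bytes:
    """Same derivation the (assumed) directory uses for its stored hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    active_sessions: list = field(default_factory=list)
    must_reset: bool = False


def make_user(email: str, password: str, sessions) -> User:
    salt = os.urandom(16)
    return User(email.lower(), salt, hash_password(password, salt), list(sessions))


# Constructed directory standing in for an identity-provider export.
DIRECTORY = {
    u.email: u
    for u in (
        make_user("alice@example.com", "Winter2023!", ["sess-a1", "sess-a2"]),
        make_user("bob@example.com", "correct horse battery staple", ["sess-b1"]),
    )
}

# Constructed alert records; a real feed would carry the same three fields.
ALERT = [
    {"email": "Alice@Example.com", "password": "Winter2023!", "source": "combo list (constructed)"},
    {"email": "bob@example.com", "password": "OldPassw0rd", "source": "forum dump (constructed)"},
    {"email": "mallory@example.com", "password": "hunter2", "source": "combo list (constructed)"},
]


def triage(alert, directory):
    """Classify each leaked record and return the actions to take, in alert order."""
    actions = []
    for rec in alert:
        email = rec["email"].strip().lower()  # feeds are not consistent about case
        user = directory.get(email)
        if user is None:
            actions.append({"email": email, "action": "ignore",
                            "reason": "no matching org account"})
            continue
        # Constant-time compare of the leaked password against the stored hash.
        still_current = hmac.compare_digest(hash_password(rec["password"], user.salt), user.pw_hash)
        if still_current:
            actions.append({"email": email, "action": "force_reset_and_revoke",
                            "revoke_sessions": list(user.active_sessions),
                            "reason": f"leaked password is current ({rec['source']})"})
        else:
            actions.append({"email": email, "action": "notify_only",
                            "reason": f"leaked password is stale; warn about reuse ({rec['source']})"})
    return actions


def apply_actions(actions, directory):
    """Carry out the reset/revoke decisions; returns the number of sessions revoked."""
    revoked = 0
    for a in actions:
        if a["action"] != "force_reset_and_revoke":
            continue
        user = directory[a["email"]]
        user.must_reset = True
        revoked += len(user.active_sessions)
        user.active_sessions.clear()
    return revoked


if __name__ == "__main__":
    plan = triage(ALERT, DIRECTORY)
    for a in plan:
        print(f"{a['email']:24} -> {a['action']:24} | {a['reason']}")
    print("sessions revoked:", apply_actions(plan, DIRECTORY))
```

The two things worth keeping from this pattern are the normalization step (alert feeds rarely agree with your directory on case or whitespace, and a missed match is a credential you leave live) and the split between "current" and "stale": a stale leak is still a notification trigger, because the same password may be in use on a system that is not in the directory you checked.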
It is extremely difficult, if not impossible, to remove your information from the dark web once it has been leaked.
The dark web is designed to be a decentralized and anonymous network.
This makes it very challenging to track down the sources distributing the data or force its removal.
This is why preventing a breach in the first place is so important.
Having said that, there are a few steps that you can take to mitigate the risks after the fact:
- Monitor for exposure: Use dark web monitoring services like Breachsense to continuously scan for your company data on the dark web, forums, and marketplaces.
- Change compromised credentials: If login credentials like passwords, session tokens or financial information have been exposed, change them immediately across all associated accounts and services.
- Freeze credit/finances: If financial data or PII (personally identifiable information) has been compromised, freeze your credit with the major credit bureaus and monitor your financial accounts for any fraudulent activity.
- Report illegal activity: While removal may not be possible, report any illegal sale or distribution of your data to the appropriate authorities and internet providers hosting the content.
- Hire negotiation services: Specialized companies offer data leak negotiation services, where they negotiate on your behalf to have the threat actors delete or not release sensitive data.
- Legal action: As a last resort, you may be able to pursue legal action against the sources/individuals selling or distributing your data illegally on the dark web if they can be identified.
Due to the difficulty of removing data from the dark web, the best approach is to be proactive and prevent the breach in the first place.
Here are some proactive steps you can take to prevent your company’s sensitive data from getting breached:
- Use a password manager to generate strong, unique passwords and enable two-factor authentication wherever possible. This prevents credential-stuffing and phishing attacks that could lead to account takeovers.
- Be very cautious about sharing personal or sensitive information online or over unsecured channels. The less exposed, the lower the risk.
- Keep all software up-to-date and use reputable anti-virus/anti-malware protection. Many data breaches start with infostealer malware infections.
- Use a virtual private network (VPN) to mask your IP address and help add anonymity.
- Monitor your accounts and credit reports regularly for any signs of unauthorized access or identity theft.
- Educate employees on cybersecurity best practices like spotting phishing emails, social engineering scams, and other common attack vectors.
- Have an incident response plan in case a data breach does occur at your organization.
- Properly configure all security settings and access controls for cloud services, databases, and other systems that store sensitive data.
- Work with a reputable penetration testing company to perform periodic testing and review your security settings.
- Use dark web monitoring services that alert you when your data surfaces on the dark web or criminal marketplaces.
Exploiting leaked credentials and using LOTL (Living Off The Land) techniques are very common tactics threat actors rely on to gain access to your network and avoid detection. If you need visibility into your organization’s leaked data, book a demo to see how Breachsense can help.