Data Laundering: The Dirty Business of Stealing and Reselling Your Most Valuable Data

6 Mar

Hackers are stealing your most prized data, cleaning its illegal origins, and reselling it through legitimate channels – a growing threat to your critical operations

Cyber attackers have been going after data for as long as there have been computers to hack. Whether they are stealing, destroying, manipulating, or blocking access to data, hackers know there is money to be made with your information. As cyber criminals become more sophisticated, they are moving up the data food chain, targeting your most critical and valuable information.

Today’s Smash-and-Grab Hacking

The most popular kind of data being targeted now is PII (Personally Identifiable Information), PHI (Personal Health Information), and PCI (Payment Card Industry). Hackers know where to look for this information and what to do with it once they steal it. There are established markets and mechanisms to quickly create fake credit cards, drain your accounts, steal your identity, commit fraud, and a conduct a whole host of other lucrative exploits.

As popular as this data is to steal (last year over 27 million healthcare records were stolen), it has become a high-volume, low value market. On the cyber black market, you can buy a social security number for $1, credit card data for as little as $7, and medical information for $10-$50.

Evolution of the High-End Data Market

Beyond this high volume market, there is a high-end market that targets much more sophisticated and sensitive data. Often called the “crown jewels” of your organization, these are critical secrets that you need to operate and gain a competitive advantage. This market focuses on data such as intellectual property, legal proceedings, financial strategies, and sales bidding information. The right information, in the right hands could easily be worth multi-millions.

Although potentially very lucrative, it can be difficult to operate in the high-end data market. It’s not because the information is well protected. Often, this information is exposed (we’re looking at you, senior executives, with your crown jewels sitting on your laptops). It is because 1) the information is hard to identify and interpret, 2) it is hard to identify a buyer, and 3) it is very high risk. Most cybercriminals can identify PII and PHI, but ask them to interpret a corporate earnings report, or an acquisitions strategy, and they’ll likely run for the hills.

The high-end cyber crime market has traditionally been the purview of large nation-states. It took larger state-sponsored organizations to understand, target, and use corporate secrets. However, even state-sponsored actors have been finding the high-end market too hot to handle. In 2015, China and the US entered an agreement to not to conduct economic cyber espionage, which included the theft of intellectual property from corporations to help their own companies compete. As a result, the number of breaches attributed to China-based groups has plunged by 90% in the past two years.

Data Laundering Takes the Risk Out of Buying Your Crown Jewels 

What if you could steal high-end data, erase any trace of how you obtained it, repackage it, and then sell it to the companies and organizations that wanted it most? This would take the risk out of the equation for the buyer and open up large profits for you. This is the essence of data laundering.

Similar to money laundering, data laundering involves the setting up of a number of fake companies or organizations. Data is then passed through these and “cleaned” of any trace  of its illegal origins.

Data Laundering can take many forms, but for simplicity, they generally follow a basic flow. A hacker steals high end data from a victim company, let’s say plans for a new kind of microchip. The information is then divided up into smaller parts and run through several fake companies. In our scenario, these are fake research companies. A final fake company repackages the information and sells it to the end buyer. In our case, it is a consulting company that surprisingly has a great idea for a new kind of microchip. The fake companies can be located in different countries, making it harder to investigate.

This same scenario could be used to clean almost any sort of key data, from merger strategies, to details of legal proceedings, to bid details. By lowering risk, data laundering has the potential to open up high-end markets.

The Dark Data Broker

Currently, data laundering is not wide-spread. As we stated above, the high-end market is difficult because the information is hard to identify, it’s hard to find buyers, and it’s risky. Data Laundering takes care of the risk, but there still isn’t someone to link the hacker, to the high-end information, to the buyer.

This is where Dark Data Brokers come in. They specialize in instructing hackers on what to take, setting up the data laundering operation, and selling to the end buyers. If they are really good, the end buyers won’t even know that the data was ever dirty. The brokers don’t need to be technically savvy. Rather, they specialize in knowing what type of information is most valuable, where to find it, and how to sell it.

With Data Brokers facilitating the process, the hackers can focus on what they do best, the buyers can purchase information at a low risk, and the market for high-end data will expand.

Data Laundering Is Reshaping the Threat Environment

The growth of Data Laundering has the potential to reshape your threat environment. With the right motivation and direction, cyber criminals will more aggressively go after your most critical information. They will also increase their focus on specific areas where they can obtain high-end information, such as legal counsel, executives, and financial organizations.

Companies will also need to pay close attention to the information they receive. They might unwittingly purchase stolen information. If it can be proven that the information was illegally obtained, they could be exposed to legal and regulatory repercussions.

Organizations often talk about protecting their “Crown Jewels.” However, few understand what those jewels really are, where that information lives, and how to protect it. Your threats are evolving, and as they get more sophisticated, they are going to get better at targeting your most critical information. For more guidance on how to protect your corporate crown jewels see our blog.

You need to be ready before you get taken to the cleaners.

Leave a Reply

Your email address will not be published. Required fields are marked *