Mitigating Risk of Data Leaks in Investigations

Aug. 24, 2022, 8:00 AM UTC

The Department of Justice in June announced the seizure of SSNDOB Marketplace, a network of websites that for years offered for sale as many as 24 million Social Security numbers to malevolent actors looking to commit identity theft and fraud.

The news was largely overlooked as only the latest in a string of stories about leaked datasets—belonging to Sony, the Democratic National Committee, Equifax, Facebook, Uber, and even the CIA, among others—that found their way online or into the wrong hands.

In today’s digitized world, personal data is collected, packaged, sold, and resold globally by data brokers and social media giants, and corporate data is consolidated into massive databases, linked to vendors and customers. These datasets are valuable and often vulnerable—some degree of leaking is inevitable.

What does this trend of ever-leaking data mean about broader risk and risk mitigation?

Traditionally, investigators identify and understand risk by reviewing public documents—court filings and criminal records, regulatory, licensing, and real property records, corporate and domain ownership information, news articles and industry publications, and social media posts and other online sources.

Today, leaked data has become one more layer on top of the ocean of open-source and freely shared information in the public domain. Leaked data sets have become, in effect, a new public record, albeit one that must be approached skeptically and handled ethically.

Leaked Data Is Open-Sourced

Leaked data can be challenging to analyze given the diversity and complexity of the information it includes, ranging from massive listings of customer data to archives of emails, files, and text messages. Some leaked data is available online for only the briefest moment, while other data sets proliferate, copied from site to site. Some leaked data can be accessed with a Google search. Other times a subscription to a specialized vendor or use of a particular tool or technique is required.

The ethical calculations are equally complex. Leaked information that has made it into the public domain is one thing, while stolen proprietary information offered for sale on the dark web is another. For each situation, the legal implications of acquiring access must be assessed. And whenever data with an unknown provenance, provided by a source with unknown motives, is encountered, caution is warranted and substantiation is required.

Despite these challenges, leaked data cannot be ignored. It can reveal links between individuals, expose embarrassing truths, or indicate tax evasion or other malfeasance.

It has been used to harm people and entities, slander whistleblowers, and target former romantic partners. In more cases than not, it translates into real-world risk. And while enforcement actions like the SSNDOB Marketplace seizure are important, they will never eliminate the threat.

Strategies and Questions to Ask

Organizations that navigate this landscape need to ensure they have strategies in place to minimize their own chance of leaking, prepare for the leaks that will inevitably occur, and learn from those that already have.

Organizations need to start by assessing what sensitive data they generate, collect, and process.

Do they have adequate controls to safeguard it? Do they carefully evaluate who is provided access to it? Do they have a data loss prevention system to detect attempts to exfiltrate it? Do they have an insider threat program to monitor for anomalous employee behavior? Do they audit their information security and data privacy programs against appropriate regulatory requirements and industry best practices?

Proactively, organizations need to review their exposure. Do they monitor the dark web for indications that threat actors are targeting their systems? Do they search available breach repositories for leaks of their corporate email credentials?

Do they examine the public availability of home addresses and other personal information of their executives and their families to protect against doxing attacks? Would they detect a malicious actor selling their intellectual property in an online forum?

Going forward, organizations need to incorporate this new data source into every decision they make. Do they search deep web and dark web data repositories when investigating their supply chain, prospective acquisition targets, or adverse external parties?

Do they review leaked data for reputationally adverse information on prospective hires or partners? Do they examine the cyber security record of prospective joint venture partners before putting their own networks and employees at risk?

Organizations will rarely have the internal expertise to do all these things on their own. They will need partners and investigators who have updated their approaches and who pair traditional open-source research methods with tools and techniques that enable them to probe and monitor this new public records landscape of leaked data.

These risks will remain invisible unless you know where to look for them, even if, like the SSNDOB Marketplace, they operate hidden in plain sight for years.

This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Chris Ribeiro is a managing director with global investigations firm Nardello & Co. He leads complex investigations for government agencies, law firms and multinational corporations, and was formerly an intelligence analyst with the CIA and the New York City Police Department.

Liam Hanlon is an associate managing director with Nardello. He manages investigations involving white-collar crime, reputational due diligence, asset tracing, and corporate control contests.
