Data Laundering Poses Privacy, Security Risks

Data laundering, like money laundering, is the act of acquiring data through an illegal means—whether that’s the dark web or a hacked/stolen database—and then taking that data and running it through a legitimate business or process in order to make the data seem authentic.

As both customer bases and companies adapt to modern technologies and new methods of conducting business, there are additional avenues to collect and leverage data, making data laundering a growing concern.

Chris Pin, PKWARE vice president of security and privacy, explained that data is acquired in a few different ways: The data could be purchased from a dark web seller, or it could be siphoned from a company’s website or exposed from systems through malware, email phishing or even man-in-the-middle attacks.

“Once threat actors have the data, they typically run it through a randomizer, which is a data cleaning tool that helps randomize the missing or the valuable information in an attempt to make the data seem more legitimate to potential buyers,” he said.

The Trouble With Data Laundering

The trouble with data laundering is that purchasers may be totally unaware that they are buying stolen data, which is, in fact, the point of data laundering.

“If an organization has purchased stolen data, what happens next? Like any other data, it’s going to be stored somewhere, such as a database,” Pin explained. “Storage and system resources are a big investment already, and only add more for a company to process more data. On top of storage, an organization must also apply all its security controls, discovery, data governance, etc., for this illegal data.”

According to Pin, this is where things get really bad, because the IT organization has now done everything required of it for the business to start feeding that data set into AI, ML and other automated decision-making processes.

“Perhaps this helps your organization do things like marketing campaigns, regional product or trend research and more,” he said. “The problem is this laundered data could pose a lot of inaccuracies and lead a business down a path of losing money due to decisions based on false data. And that’s just the business side of things.”

From a risk point of view, this illegal data carries plenty of risk, because not knowing whether the data is legitimate could leave your organization open to lawsuits.

“If your company starts marketing to emails that were stolen, the consumer could submit an access request to uncover all the data you have on them, wanting to know why and where you got it from,” Pin said. “Since you will be unable to answer their questions, they will have grounds for a private right of action, or even a class action suit.”

He said the big takeaway is that organizations that are going to participate in the modern era of data trading need to be assured of their sources.

Tracking the Chain of Custody

Additionally, their sources need to be sure of their sources, which means that tracking the chain of custody, to ensure both the validity of the data and the legality of sharing it, has never been more important.

“As time goes on, more data privacy laws will catch up, making the chain of custody a data requirement that every organization and federal office begins to enforce,” he said.

Andrew Barratt, managing principal of solutions and investigations at Coalfire, a provider of cybersecurity advisory services, said data laundering is nothing new and has widely been considered a problem in the “data sales” space for a while.

“It’s probably not as sophisticated as many may think,” he said. “It can be anything from small-time Excel manipulation to large scale ingesting of data breaches and sanitization algorithms that look to remove anything that can be used to attribute the source.”

He explained that once a list of names, addresses and emails is broken out, it is almost impossible to identify where it came from—unless very specific ‘canary’ records were placed into the data set for that purpose.
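
As an added illustration of the canary-record idea Barratt mentions (example code written for this page, not from the article, Coalfire or any vendor), the following seeds each partner's copy of a list with partner-specific canary addresses derived from a secret key, then checks a leaked list to see whose copy it came from. The key, the customer rows and the partner names are all constructed for the example.

```python
import hashlib
import hmac
import random

# Constructed sample data for this example (no real people or addresses).
CUSTOMERS = [
    {"name": "Ada Example", "email": "ada@example.org"},
    {"name": "Bo Example", "email": "bo@example.org"},
    {"name": "Cy Example", "email": "cy@example.org"},
]
WATERMARK_KEY = b"owner-only-secret"  # assumption: held by the data owner, never shared


def canary_record(key: bytes, partner: str, index: int) -> dict:
    """Derive a unique canary for (partner, index). The address is an HMAC tag,
    so no canary table has to be stored: canaries are recomputed when a leak is checked."""
    tag = hmac.new(key, f"{partner}:{index}".encode(), hashlib.sha256).hexdigest()[:12]
    return {"name": f"Canary {index}", "email": f"{tag}@canary.example.com"}


def seed_dataset(key: bytes, records: list, partner: str, n_canaries: int = 3) -> list:
    """Return a copy of records with this partner's canaries spread through it."""
    seeded = list(records)
    for i in range(n_canaries):
        seeded.insert((i * 7) % (len(seeded) + 1), canary_record(key, partner, i))
    return seeded


def attribute_leak(key: bytes, leaked_emails, partners, n_canaries: int = 3) -> dict:
    """Map each partner to how many of its canaries appear in a leaked list.
    Normalising case and whitespace defeats the cheapest 'sanitisation' of a leaked file."""
    leaked = {e.strip().lower() for e in leaked_emails}
    hits = {}
    for p in partners:
        found = sum(1 for i in range(n_canaries) if canary_record(key, p, i)["email"] in leaked)
        if found:
            hits[p] = found
    return hits


def demo() -> dict:
    """Share the list with two partners; a shuffled, re-cased copy of partner_b's list leaks."""
    partners = ["partner_a", "partner_b"]
    copies = {p: seed_dataset(WATERMARK_KEY, CUSTOMERS, p) for p in partners}
    leaked = [r["email"].upper() for r in copies["partner_b"]]
    random.shuffle(leaked)  # the leaked file has been reordered and re-cased
    return attribute_leak(WATERMARK_KEY, leaked, partners)


if __name__ == "__main__":
    print(demo())  # {'partner_b': 3}
```

Canaries only attribute copies you seeded yourself; they say nothing about records that were never yours, which is Barratt's point about why laundered lists are otherwise so hard to trace.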

How to Combat Data Laundering

To combat data laundering, Barratt said privacy laws should continue to evolve in line with standards such as the GDPR and the California CPA, essentially putting a regulatory or legal obligation onto companies to remove data at the request of the citizen.

He pointed out that GDPR has gone a long way toward establishing some very high-level rights for data subjects in the UK and EU, and the U.S. is moving in that direction on a state-by-state basis.

“Federally, the Constitution and the Bill of Rights don’t explicitly give citizens a right to privacy although there are various case laws that argued the case for privacy from the government,” he noted.

Unfortunately, from a security perspective, if these records are from compromised data sets, “that horse has bolted and the ship has sailed,” Barratt said. These records will continue to constitute a privacy issue and, most likely, a nuisance for people as they get inundated with marketing spam, targeted ads and so on.

“Depending on the context of the data, there may even be some personal security issues surrounding the losing of names and addresses or social security details and health care records,” he warned.

John Bambenek, threat intelligence advisor at Netenrich, also pointed out that the primary target of regulation should be the companies that buy this data, to ensure they only use reputable vendors and only collect data for legitimate purposes.

“It would be better for consumer data to be owned by the consumer and all buying and selling needs to be with consumer consent, but we are a long way from that world in the United States,” he said.

He noted that any action that encourages or monetizes criminal behavior will ensure such behavior continues, and said many companies engaged in these questionable data purchases are likely looking the other way intentionally.

“Unlike ransomware, there is no reason to give these criminal enterprises money and companies should not be using criminal enterprises as digital mercenaries to feed their data machines,” Bambenek said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
