For most of us, the chance of being caught up in a data breach is just another hazard of online life.
Personally identifiable information (PII) is stolen from a company we have an association with, and nobody is the wiser unless the company contacts us with the bad news.
Except not every company wants to tell us, or even realizes it’s been breached. In that case, we must depend on researchers to spot undisclosed breaches on the dark web.
That doesn’t always happen either, which leaves two options. The first is for users to check their email addresses against breach databases such as Have I Been Pwned? to see whether any hits turn up. The second is to trawl the dark web ransomware leak sites for themselves, not exactly a user-friendly undertaking for the average person.
So, it looks as if there are lots of ways to find out about breaches, but none of them offer anything beyond fairly modest reassurance.
The Ransom Web
Recently, the infamous BlackCat ransomware group (ALPHV) came up with a better system: let people read about a breach on a public website created specially for that purpose by the criminals themselves.
According to Bleeping Computer, BlackCat recently set up a website where employees and customers of a breached and ransomed U.S. hotel could check to see whether their PII had been stolen.
For customers, the query data included names, arrival dates and the cost of a stay, while for 1,534 employees it was names, social security numbers, dates of birth, phone numbers, and email addresses.
This site was on the public web, which means it will be indexed by search engines. Once indexed, that data stays cached for weeks or months even if the site is taken down, unless a request is made to remove specific content. Removing it would mean contacting each search engine in turn.
Turning Up the Pressure
The innovation here is a twist on double extortion, a way of putting pressure on a victim to pay up for fear that stolen data will be made public. Of course, making something “public” normally doesn’t mean many people ever see it, hence the need to make it more public by using a conventional website anyone can visit.
Commented Brett Callow of Emsisoft, the security company that tipped Bleeping Computer off about the discovery:
“While it’s an innovative approach, it remains to be seen whether the strategy will be successful – and, of course, that will determine whether it becomes more commonplace.”
Our guess is that even if it doesn’t increase the conversion rate overall, it might still become more common because it increases the psychological pressure on those already inclined to pay. It’s also incredibly cheap, if vulnerable to takedowns.
Ransomware is often described as a technical and business challenge. But it is just as much a psychological and social challenge. It is all about being compromised and then hung out to dry in public. Some organizations will do anything to avoid being reminded of that—especially if their verified customers get to hear about it.