User data is a valuable commodity on the dark web with everything from credit card numbers to medical records being available for a price. Criminals often steal large batches of data through websites and sell the collections online to criminal gangs who later use it for illicit purposes.
Generally, a single stolen credit card number with expiry information and the CVV number sells for around $45, and like with the regular world, there are discounts for buying in bulk. Personal information, such as passports, can go for more; upwards of $200 and stolen password lists, especially for sites such as online gaming, can often stretch into the thousands.
With the anonymity of the dark web, virtual theft has now become a staple for many organized crime establishments, and the challenge that attackers have now is to continue creating new and elusive ways to circumvent security which organizations have in place to protect their website.
Exfiltration, leakage and theft
Data exfiltration is the process of moving data without the consent of the organization who owns it. Also known as data theft, the action of moving data can be done physically, such as taking data from a business location on a USB stick or virtually by copying data or emailing them to an unauthorized recipient.
Direct access to the data is not always required, with malware often being used to trick those who do have access into leaking it. Attackers will utilize phishing techniques to coerce users into installing malicious executables or leverage client-side attacks to skim data from websites.
Data theft through online skimming has become a significant security issue for ecommerce websites; criminals inject malicious code designed to steal payment information as users enter numbers into a page. While this process is capturing only a single card number each time, over a shopping holiday, such as Black Friday, attackers can still steal substantial amounts of data.
There are numerous examples of businesses who have suffered breaches where data has been stolen, with the larger ones making very public headlines. While sometimes this theft happens at the hands of a company insider, more often, it is the result of organized cybercrime groups.
The organization is responsible
While it might seem unfair, when a breach happens resulting in data theft, the organization who experienced the loss is the one on the receiving end of litigation. With the introduction of legislation, such as the CCPA and GDPR, organizations can face substantial penalties and civil suits resulting from what is often perceived as negligence.
The CCPA for example allows for penalties of up to $2,500 per individual consumer affected by an unintentional data breach, meaning that a site of just 10,000 users could face a $25M fine. More so, the language within the CCPA bill highlights that organizations are expected to implement and demonstrate adequate protections against data exfiltration.
Ensighten data exfiltration prevention
Ensighten’s security and compliance technology enables organizations to mitigate data exfiltration through website breaches or when theft happens as a result of a supply chain vulnerability.
- Third-party technology control: Allow only approved vendors to operate in an easy-to-deploy manner, as well as manage and update policies in real time
- Real-time website monitoring: Monitoring of all network requests coming in or out of the website to detect and block potential threats
- Masking of sensitive data: Determine unique data patterns to prevent sensitive data being exposed within the URL and passed to unauthorized parties
- Only allow secure scripts to load: Only allow secure (HTTPS) scripts to load on secure pages and block any non-secure requests from loading