Companies must monitor the dark web to ensure data privacy
Imagine discovering a scanned copy of your passport, PAN card, aadhar card etc. publicly available on the internet. What if someone were to apply for a credit card or a buy-now-pay-later (BNPL) loan or a PayPal account with minor photo edits to these documents?
Individuals are concerned about data privacy and protection, but how can they safeguard their information online? With increased internet usage, online data has grown exponentially over the last decade, reaching about 64.2 zettabytes in 2020, according to Statista.com. The Dark Web, on the other hand, is a collection of hidden websites that can't be accessed with a regular web browser but may be accessed with specialized software, settings, or authorization.
Breached data that includes personally identifiable information (PII) may be sold or auctioned on the Dark Web by threat actors most of the time, as cyber-attacks increase in scale and complexity each day. The dark web, and the deep web or the hidden internet, provides anonymity and secrecy to users, making it a popular destination for criminals.
Dark Web data may include PII from government databases, private companies, and individuals. Some of the common items for sale on the Dark Web include financial information such as credit card details, identity information such as scans of passports and social security numbers, login credentials for a number of online accounts including banking and email accounts, malware that may pose a threat to cybersecurity, and more.
Companies that have been impacted by ransomware attacks or data breaches need to monitor the dark web for any sale of confidential information that could cause business impact. However, monitoring the Dark Web is challenging, as it involves many sources along with marketplaces like closed forums, messaging apps, etc. These monitoring techniques involve use of varied tools and data feeds for continuous searches to gather raw intelligence in near real-time covering thousands of sources.
Periodic monitoring and vulnerability assessment can help validate if critical information, e.g. IP addresses, DNS, IT architecture, sensitive and confidential business data, contact details is publicly exposed, which can be leveraged for conducting cyber-attacks. When it comes to the Dark Web, though, because the site or data isn't indexed and can't be discovered by typical search engines or crawlers, specialists with the required skills, precise tools, and understanding must check for exfiltrated data.
Because many businesses handle customer data, dark web monitoring assists them in preparing and reacting quickly to avoid risks such as legal disputes, brand damage, financial fines, regulatory penalties, and most significantly, future assaults if they discover their data is available on the dark web.
On the dark web, personal information including names, phone numbers, and contact information, credentials, as well as identification numbers such as social security and AADHAR are openly available in addition to business data. This poses a significant risk of identity theft and online financial fraud. Platforms such as Automated Vending Carts (AVCs) are used for trading credit cards, credentials, and accesses. Personal information is frequently utilized for ‘targeted advertising’ and ‘behavioural advertising’, in which ad brokers try to deliver advertisements that are most appropriate to the person visiting the website /app, increasing click-through rates.
According to the NIST Privacy Framework, negative effects can be experienced on both individual and societal levels, with adverse impact on organizations’ brands, profits and growth; if data privacy risks are not managed and addressed.
Not only personal data, but also organizational data is at risk. Employees frequently use the same password for several corporate and personal accounts, making it simple for threat actors to obtain access to it. They can then utilize it to perpetrate a variety of internet frauds including business email compromise, financial frauds, and so on once they have gained access. Credentials are frequently sold on the Dark Web. It's always better to use a strong and well-known password manager rather than remembering many passwords, writing them down somewhere, or keeping the credentials in the browser's default storage.
Keep up to date anti-malware software and patches, use multi-factor authentication, back up your data regularly, and maintain a good cyber hygiene. Keeping strong passwords that are changed on a regular basis and as soon as possible after being informed of a breach can assist prevent cyber security breaches.
Individuals can check if their passwords or accounts have been compromised earlier in any of the data breaches on websites like https://haveibeenpwned.com/ or https://mypwd.io/
With the rise of BYOD and the adoption of remote working, it's more vital than ever to ensure that your cyber security policy encompasses all devices, not just those on your corporate network. Implementing a Zero Trust network is a vital part of the cyber security architecture design, but employee security knowledge is also important. Designing and implementing a data privacy and governance framework for categorizing, tagging, and labelling data sets is critical for identifying sensitive and personal data so that steps to conceal / mask, anonymize, or obfuscate the data fields may be put in place.
As data privacy standards become more stringent around the world, with increased fines and mandatory disclosures, it's a good idea to proactively do Dark Web monitoring or hire consultants who can help you avoid fines or data breaches.
Privacy of data is a serious issue, especially when the data itself has the potential to harm the people whose data it is. Organizations need to have a framework in place to protect their infrastructure and comply with local laws as well as international obligations.
The dark web is extensive and growing, but there are ways you can check if your personal information is compromised in any of the data breaches.
Amit Jaju
Amit Jaju is the Senior Managing Director of Ankura Consulting (India).
TRENDING STORIES
Next Article