Data laundering, just like money laundering, is the process of obtaining data through illegal means, such as the dark web or a stolen/hacked database, and then passing it through a legitimate business or process to make it appear authentic.
There are more avenues to gather and source data as both companies and customer bases adapt to modern technologies and new ways of doing business, making data laundering a growing concern.
PKWARE vice president of security and privacy Chris Pin explained that the data is obtained in several ways: the information could be purchased on the dark web, scraped from a company’s website, or exposed from systems via malware, email phishing, or even man-in-the-middle attacks.
“Once threat actors have the data, they usually run it through a randomizer, which is a data cleaning tool that helps randomise the missing or valuable information in order to make the data appear more genuine to possible buyers,” he explained.
The Concern with Data Laundering
The problem with data laundering is that buyers may be completely unaware that they are purchasing stolen information, which is exactly the point.
What happens next if a company buys stolen information? “Like any other data, it will be stored somewhere, such as a database,” Pin explained. “Storage and system resources are already a significant investment, and adding more for a company to process more data will only increase that investment.” “For this illegal data, an organisation must apply all of its discovery, security controls, data governance, and so on and so forth, in addition to storage.”
According to Pin, this is where things get really bad, because the IT department has completed all of the necessary steps for the business to begin incorporating that data set into AI, machine learning, and other automated decision-making processes.
“Perhaps this will assist your organisation with regional product, marketing campaigns, or trend research, and other activities,” he said. “The issue is that this skewed data could lead to a lot of inaccuracies and lead to a business losing money as a result of decisions based on false data. And that’s just the business aspect of it.”
From a risk standpoint, this illegal data poses a significant threat, as not knowing the legitimacy (or lack thereof) of the data could expose your company to legal action.
“If your company begins marketing to stolen emails, the consumer may file a request for access to all of the data you have on them, demanding to know why and where you obtained it,” Pin said. “They will have grounds for a private right of action, or even a class action suit, because you will be unable to answer their questions.”
The most important takeaway, he said, is that organisations that want to participate in the modern era of data trading must be confident in their sources.
Tracking the Chain of Custody
Furthermore, their sources must be certain of their own sources, which means that tracking the chain of custody, to verify both the legitimacy of the data and the lawfulness of sharing it, is more important than ever.
“As time passes, more data privacy laws will catch up, making chain of custody a data requirement that every organisation and federal office begins to enforce,” he predicted.
Data laundering is nothing new, according to Andrew Barratt, managing principal of solutions and investigations at Coalfire, a cybersecurity advisory firm. It has long been recognised as a problem in the “data sales” space.
“It’s probably not as advanced as many people believe,” he said. “It can range from simple Excel manipulation to large-scale data breach ingesting and sanitization algorithms that aim to remove anything that could be used to attribute the source.”
He explained that once a list of names, addresses, and emails is broken out, it’s nearly impossible to figure out where it came from unless the data set contains very specific “canary” records for that purpose.
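As an added illustration of the “canary” record idea Barratt describes (example code written for this article, not Coalfire’s or PKWARE’s own tooling): each recipient of a shared dataset gets one synthetic record derived with HMAC from a secret key and the recipient’s id, so a copy that later surfaces can be traced back to the recipient it was given to, even after fields have been reordered or re-cased. The key, recipient ids and sample rows are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder secret held only by the data owner; in practice this
# comes from a secrets vault, never from source code.
CANARY_KEY = b"placeholder-canary-key-change-me"


def canary_record(recipient_id: str, key: bytes = CANARY_KEY) -> dict:
    """Derive a deterministic synthetic record that is unique per recipient.

    The same key and recipient id always give the same record, so the owner can
    recompute every canary on demand instead of storing them all.
    """
    tag = hmac.new(key, recipient_id.encode(), hashlib.sha256).hexdigest()
    return {
        "name": f"Alex {tag[:6]}",                 # looks like an ordinary row
        "email": f"alex.{tag[6:14]}@example.com",  # RFC 2606 reserved domain
        "address": f"{int(tag[14:18], 16) % 900 + 100} Canary Way",
    }


def seed_dataset(rows: list, recipient_id: str) -> list:
    """Return the copy of the dataset that goes to one recipient, plus its canary."""
    return rows + [canary_record(recipient_id)]


def attribute_leak(leaked_rows: list, known_recipients: list,
                   key: bytes = CANARY_KEY) -> set:
    """Return the ids of every recipient whose canary appears in a leaked dataset.

    Matching is on the normalised email only, so reordering columns or changing
    letter case (common 'sanitisation' steps) does not defeat attribution, but
    deleting the email column would; seed one canary per field you care about.
    """
    leaked_emails = {str(r.get("email", "")).strip().lower() for r in leaked_rows}
    return {rid for rid in known_recipients
            if canary_record(rid, key)["email"] in leaked_emails}


# Constructed sample: one real-looking row shared with two hypothetical partners.
SAMPLE_ROWS = [{"name": "Pat Example", "email": "pat@example.org", "address": "1 Main St"}]
PARTNERS = ["partner-a", "partner-b"]


def demo() -> set:
    """Simulate partner-b's copy being laundered (columns dropped, email upper-cased)."""
    laundered = [{"email": r["email"].upper(), "name": r["name"]}
                 for r in seed_dataset(SAMPLE_ROWS, "partner-b")]
    return attribute_leak(laundered, PARTNERS)
```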
How to Battle Data Laundering
To combat data laundering, Barratt believes that privacy laws should evolve in line with standards such as the GDPR and the California CCPA, which essentially impose a legal or regulated obligation on businesses to remove data at the request of citizens.
He noted that GDPR has gone a long way toward establishing a few very high-level rights for data subjects in the United Kingdom and the European Union, and that the United States was moving in that direction on a state-by-state basis.
“The Constitution and the Bill of Rights do not expressly grant citizens a right to privacy,” he explained, “although there have been numerous case laws that have argued the case for privacy from the government.”
Unfortunately, if all these records come from compromised data sets, “that horse has bolted and the ship has sailed,” according to Barratt. As people are bombarded with marketing spam, targeted ads, and other forms of advertising, these records will continue to be a privacy issue and, most likely, a nuisance.
According to him, “depending on the context of the data, there may even be some personal security issues surrounding the loss of names and addresses, social security numbers, and health care records.”
The primary target of regulation, according to John Bambenek, threat intelligence advisor at Netenrich, must be the companies that purchase this data, to make sure that they only use trustworthy vendors and collect data for genuine reasons.
“It would be preferable if consumers owned their data, and all buying and selling had to be done with their consent,” he said. “However, we are a long way from that world in the United States,” he added.
He said that any action that encourages or profits from criminal behaviour ensures that it will continue, and that many companies involved in questionable data purchases are likely looking the other way on purpose.
“Unlike ransomware, there is no reason for companies to give these criminal enterprises money, and criminal enterprises must not be used as digital mercenaries for feeding their data machines,” Bambenek said.