Our client came to us with a problem. They had been made aware of an allegation that some of their employees' data was available on the dark web. They didn't know how it got there, and they needed us to find out.
The Background:
It turns out that our client had been the victim of a ransomware attack within the prior 18 months. Their systems were compromised and their data encrypted and held for ransom. Following their corporate policy, the ransom was paid.
Another firm was hired to investigate the incident, and according to its findings no data exfiltration took place. However, nearly 12 months later a complaint was filed against our client alleging that employee PII had been found on the dark web, and we were brought in. At this stage, our job was essentially to perform an audit on the audit.
The Challenge:
There wasn't much to go on. Our client had been assured there was no evidence of data exfiltration during the ransomware incident. If exfiltration had taken place, did that mean the previous vendor was at fault for not catching it? Was our client liable for not notifying their customers in California? These were important issues to resolve. And if the data did not come from the original ransomware attack, it could point to a different and perhaps more serious problem: an internal source, a mole, selling customer data from within the company.
We began with a detailed analysis of the previous vendor's findings. Complicating matters, much of the original IT infrastructure had been replaced, and the forensic images created during the initial IR review had been deleted. In essence, the crime scene had been wiped. We were still able to validate the approach taken by the initial IR firm and to confirm certain data points from that investigation against what remained.
The next step was to connect the dots from the initial IR investigation to what we were finding on the dark web. We set out to locate the alleged data, determine whether it in fact existed, and, if it did, establish exactly what it contained. After an exhaustive search, we determined that the group behind the attack, and the sites it operated, had been shut down by the FBI. We also determined that this group had advertised the breach on its leak site, but that there was no evidence it had ever posted exfiltrated data. We did find a data set purported to contain PII for one of the plaintiffs, but on analysis it proved to be a COMB (a compilation of many breaches), an aggregate of older, unrelated leaks rather than a unique data set affiliated with our client. In short, the data existed, but its fingerprints (the fields it carried and the earlier breaches its records traced back to) did not match the data held by our client, so it could not have come from the client's breach.
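The provenance test described above, reduced to code, as an added example that is not part of the original case study: it checks a leaked record set against a source's own data on three axes, whether the leak carries fields only the source's systems would hold, how many leaked identities overlap with the source's records, and how many leaked records were already present in earlier public breaches. All data below is constructed and hypothetical (no real people, breaches or field layouts), and the field names, the `EMP-nnnnn` id format and the verdict thresholds are assumptions made for the illustration.

```python
"""Does a leaked record set plausibly come from a given source, or is it an aggregate of older breaches?"""
import hashlib
import re
from collections import Counter

def email_key(email: str) -> str:
    """Normalize an e-mail and hash it so comparisons never need the plaintext list in memory."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

# --- Constructed sample data (hypothetical; not real people or breaches) -----------------
# The source's HR export. Its record layout (EMP-nnnnn ids, SSN last four, date of birth)
# is what a genuine exfiltration of this system would carry.
CLIENT_HR_EXPORT = [
    {"emp_id": "EMP-00417", "email": "A.Lopez@Example-Corp.test", "ssn_last4": "4821", "dob": "1981-03-09"},
    {"emp_id": "EMP-00522", "email": "bkim@example-corp.test",    "ssn_last4": "9903", "dob": "1990-11-21"},
    {"emp_id": "EMP-00610", "email": "c.ng@example-corp.test",    "ssn_last4": "1177", "dob": "1975-06-30"},
]

# The set found for sale: e-mail/password pairs, the shape of a credential combo list,
# not of an HR export. Two entries happen to be employees' work addresses.
LEAKED_RECORDS = [
    {"email": "a.lopez@example-corp.test", "password": "Summer2019!"},
    {"email": "bkim@example-corp.test",    "password": "hunter2"},
    {"email": "someone@mail.test",         "password": "qwerty"},
    {"email": "other@mail.test",           "password": "letmein"},
    {"email": "third@mail.test",           "password": "passw0rd"},
]

# Hashed e-mails from earlier, unrelated public breaches (constructed names and contents).
KNOWN_PUBLIC_BREACHES = {
    "forum_breach_2017":    {email_key(e) for e in ["a.lopez@example-corp.test", "someone@mail.test", "other@mail.test"]},
    "retailer_breach_2018": {email_key(e) for e in ["bkim@example-corp.test", "third@mail.test"]},
}

# Fields (and a format) that exist only in the source system, used as the strongest signal.
CLIENT_ONLY_FIELDS = {"emp_id", "ssn_last4", "dob"}
EMP_ID_RE = re.compile(r"^EMP-\d{5}$")

def schema_overlap(leak):
    """Client-only fields present in any leaked record; an emp_id only counts if it has the client's format."""
    present = set()
    for rec in leak:
        for field in CLIENT_ONLY_FIELDS & set(rec):
            if field != "emp_id" or EMP_ID_RE.match(str(rec[field])):
                present.add(field)
    return present

def identity_overlap(leak, client):
    """How many leaked records name an identity the client actually holds (hits, total)."""
    client_keys = {email_key(r["email"]) for r in client}
    hits = sum(1 for r in leak if email_key(r["email"]) in client_keys)
    return hits, len(leak)

def prior_breach_coverage(leak, known):
    """Per known breach, how many leaked e-mails it already contained, plus the count no breach explains."""
    covered, unexplained = Counter(), 0
    for rec in leak:
        sources = [name for name, keys in known.items() if email_key(rec["email"]) in keys]
        if not sources:
            unexplained += 1
        for name in sources:
            covered[name] += 1
    return dict(covered), unexplained

def assess_provenance(leak, client, known):
    """Combine the three signals into a verdict: client_export, combolist, or inconclusive."""
    fields = schema_overlap(leak)
    hits, total = identity_overlap(leak, client)
    covered, unexplained = prior_breach_coverage(leak, known)
    if fields:
        verdict = "client_export"   # carries data only the client's systems would hold
    elif unexplained == 0:
        verdict = "combolist"       # every record already circulated in earlier breaches
    else:
        verdict = "inconclusive"    # some records are new and unexplained; keep digging
    return {
        "client_only_fields": sorted(fields),
        "client_email_hits": hits,
        "records": total,
        "prior_breach_coverage": covered,
        "unexplained": unexplained,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for k, v in assess_provenance(LEAKED_RECORDS, CLIENT_HR_EXPORT, KNOWN_PUBLIC_BREACHES).items():
        print(f"{k}: {v}")
```

On the constructed input the verdict is `combolist`: two of the five leaked e-mails belong to client employees, which is what makes the allegation look plausible at first glance, but every record is already accounted for by an earlier breach and none carries a field the client's HR system would have produced. The caveat is that a seller can strip identifying columns, so an empty `client_only_fields` result is evidence against a client origin only together with the prior-breach coverage; the `inconclusive` branch is there precisely for records that no known source explains.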
The complaint was dismissed as meritless, and our client was able to rest easy knowing their employees' data had not been sold on the dark web.