Experiment Tracks Spread of 'Stolen Data' Online

John Lister's picture

A security research firm says more than a thousand people accessed a dummy database of personal details that it released as an experiment, though the real number is likely much higher. It says the would-be criminals acted far faster than the time it takes to fix most security breaches.

The experiment was the work of BitGlass, a company that offers security services for cloud computing firms. The firm wanted to test how quickly a 'leaked' set of personal data would spread around the world; to do so, BitGlass made an Excel file that contained 1,568 sets of names, phone numbers, addresses, credit card numbers and social security numbers.

BitGlass says that the profiles were completely fake and didn't match any real individual, thus making it 'safe' to release online. The researchers also added a hidden watermark that sent them a message whenever the file was opened. They then made the file publicly available through the file storage and sharing service Dropbox.

'Stolen' Data Published On Dark Net

BitGlass then published the data on seven sites known to be used by cyber criminals that exchange stolen data. The websites were part of the dark net, a term used to describe a hidden network on the Internet; the data is therefore not available via an ordinary web browser or search engines.

After 12 days, the baited files had racked up 1,100 views with 47 people downloading the database. It was downloaded to 22 countries across the five largest continents, with Nigeria and Russia showing the most interest. The watermark also revealed that many people who viewed the files came from university networks, though that may have been because such networks often have unsecured WiFi. (Source: darkreading.com)

"People do cross-examine [the information] and download it, looking for breached data ... Our goal was to see how liquid the market is [when it comes to accessing such data] ... We didn't put it up for sale ... We were curious to see what happens to it after a breach," says Nat Kausik, CEO of Bitglass.

Criminals Vet Data Before Downloading

According to BitGlass, the most interesting finding is just how many people looked at the data before downloading it. That suggests many would-be criminals carefully vet leaked data to make sure it is genuine before trying to take advantage.

On one hand, it's hardly surprising that so many would-be criminals showed an interest in what they thought might be 'free' personal data. On the other, it's possible that the real number of individuals who viewed the data was much higher, because cybercriminals are likely to employ ways to disable the watermark tracking. (Source: theverge.com)

What's Your Opinion?

Are you surprised by how widely word of the supposedly-stolen data spread online? Do you think the findings show firms handling personal data need to be even quicker to react when there's a real breach? Or do you think the experiment is too flawed to draw any firm conclusions?


Dennis Faas's picture

These are interesting findings but I think most cybercriminals would block the watermark, so I think the data is not very representative of a real-world scenario. If we could go back in time and track the downloads from big data breaches of Target and pastebin (for example), that would be far more revealing. But as they say, hindsight is 20/20 and even so, my example isn't even plausible.

f58tammy's picture

This just proves there is more than just a handful of criminals out there wanting this kind of data, and that these security breaches will always be happening, even if this is not an accurate sample of the real world experience of data proliferation.
I would suggest that the banks and credit card companies let their account holders take a more proactive solution to making such data useless, by having a lock-out page on their web site that would be user friendly, where you could set up a denial of payment to any charges from another country, state or county. To unblock the lock-out you would just have to go and uncheck a box and answer your security (a misnomer I know) question that you have set up at the time, just before you travel outside of your authorized area. If you do have a recurring charge from a company of another country, you could enter it into a white list.
The more these kinds of denial-of-payment systems are in effect, the less valuable the data breach would be.