Security Sense: The Ethics and Legalities of Selling Stolen Data

There’s something that’s been bugging me lately that I’ve had trouble putting my finger on. I’ve been thinking about it especially over the last few weeks as I’ve been travelling and watching yet more news of data breaches unfold, particularly with the likes of the 32 million “Twitter” accounts that were alleged hacked (except almost certainly weren’t).

It all boils down to how data breaches are monetised and I have a few issues with the whole thing, especially with the “wholesale” of entire data breaches. We’ve seen breaches sold for many years now but the recent spate of LinkedIn, My Space, tumblr, fling.com and others is what really bothers me. Here we’re talking about tens of millions or even hundreds of millions of records put on dark market websites and sold to whoever is willing to pay just a few Bitcoins.

I’ve heard data breach sellers defend their trade with the justification that “there’s nothing illegal about selling the data” and mount arguments along the lines of “it’s not stolen as the original site still has it”. Yet at the same time we see these very same sellers go to great lengths to keep their identities obfuscated, inevitably because they’re worried about the likely consequences of being caught selling this class of commodity. I don’t know which legal construct would be invoked should they be identified and indeed it would differ based on their jurisdiction, but I do know that legal sentences pay a great deal of attention to the damage done to victims and in the case of selling data breaches, it’s not pretty.

Data breaches are sold because they offer value to the purchaser; they gain something – a return on investment, if you like – by parting with Bitcoins in exchange for user records. Frequently, the upside for the purchaser involves exploitation of the victims in the data breach. Reused credentials across other services are leveraged to gain access to the victim’s account. Sometimes the accounts themselves hold resources of value, other times they serve as a channel for spam distribution, sometimes it’s the victim’s connections which provide fodder for phishing attacks. The value in the data almost always involves exploiting those who innocently trusted their personal information with the hacked site.

And that brings me to the ethics of the whole thing and how I hope those profiting from data breaches are dealt with. Actions which by their very nature lead to the intentional harm of bystanders are malicious in their intent. Whether that be the wholesale of data breaches or the sale of unbridled access to large troves of sensitive data with zero verification of whose data the purchaser is accessing, profiteering in this fashion is not going to be looked on kindly if (and quite likely “when”) authorities track down the perpetrators.

If there was any doubt as to the company this class of data keeps, just look at the image at the top of this post – there’s the LinkedIn data breach sitting alongside marijuana and cocaine. It’s no wonder these individuals value anonymity so highly; they’re overtly conscious of how the law will view these activities and they’re doing their best to hide their identities whilst not giving a damn about selling their victims’ sensitive personal information to whoever will pay for it.