As part of the PFS’s commitment to enhance the reputation and standing of the financial services sector, the policy and public affairs department produces materials covering a wide range of subjects including UK and European regulation, industry developments and legislation.
One key area of this is the CII Good Practice Guides, covering a broad range of topic areas as part of an effort to expand the knowledge of finance professionals as well as examining emerging trends. Here, we feature an extract from one such guide.
What is the dark web?
The internet, as we understand it, is only a small percentage of what is actually ‘out there’. Search engines access what is known as the ‘surface web’. They retrieve their results by indexing pages that contain links allowing themselves to be identified. However, less than 10% of all the pages on the internet are indexed by search engines. This means that more than 90% of online data makes up what is known as the ‘deep web’.
The deep web contains everything not indexed but accessible using a direct address or by searching through content. The internet is too large to be indexed comprehensively by search engines, so anything not directly linked can be found here. Deep web content can be anything from archived pages, to databases or private networks. However, the most infamous part of the deep web is the ‘dark web’.
The dark web is a small part of the deep web (thought to be 0.1%) that is concealed because it does not contain inbound links. To access the dark web, users will need to know an exact address, have access to virtual private networks or have specific login details. To maintain privacy, users may access the dark web by using the Tor network (‘the onion router’) via a Tor browser, which encrypts the data.
The dark web can be a useful tool for retaining anonymity for the site concerned as well as for the site user. Legitimate reasons people may want to protect their identity include accessing uncensored news stories, sites blocked by local governments, journalists storing sensitive data, human rights groups protecting data and whistleblowers concealing their identity.
However, due to the anonymity associated with the dark web, it is largely known for illegal activities such as distributing extreme pornography, the buying and selling of weapons and drugs, terrorism and the hiring of hackers.
Relevance of the dark web
The reason the dark web should be of interest is that it is also a tool used for the storing and selling of stolen data. Those who have been subject to a cyberattack may find that not only have their details been stolen but also distributed for sale on an illegal marketplace.
As the dark web is difficult to access, it is not always obvious when a breach has occurred. It could be weeks or months before any stolen data is used or sold. These marketplaces can offer anything from email addresses with passwords that can be used to access personal information on any site with a relevant account, to account details to steal funds.
In May 2018, law enforcement from 28 countries met at Europol headquarters to discuss how to coordinate tackling crime on the dark web. As the criminal marketplaces found there exist anonymously on a digital platform, there is an urgent need to clamp down on these illegal activities. The outcome of this was the creation of a dedicated dark web team, which will work together with EU partners and global law enforcement.
Europol outlines the team’s role: “It will deliver a complete, coordinated approach: sharing information; providing operational support and expertise in different crime areas; and the development of tools, tactics and techniques to conduct dark web investigations and identify top threats and targets. The team also aims to enhance joint technical and investigative actions, organise training and capacity-building initiatives and work together with prevention and awareness-raising campaigns – a 360-degree strategy against criminality on the dark web.”
The dark web team will take action towards reducing the size of this “underground illegal economy”; however, it will still be the insurance industry that has to pick up the pieces when a breach occurs.
Since the European Union General Data Protection Regulation came into effect in May 2018, the Information Commissioner’s Office requires any suspected breach to be reported within the first 72 hours, detailing the following:
- Information on the nature of the breach;
- The approximate number of individuals concerned;
- Categories lost;
- Details of the likely consequences of the breach;
- How the breach will be dealt with.
All data subjects affected must also be notified that their data may have been compromised. Any failure to do so could result in a fine of up to 4% of a firm’s global revenue or €20m, whichever is higher.
Now that more of an effort is being made to track down and identify stolen data on the dark web, this needs to be investigated and included as one of the consequences of a breach. Methods for doing so include data breach detection applications that can alert you within minutes if your data has been hacked, leaked or stolen, or employing a data monitoring service to detect this on your behalf.
With the risk of identity theft increasing, dark web surveillance is vital to scan online for any activity associated with an identity to see if it is being misused. As well as monitoring web pages and networks, other sources of data that will be checked include chatrooms, forums and malware. By being thorough, this should inspire public trust that firms not only know how to respond to a cyberattack, but if the data ends up on the dark web then they also know how to track it down.
What can be done?
The focus on cyberattacks needs to address what happens to the data after it has been stolen. Most of the time companies focus more on repairing the breach, notifying clients and managing any reputational damage. The journey of the data post-theft can become more complex and create more issues in the years to come. Consider the following:
- Identify vulnerable risks;
- Maintain good security controls;
- Use monitoring software;
- Respond to a breach promptly.
Rather than waiting for the worst to happen, security measures like these are good risk management and inspire customer confidence that you are acting in their best interests. The key is to treat data as valuable, even after it has been stolen.
James Moorhouse is content manager at the CII