Privacy Bee as a Superior Post-Breach Remedy

The Identity Theft Resource Center (ITRC) reports that the number of data breaches occurring in the first half of 2024 (roughly 1.1 billion incidents) marks a 490% increase compared to the same period last year. The number of data breach victims in just the second quarter of 2024 (1 billion) represented an eye-popping 1,170% increase over Q2 2023!

Presently, organizations are spending billions on post-breach identity theft protection services they provide for free to their victimized customers following the breach of supposedly secure systems.  Fortune Business Insights puts the global identity theft protection services market value at $13.13 billion in 2023 and projects it to rise to $14.95 billion in 2024.  They project a CAGR of 13.7% through 2032, when spend on these services is projected to reach $41 billion!

This seems like a huge sum of money – almost always unplanned – to have to spend in largely futile attempts at repairing harm, recovering reputation and assuaging investors after falling prey to all-too-predictable social engineering attacks, attacks enabled greatly by unsecured external data and other data privacy weaknesses.  This is especially true when unsecured external data could be largely neutralized preemptively, avoiding damaging data breaches in the first place.

To be clear, anyone who claims to offer an iron-clad, 100% effective solution to the problems caused by unsecured external data (or other data hygiene challenges) is lying.  Simply put, the ability to insure against data breaches, IP theft, HR poaching, doxxing and other consequences of poor external data privacy management is only something to be accomplished by degrees.  That is, risk can be largely mitigated, but never eliminated.  As such, external data privacy must be regarded as a best practice to be woven into the ongoing processes of overall cyber and information security, something we write about in detail in our Continuity is Critical whitepaper.

While everyone knows an ounce of prevention is worth a pound of cure, CISOs and other IT leaders seem to suffer a blind spot when it comes to external data privacy management.  The best time to enact protective measures against data breaches – which seem to happen daily to even the largest organizations – is before any breaches have occurred.

Sadly, despite Privacy Bee for Business’s best and ongoing efforts to convince the public to reduce its risk profile as a prophylactic measure, far too many organizations exclude external data privacy protection, investing heavily in traditional information and cyber security measures instead, all while ignoring the clear and present danger of poor privacy practices.  Those measures categorically fail to address the connection between unsecured external data and the social engineering attacks that result in the majority of breaches experienced today.

If you’re one of the many unlucky organizations which has suffered a breach BEFORE having deployed Privacy Bee for Business to drastically reduce your risk profile, then this document is for you.  In it, we will explore how Privacy Bee for Business can be applied successfully as an affordable post-breach remedy, one far more effective than the performative act of offering free identity monitoring service at great cost to the bottom line.

The Comforting Fiction of Identity Theft Monitoring Services

First, let’s examine the real value of leaning on identity theft monitoring services, either in the wake of a data breach or as a preventative measure.  It has been said that most people prefer to accept a reassuring lie over an uncomfortable truth.  Identity theft monitoring services are for the most part a comforting lie people tell themselves.

Tech columnist Jeff Somers levels some brutal honesty in an article published on Lifehacker, somewhat coarsely titled “Identity Theft Protection is Mostly Bullshit”.  In it, he explains what these services monitor (credit reports, social media accounts, dark web sites and one’s financial accounts).  He also explains how the services are passive and require the user to check in with a fairly high degree of regularity or risk being victimized again.  Somers notes correctly that monitoring services are not the same from a safety standpoint as identity theft insurance, which compensates a user if their identity is compromised and fraudulent costs are incurred.  Somers is also correct in stating that much of what these services deliver could be achieved – for free – by one’s own efforts.

“In the end, identity theft protection is kind of like a car alarm: It might make you feel better psychologically, but it doesn’t actually do much.”

Jeff Somers

US News and World Report, while less blunt in its language than Somers, arrives at largely the same conclusion.  Their article is titled, “Is Identity Theft Protection Worth It?”  After also suggesting that identity theft insurance is a more useful product, they arrive at a mealy-mouthed condemnation of monitoring as a solution saying, “Whether an identity theft protection service is worth the cost depends on a person’s budget, their perceived risk of identity theft, and the value they place on what an identity theft protection service does.”

Kiplinger’s article (with the exact same title), “Is Identity Theft Protection Worth It?”, concludes, “Monitoring services can help you spot red flags, but they won’t stop criminals from targeting you.”  That assessment is pretty much the most concise expression of what one needs to know about the value of identity theft monitoring services.

It seems these solutions are provided by companies post-breach to burnish the appearance of taking actions to remedy the mess they made of their customers’ personal privacy.  However, the purpose of this paper is not to necessarily disparage or denigrate the monitoring industry.  Instead, it is to offer a better, more effective set of corrective measures an organization can apply by way of recompense to its wronged customers following a breach.

First the Bad News About Post-Breach Remedies

The fact of the matter is, once your data has been leaked due to a data breach, it cannot ever be completely recovered.  More than likely, your data will wind up on the dark web and be passed back and forth between Data Brokers and People Search Sites.  Once exposed, victims might expect an inevitable telemarketing and spam/scam explosion that ripples outward after the initial breach, especially as the data is repackaged across People Search Sites.

What are the Dark Web and the Deep Web?

To understand where stolen personal data goes and how it is monetized by threat actors, it is important to understand the deep web and dark web.

Experts estimate there are more than 10,000 dark web marketplaces.  Dark web marketplaces cannot be found using common search engines.  Nor can they be accessed using regular web browsers.  These hidden markets are routinely used – due to their masked accessibility – to broker transactions involving stolen data as well as illegal drugs, weapons, counterfeit currency and other forms of contraband.

The web security experts at Kaspersky provide these simple definitions of “dark web”, “deep web”, and “surface web” using the image of an iceberg as a metaphor. 

The surface web, according to Kaspersky, “is the ‘visible’ surface layer. If we visualize the entire web like an iceberg, the open web would be the top portion that’s above the water.”  All public-facing websites making up the surface web can be found using common search engines like Google.  They can be accessed using standard browsers like Internet Explorer, Chrome and Firefox.  These .com, .net and .org sites are easily located using search engines.  Surprisingly, the surface web comprises only roughly five percent of all websites.

The deep web rests below the surface and includes approximately 90% of all websites. This includes large, closed networks, corporate intranets, databases and other closed information systems not indexed for search or intended for unrestricted public access.  The deep web is made up of legitimate sites supporting business, government, education, healthcare, etc.  Continuing the analogy, this segment is the remaining majority of the iceberg hidden beneath the waterline. In fact, this hidden web is so large that it’s impossible to discover exactly how many pages or websites are active at any one time.

The dark web “is a hidden part of the internet not indexed by regular search engines, accessed through specialized browsers like Tor. It hosts both legal and illegal activities, offering anonymity but also posing risks like scams and illicit content,” Kaspersky says. The dark web represents less than 1% of all websites.

The media tends to use the terms dark web and deep web interchangeably, but it is only the dark web where the illegal/illicit activity – like the sale of stolen PII/data – most often occurs.

In general terms, cyber thieves and other threat actors, as well as legitimate Data Broker companies, scrape unsecured external data and PII from public areas of the surface web including social media, business websites, public records, etc., which is not illegal.  They then add to this collected data, building detailed profiles/dossiers of individuals with hundreds of stolen data points on each person, exfiltrated from protected deep web sources like databases and corporate intranet systems and captured through Social Engineering attacks like phishing, spear-phishing and others.  This deep web data is typically stolen in bulk (as when a large database is breached/hacked) and sold on the dark web to data brokers, who build and sell detailed profiles to marketers and sales forces (for mostly legitimate purposes) but also to threat actors with less than legitimate aims.  If it sounds like a legal grey area and less-than-ethical, that’s because it is.  Data Brokers do not discern who the customer is, and there is little regulation governing the legal sourcing of this data by the Data Broker industry.

Learn More About the Methods of Data Brokers. Read Privacy Bee for Business White Paper, “Exposing the Threat to Data Privacy Posed by Data Brokers & People Search Sites”.

Now the Good News About Post-Breach Remedies

While one cannot ever fully recover all their personal data exposed during a data breach and traded on the dark web, applying strong external data privacy management methodologies can significantly lower the risk of being victimized further even once personal data has been stolen and disseminated through the dark web.

Privacy Bee CEO, Harry Maugans says, “Providing Privacy Bee to your compromised customers in the wake of a breach instead of identity theft monitoring is a far more effective measure.  While we strongly urge organizations to avoid breaches by securing external data in a preventative sense, there is still plenty we can help with after a breach.”

Maugans uses the analogy of seismic activity to make the point that applying external data privacy discipline after a breach doesn’t target the allegorical earthquake.  However, it quite effectively helps with the aftershocks.  Sadly, the breach itself cannot be reversed or even cleaned up.  Moreover, unlike unsecured external data on the surface web which can be removed through the ongoing process of executing and managing Data Subject Access Requests (DSARs), there is no viable way to delete anything from the dark web.  That exposure of data will always be there.

What is a DSAR?

Data Subject Access Requests or “DSARs” are the requests consumers lodge with any organization that holds their data, and which companies are legally required to answer.
So, in Maugans’ analogy, data privacy management doesn’t target earthquakes, but it helps with the aftershocks. 

While the fact that the stolen data can never be recovered from the dark web doesn’t sound like “the good news”, the fact is that dark web data is very hard to access and use.  Because each breach may capture only small fragments of any individual’s personal data and PII, it requires significant effort to cleanse the data and aggregate data points from numerous different stolen caches into accurate, individual profiles of persons complete enough to truly enable identity theft and other criminal actions.  The fragmented data is routinely uploaded to the dark web and sold to Data Brokers or cyber thieves in broken, partial binary files that the average criminal can’t do anything with.

It takes a lot of effort to normalize and sanitize the dark web data, evolving it into a useful dataset.  This unfortunately is an effort shouldered by shady data brokers, which resell to less shady data brokers.  This laundering process allows what began as illegally obtained data to eventually percolate to top tier and nominally “legitimate” Data Brokers and People Search Sites.  There it is sold to spammers, scammers and anyone with a few bucks to spend on list purchases.

It is at this juncture in the journey from stolen PII to legitimate data product that Privacy Bee can interrupt the process.  Using external data privacy management processes to disrupt the dissemination of data as it seeks to transition from the illicit world to the legal world, this solution silences all data brokers who touch it.

Without a strictly organized and ongoing process of managing DSARs, here’s what commonly occurs:

  1. Organization issues DSAR/Deletion requests to any number of Data Brokers, People Search Sites or other locations where unsecured PII has been detected by scanning
  2. Weeks of follow up and correspondence ensues and deletions are ultimately achieved for most of the DSARs issued
  3. Each People Search Site or list reseller purchases new or receives refreshed data from the Data Brokers as part of its license/contract
  4. The unsecured data is restored to the People Search Sites’ databases

By applying Privacy Bee for Business and maintaining an ongoing practice of its processes, this circular movement of stolen data is repeatedly disrupted.  The metaphor Privacy Bee often uses to help understand this process is the concept of a tree and its leaves.  Think of Data Brokers as the trunk and branches of a tree.  Consider each article of stolen PII as an individual leaf on the tree.  If an organization focuses only on one-time deletions, removing individual metaphorical leaves, the trunk and branches will provide the energy to regrow new leaves more quickly than they can be pruned.  If the trunk of the tree is felled, no more leaves will be able to grow on any branch.  So, although the data may be repeatedly reinserted into the process from where it lives on the dark web, managing deletions from Data Brokers on an ongoing basis essentially cuts the tree down.
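The four-step cycle above is easy to lose track of once dozens of sites and hundreds of subjects are involved. The following Python tracker is an added example, not Privacy Bee’s code; the subject label, site names and 14-day follow-up interval are constructed assumptions. It records each request, flags overdue follow-ups, and, when a fresh scan finds a record that had already been confirmed deleted, treats it as the refresh in step 3, reissues the request and counts the regrowth per site, so that sites that keep regrowing (the leaves fed by the same trunk) stand out in a report.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DsarRequest:
    """One deletion request for one subject at one site."""
    subject: str            # constructed label for the person whose PII was found
    site: str               # constructed name of a Data Broker or People Search Site
    issued_on: date
    last_contact: date
    status: str = "issued"  # issued | deleted | reappeared
    followups: int = 0
    cycles: int = 1         # how many times this subject/site pair has needed a request
    log: list = field(default_factory=list)


class DsarTracker:
    def __init__(self, followup_after_days=14):
        # Follow-up interval is an assumed operational threshold, not taken from the page.
        self.followup_after = timedelta(days=followup_after_days)
        self.requests = {}  # (subject, site) -> DsarRequest

    def issue(self, subject, site, today):
        """Open a request, or reopen an existing one (a new cycle) if the data came back."""
        key = (subject, site)
        req = self.requests.get(key)
        if req is None:
            req = DsarRequest(subject, site, today, today)
            self.requests[key] = req
        else:
            req.cycles += 1
            req.status = "issued"
            req.issued_on = today
            req.last_contact = today
            req.followups = 0
        req.log.append((today, "issued"))
        return req

    def followups_due(self, today):
        """Open requests with no contact for longer than the follow-up interval (step 2)."""
        return sorted(
            (r.subject, r.site) for r in self.requests.values()
            if r.status == "issued" and today - r.last_contact >= self.followup_after
        )

    def record_followup(self, subject, site, today):
        req = self.requests[(subject, site)]
        req.followups += 1
        req.last_contact = today
        req.log.append((today, "followup"))

    def record_deletion(self, subject, site, today):
        req = self.requests[(subject, site)]
        req.status = "deleted"
        req.last_contact = today
        req.log.append((today, "deleted"))

    def reconcile_scan(self, found, today):
        """Compare a fresh scan (set of (subject, site) pairs) with the request book.

        New sightings open a request; sightings of pairs already deleted mean the
        site refreshed from upstream (steps 3 and 4), so the request is reissued.
        Returns the reissued pairs.
        """
        reissued = []
        for key in sorted(found):
            req = self.requests.get(key)
            if req is None:
                self.issue(key[0], key[1], today)
            elif req.status == "deleted":
                req.status = "reappeared"
                req.log.append((today, "reappeared"))
                self.issue(key[0], key[1], today)
                reissued.append(key)
        return reissued

    def regrowth_report(self):
        """Sites ranked by the highest request cycle seen; persistent regrowth points upstream."""
        worst = {}
        for r in self.requests.values():
            worst[r.site] = max(worst.get(r.site, 0), r.cycles)
        return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


def demo():
    """Constructed timeline: one subject exposed at a broker and at a people-search site."""
    t = DsarTracker(followup_after_days=14)
    d0 = date(2024, 7, 1)
    t.reconcile_scan({("emp-001", "broker-x"), ("emp-001", "peoplesearch-a")}, d0)
    day20 = d0 + timedelta(days=20)
    for subject, site in t.followups_due(day20):
        t.record_followup(subject, site, day20)
    t.record_deletion("emp-001", "broker-x", d0 + timedelta(days=30))
    t.record_deletion("emp-001", "peoplesearch-a", d0 + timedelta(days=30))
    # Re-scan two months on: the people-search site has refreshed from its upstream feed.
    reissued = t.reconcile_scan({("emp-001", "peoplesearch-a")}, d0 + timedelta(days=60))
    return t, reissued


if __name__ == "__main__":
    tracker, reissued = demo()
    print("reissued:", reissued)
    print("regrowth:", tracker.regrowth_report())
```

The regrowth report is the useful output: a site whose cycle count keeps climbing is being refilled by a broker feed, which is the signal to direct requests at the trunk rather than keep pruning leaves.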

It is worth noting that a good deal of the data compromised in a breach is quickly rendered useless when the breach is discovered and disclosed to those affected.  Stolen credit card numbers are replaced with new ones.  Stolen passwords are reset/updated.  Stolen phone numbers can be changed.  Consumers victimized by breaches typically self-correct to the extent they can.  Of course Social Security Numbers, home addresses, birth dates and other fixed data points cannot be as easily updated as account numbers and such.  Yet, taken in sum, adding external data privacy protection to efforts post breach truly reduces the risk profile. 

Cyber criminals always seek the path of least resistance, choosing the easiest targets to attack.  The very nature of social engineering attacks proves this maxim.  Hackers are no longer content to plow volumes of man-hours into brute force attacks on the exceedingly hardened information security and cyber security protections used to protect systems.  Especially when it is far quicker and less labor intensive to use ruses and artifice to cleverly trick their way around hardened walls and defenses.  The same inherent laziness mostly guarantees that hackers will not want to work extra hard to manipulate stolen data of those actively removing it from Data Brokers’ reach.  Particularly when there are so many millions of victims who are doing nothing to interrupt these activities.

Immediate and Longer-Term Benefits and Value

Having persuaded the reader of the value inherent in applying Privacy Bee for Business service as a post-breach remedy – far superior to identity monitoring service as a way to reduce risk and rebuild trust – there is also an array of longer-term benefits to be discussed.  These benefits are amplified if the victimized organization elects to apply Privacy Bee for Business to cover its internal workforce and vendor partners at the same time. 

Adopting a muscular posture toward external data privacy and the securing of PII is something that all internet users are going to have to do.  It is a new security practice that far too many are as yet unwilling or unable to embrace.  However, it will ultimately become as regular and necessary a practice as password management, endpoint protection, encryption or any other commonly accepted best practice.  It needn’t take being victimized for an organization and for individual victims to come to this realization.  However, in the context of this document – external data privacy (EDP) as a post-breach remedy – it is enough to accept that everyone must take control over their unsecured external data if they wish to continue to navigate the internet with the utmost available safety against cyber crime.

What new users of Privacy Bee quickly come to understand once they’ve activated their Privacy Bee accounts (courtesy of the organization that allowed the breach and underwrites the service as a remedy) is the myriad ways Privacy Bee protects them.  They receive a great education about the ways their data is collected and manipulated.  They also learn a variety of practices to protect themselves from future attacks.  The platform delivers all the tools necessary to stand up and maintain world-class data privacy.

Besides the Data Broker and People Search Site removal service, wherein an army of “worker bees” continuously issues, manages and reissues DSARs, Privacy Bee enables the following processes for overall privacy management. (Note: while this facet of the solution regularly initiates thousands of DSARs, DSARs are not Privacy Bee’s only method for cleaning up. They are used only when a site fails to respond to the worker bees’ attempts to use that site’s own opt-out/suppression/deletion path.)

Marketing List Removal service is critical to businesses seeking to minimize unwanted distractions to their workforce derived from spam and targeted marketing.  This is also useful in mitigating HR poaching.

Privacy Preference Management on the Privacy Bee platform provides the ability for each user to create their own “whitelist” or “privacy bubble” by cataloging the list of all sites a user visits or has visited.  Then enabling the user to allow trusted sites to collect their data while barring distrusted sites from doing so.  For the Business customer, this type of selectivity allows all company business machines to configure trusted sites and enforce prohibitions against any user visiting web equities deemed to be a privacy risk for the client company.   The Business solution provides graphical visualizer dashboards with risk assessment scoring for every website, so that management can gauge the risk/reward profile of all sites the workforce may visit and interact with.

Vendor Risk Management is crucial to protecting the internal workforce as well because all best efforts can be defeated if the organization’s business partners are not exercising the same diligence in protecting privacy.  If a vendor or other business partner has any access to information systems, then it is imperative that they be covered under the same privacy umbrella.  Privacy Bee is fully extensible to provide such coverage to any organization’s external partners and business connections. 

External Data Privacy Audit (EDPA)

The process of holistic data privacy and security begins with this free audit and accompanying report analyzing External Data Risk.

The EDPA is a unified employee audit, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (Data Brokers, People Search Sites, paste sites, and more). It delivers a centralized view into public employee exposures, then overlays the tangible financial impact exposure may have within your organization.

Privacy Risk Assessment (PRA)

Another 100% free tool, the PRA is a survey of roughly 75 questions that Privacy Bee administers online to the organization’s CIO, CISO or any other key stakeholder within its executive leadership.  It takes about an hour to complete.  The PRA explores how customer and employee data is managed by the organization, illuminating any opportunities for improvement, unmitigated risk, or insufficient Governance, Risk and Compliance (GRC).

Once completed, the answers may impact the business’s Privacy Risk Score, as maintained by Privacy Bee. Completing the PRA is frequently required by customers who track your business in their Vendor Risk Management system.  Once completed, your organization’s PRA will be available to any of your customers all year.  They’ll be able to see your organization’s active status, and optionally request to see detailed answers (for trusted relationships), which you fully control.

Other elements of the Privacy Bee for Business suite include a Vendor and Cookie Consent solution that actually generates revenue for the client organization; Privacy Pledge and Trust Badges, which help restore a reputation damaged after a breach and demonstrate renewed commitment to privacy and security; and Privacy Bee University, which helps cultivate awareness and the latest best practices so the workforce remains focused on these ever-present threats.

Conclusion

Winston Churchill said it best: “Never let a good crisis go to waste”.  If your organization has fallen prey to a data breach, seize the opportunity not only to do something of material value for your customers whose data has been lost, but also to take concrete and highly effective steps to protect against the next inevitable attempted attack.  Adopt Privacy Bee as a remedy for past breaches and Privacy Bee for Business to dramatically reduce the probability of the next one.