The seemingly unstoppable growth of “darknet” marketplaces is creating a new commodity industry – corporate insider information.
The mainstream media would have you believe the dark web is primarily for distributing drugs and child pornography — much as they did with the regular Internet back in the mid-1990s.
Anonymous Markets Tempting for Corporate Information Dealers
To an extent this is true (at least the drugs part, anyway). Trade in digital products and information seems less risky, however, and online black markets’ added anonymity and increasing ease of use could be tempting for disloyal employees who lack the contact networks to sell their secrets elsewhere.
Security blogger Brian Krebs highlighted this problem with a post on corporate strategies to counter “insider” leaks — anonymous vendors selling their companies’ secrets.
This growing practice has raised a new degree of concern among corporate investigators, who are now discussing it openly and even hiring security firms to monitor online black markets for mention of their clients’ names.
The term “corporate insider information” covers a number of areas, including sensitive intellectual property, private customer data and internal communications networks.
Companies with a particular interest in intellectual property, like healthcare and pharmaceuticals, are the most active in working with private investigators and law enforcement. Together they have found a startling number of employees and insiders offering information for sale.
There has also been an increase in unscrupulous employees from rival companies actively soliciting for insider information online, creating even more temptation.
Profit, Malice or Mistake
This issue is different from that of whistleblowers, or employees motivated by a moral sense of justice to report malfeasance. Corporate information sellers trade their companies’ secrets for malice or profit, with online markets making it easier to find buyers while cryptocurrency makes the money chain harder to trace.
Some reports show that leaks by employees account for half or more of data breaches, though the exact extent to which this is intentional or even malicious is still unknown.
A recent study on data breaches by Verizon found that only a minority of insider-sourced cases were from those in leadership or IT positions, with most coming from staff in administrative, healthcare and public sector jobs.
Companies would need to pay more attention to who has access to sensitive information and whether it is necessary for them to have it, the report said.
Keep Them Happy?
Several commenters on Krebs’ post pointed out employers will need to put extra effort into keeping their employees happy, which prompted debate about who is responsible for morale — and if maintaining it is even possible.
“Love your employees, bond at the company retreat, bring in bagels on Friday, but monitor the heck out of their authorized daily activity,” Verizon said, “especially ones with access to monetizable data.”
Of course there are many ways for an employee to become “disgruntled,” some of them neither rational nor logical. Not everyone is satisfied by retreat bonding and bagels. Even well-treated employees may be motivated to leak information purely for personal profit — as government intelligence agencies have often found.
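The Verizon report’s two recommendations above, checking whether each person’s access to sensitive data is actually necessary and monitoring the authorized activity of those who do have it, are the kind of thing a security team can script against its own access logs. The following is an added example written for this article, not code from Verizon, Krebs or any company mentioned here; the log format, the role-to-dataset policy and the log lines are all constructed for illustration.

```python
"""Two simple insider-risk checks over a data-access log.

1. policy_violations: accesses by a role that has no business need for that data class
   (the "does this person need this access?" question).
2. volume_anomalies: users pulling far more records in a day than their peers
   (the "monitor authorized daily activity" recommendation).
"""
from collections import defaultdict
from statistics import median

# Constructed sample log. Hypothetical CSV format: date,user,role,dataset,records_read
SAMPLE_LOG = """\
2016-03-01,alice,billing,customer_pii,40
2016-03-01,bob,billing,customer_pii,35
2016-03-01,carol,research,trial_results,12
2016-03-01,dave,it_ops,customer_pii,3
2016-03-02,alice,billing,customer_pii,38
2016-03-02,bob,billing,customer_pii,900
2016-03-02,carol,research,trial_results,15
2016-03-02,erin,facilities,customer_pii,50
"""

# Hypothetical least-privilege policy: which roles are expected to touch which data class.
ALLOWED_ROLES = {
    "customer_pii": {"billing", "it_ops"},
    "trial_results": {"research"},
}


def parse_log(text):
    """Parse the constructed CSV format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, role, dataset, records = line.split(",")
        rows.append({"date": date, "user": user, "role": role,
                     "dataset": dataset, "records": int(records)})
    return rows


def policy_violations(rows):
    """Return (user, role, dataset) triples where the role is not entitled to the dataset."""
    hits = {(r["user"], r["role"], r["dataset"])
            for r in rows
            if r["role"] not in ALLOWED_ROLES.get(r["dataset"], set())}
    return sorted(hits)


def volume_anomalies(rows, factor=5):
    """Flag daily reads that exceed `factor` times the peer median for that dataset.

    The baseline is the median of all (user, day) record counts per dataset, so a
    single huge pull does not drag the baseline up with it.
    """
    per_dataset = defaultdict(list)
    for r in rows:
        per_dataset[r["dataset"]].append(r["records"])
    baseline = {ds: median(counts) for ds, counts in per_dataset.items()}
    return [(r["date"], r["user"], r["dataset"], r["records"])
            for r in rows
            if r["records"] > factor * baseline[r["dataset"]]]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Access outside role policy:", policy_violations(rows))
    print("Unusual daily volumes:", volume_anomalies(rows))
```

On the constructed log this reports erin (a facilities role reading customer PII) as a policy violation and bob’s 900-record day as a volume anomaly, while alice’s steady 40-ish reads and dave’s small IT-ops access pass. Both checks are deliberately coarse: a real deployment would build the baseline per role or per user over a longer window, and a policy hit is a prompt for an access review, not proof of intent.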
Insider attacks have also been an issue at companies holding large amounts of bitcoin and other cryptocurrencies, namely exchanges. Several high-profile “hacks” resulting in loss of funds, such as ShapeShift and Mt. Gox, have been blamed on insiders either acting alone or granting access to outsiders.
New Intelligence Industries to Combat Breaches
Krebs pointed to a now-defunct open-web marketplace called Enigma, which existed only to match buyers and sellers of corporate information. It shut down after its operators suspected it had become completely infiltrated by investigators and spies.
It appears that, in the future, corporations will need to employ more people with specialist skills to investigate intentional data breaches, something governments have had to do for centuries with their own intelligence services.
Employees with access to sensitive information are bound to find themselves under greater scrutiny, through monitoring and screening procedures.
This will create whole new departments and even industries. For anything involving bitcoin and cryptocurrency transactions (either theft or sale), forensic skills for following money trails on blockchain-based networks will be more in demand.
What would tempt an average person to betray their employer like this? Do darknet markets really make it easier?
Images courtesy of Duncan Elms, UK Information Commissioner’s Office.