By Sherri Davidoff   /   Jun 10th, 2019

Should Your Data Breach Response Plan Include Dark Web Scanning?

Here’s a new #databreaches development: LabCorp, a medical testing firm that uses the same hacked billing vendor as Quest Diagnostics, has reportedly been “scanning the dark web for any signs of its customers’ personal data,” as part of their data breach response, “but so far hasn’t found anything.”

Is dark web scanning the new credit monitoring? As part of their data breach response plan, organizations seek out ways to reassure consumers and reduce risk. New dark web scanning services have proliferated in recent years, with companies promising to scour the seedy underbelly of the Internet and alert customers if their sensitive intellectual property or personal data is found.

LabCorp, which plans to notify 220,000 of its customers, appears to have deployed dark web scanning as part of its data breach response, in an effort to detect any sign of stolen customer data.

But it’s not possible to scan everything. The dark web is “dark” for a reason; it’s impossible to get a list of every site. There are over a septillion possible addresses. For this reason, there is no Google for the dark web that has crawled everything. That means that there are innumerable hidden corners, private forums, and closed chat rooms that dark web scanning companies can’t possibly detect, let alone examine.

Companies that scan the dark web can certainly detect data that is advertised for sale in any of the popular marketplaces or closed forums of which they are members, but they can’t possibly rule out that the data is circulating on the dark web, in a place unbeknownst to them.

What if LabCorp scans the dark web and finds a positive match, indicating that customer data is for sale? This would obviously not bode well for LabCorp or their customers. Would LabCorp even be required to disclose this information to consumers, or could they simply not mention that they had scanned the dark web at all? With this approach, breached organizations can have their cake and eat it too: they can share the good news when nothing is found, and keep quiet when the results are bad.

Timing is another key question. How often will LabCorp scan the dark web? Did they just scan it once, or will this be an ongoing operation? It can take a while for large stolen databases to worm their way into the more popular areas of the dark web. For example, Yahoo’s passwords were not widely peddled on a popular forum, as far as we know, until years after their breach. A dark web scan conducted immediately following a breach discovery might miss delayed data dumps.

Scanning the dark web over a long period of time could have significant negative consequences for a breached organization. What happens if LabCorp does discover some customers’ data a year or two down the road? If so, their breach could resurface in the media, like a re-opened wound. This could potentially lead to lawsuits, negative publicity, and more. Breached organizations have clear disincentives against long-term dark web scanning.

LabCorp’s use of dark web scanning as a way to reduce risk and reassure consumers is a new development in data breach response. Will dark web scanning become a standard part of a data breach response plan? Will a free dark web scan accompany free credit reporting as a new way of reassuring and compensating consumers?

The answers may ultimately be driven by insurers. If cyber insurance underwriters decide to cover the costs of dark web scanning, breached organizations may choose to take advantage of it. If not, already-stressed organizations are certainly less likely to fund a new offering, particularly given the uncertain potential for benefit. Only time will tell if dark web scanning goes mainstream for #databreach response, or if LabCorp’s actions will remain an idiosyncratic choice.


About the Author

Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.