
How Companies Should Respond to Data Leaks

By Leslie Acebo, Research Analyst, and WSJ Pro

April 18, 2023 3:56 pm ET


Key Points:
  • Cybercriminals are increasingly publishing stolen data on dark websites to pressure victim organizations to pay ransoms, rather than encrypting data until a ransom is paid.
  • Publishing data on the dark web also facilitates other attacks, especially business email compromise, by providing attackers with intelligence on organizations and individuals.
  • To mitigate the impact of such attacks, companies should strive to understand what data has been stolen and focus on what disclosures to make to customers and regulators.

Data Extortion & Leaks:

Cybercriminals frequently readjust their strategies to achieve the best results, including a recent trend of trying to minimize the disruption of extortion attacks in order to encourage companies to pay. Another recent trend has been to publish stolen data on dark websites to increase pressure on companies to pay ransoms. 

This was highlighted in the 2023 Arctic Wolf Labs Threat Report. The report documents three of the most active criminal groups allegedly responsible for this kind of attack. Those groups leaked data from 1,250 organizations that refused to pay extortion demands, the report said.

Data leaked in this manner has included confidential commercial documents and personal data of clients and employees. Companies often pay to avoid the potential legal implications, reputation damage, and the risk of additional data leaks.

This trend highlights the importance for cybersecurity and business leaders to understand the potential effects of a data leak on their organization and have a plan to prepare for and respond to such attacks. 

How Is Leaked Data Used?

“The buck does not stop once the ransomware attack is over. Sometimes it is just the beginning,” said Thomas Willkan, a threat intelligence analyst at Accenture PLC. Mr. Willkan has examined various data leak sites and the implications of data exfiltration, or the unauthorized removal of sensitive or confidential data from a company’s systems. The effects of a ransomware attack can have far-reaching consequences for a business beyond the initial attack, including damage to reputation, financial losses, and operational disruptions.

Mr. Willkan explained that cybercriminals are shifting to encrypting less data because this kind of attack is easier to conduct, and companies are more likely to pay ransoms if these groups threaten to leak, or do leak, sensitive data.

The increased organization and accessibility of data leak sites, coupled with the evolving tactics of attackers, have made it easier for other criminals to exploit data obtained from ransomware attacks. This is especially the case since previously disorganized leak sites are now indexed and easier for criminals to navigate. They can pay to access the indexed data leak sites and find the specific data they are looking for, facilitating other attacks such as business email compromises and extortion attacks.

Business email compromises involve getting organizations or individuals to transfer money to an account under the attacker’s control, often through deceptive communication such as an email purportedly from a senior executive. In 2022, the Federal Bureau of Investigation reported receiving 21,832 BEC-related complaints with adjusted losses of over $2.7 billion.

Exploiting Leaked Data

“BEC attacks are the perfect trifecta for these groups because they are the least difficult to perform, most lucrative, and require the lowest skill levels,” said Mr. Willkan.

He said information leaked on these sites makes it easier for criminals to carry out BEC attacks or other social engineering ploys because they can learn a target’s internal language, including acronyms and expressions specific to their industry. This data enables threat actors to avoid using non-standard company wording, which might indicate fraud. As a result, companies will likely have a hard time detecting these kinds of attacks or may fall victim to a subsequent attack.

There are few public examples of data being weaponized in this way as businesses are reluctant to disclose such incidents, but one case did surface recently. In September 2022, Optus, an Australian unit of Singapore Telecommunications Ltd., was breached, and data was subsequently leaked online. The Australian Federal Police later arrested a man and charged him with attempting to extort those individuals whose personal data was leaked. Although this rather crude extortion attempt was by an individual rather than a cybercrime group, it illustrates how easily such attacks can be carried out.

How to Respond

Data exfiltration is increasingly prevalent in ransomware attacks. With that in mind, Jim Finkle, managing director at public relations firm FGS Global, advises companies to diligently determine the scope of the data exfiltration to help minimize its effect. 

“Leaked data that is sold or exploited by criminals is most useful when the company has no knowledge of it,” he said. 

Mr. Finkle explained that knowing what data was stolen and whether it was leaked is powerful because companies can then take other actions to defend against and prevent subsequent attacks. Achieving this, he stated, starts with having the right team in place, whether internal or external personnel, such as communications, legal, cyber insurance, and forensics.

Company officials can work with forensic investigators to establish what data was stolen. Still, sometimes it may be faster to download the data from the dark web forum where the attacker published it. Webster Bank N.A. recently did this after its third-party service provider Guardian Analytics Inc. was successfully attacked.

The company’s breach disclosure provides a window into the scale of the task. Upon learning its customers’ data was included in the leak, Webster Bank officials downloaded a copy of the stolen data and assembled a team of attorneys and 140 reviewers to sort through the data and determine what was taken. Only then was the bank able to notify regulators and affected customers accurately.  

Restoring Trust

Trent Duffy, a partner at FGS Global, explained how communication is vital in restoring trust and dealing with a data-exfiltration incident. He said companies need to “manage the narrative on [their] own terms versus letting the threat actors or a government disclosure do that for [them].”

Making a well-informed disclosure to customers and regulators based on the findings of the forensics teams not only promotes transparency but also maintains trust between an organization and its clients and other stakeholders even after the incident.

To prepare for the increasing volume of ransomware attacks and data leaks, Mr. Finkle and Mr. Duffy advised that companies must have a crisis plan that includes all parties, conduct regular stress tests and tabletop exercises to test the response plan through simulation of likely scenarios, and prioritize effective communication during incidents. These actions can help companies control the narrative, minimize the consequences of data exfiltration, and prevent follow-up attacks.

This WSJ Pro Research paper provides further details on effective post-breach communications.

WSJ Pro Research is a premium membership that supports executive decision making on critical business issues by supplementing the news with timely, in-depth research and data.

All WSJ Pro Cybersecurity research reports, webinars, events and data are available at wsj.com/pro/cybersecurity/research
