We hear about data breaches but don’t hear what happens to the data afterwards, until now.
Bitglass released a whitepaper this week on its recent research into how far and how fast stolen data travels, something we don’t usually get to see.
While Bitglass doesn’t prevent data breaches, what it does is make them traceable. For an experiment they called “the first A/B test” for the web, they created a list of over 1,500 fake employees with fake data designed to look real and included fake credit cards, social security numbers, addresses, phone numbers and more. They ran the fake list through their Bitglass servers and set the Excel file loose on the Internet using a Tor client.
When the file was run through the Bitglass servers, they attached an invisible fingerprint to it, allowing the file to ‘phone home’. That fingerprint pings the Bitglass portal and carries a bevy of information with it, including not just the file name, but also the geographic location, IP address and device type that accessed the file.
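As an added illustration (not Bitglass's code or data), the Python example below reduces phone-home callbacks carrying the fields described above to spread figures of the kind such an experiment reports. The log format, field names, file name, dates and IP addresses are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed callback log (not Bitglass data): one row per time the
# fingerprinted file phoned home. Column names are assumptions; the IPs
# come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
timestamp,file_name,country,ip,device
2015-03-01T09:14:00,employees.xlsx,US,192.0.2.10,Windows PC
2015-03-02T22:40:00,employees.xlsx,RU,198.51.100.7,Windows PC
2015-03-02T23:05:00,employees.xlsx,RU,198.51.100.7,Windows PC
2015-03-05T03:31:00,employees.xlsx,NG,203.0.113.45,Android phone
2015-03-05T03:58:00,employees.xlsx,NG,203.0.113.46,Android phone
2015-03-09T17:20:00,employees.xlsx,BR,203.0.113.99,Mac
2015-03-12T11:02:00,employees.xlsx,RU,198.51.100.7,Windows PC
"""

def summarize(log_text, released_at):
    """Reduce raw callbacks to spread metrics for one released file."""
    first_seen = {}   # country -> time of its first callback
    per_ip = {}       # ip -> number of callbacks
    devices = set()
    views = 0
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if ts < released_at:
            continue  # ignore opens that predate the release (e.g. internal tests)
        views += 1
        country = row["country"]
        if country not in first_seen or ts < first_seen[country]:
            first_seen[country] = ts
        per_ip[row["ip"]] = per_ip.get(row["ip"], 0) + 1
        devices.add(row["device"])
    latest_new = max(first_seen.values(), default=released_at)
    return {
        "views": views,
        # countries in the order the file first reached them
        "countries": sorted(first_seen, key=first_seen.get),
        "days_to_last_new_country": (latest_new - released_at).days,
        # addresses that opened the file more than once
        "repeat_ips": sorted(ip for ip, n in per_ip.items() if n > 1),
        "device_types": sorted(devices),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, datetime(2015, 3, 1)))
```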
And what did they find?
It was expected that the file would get picked up and disseminated, but perhaps they weren’t expecting the speed at which it would travel or the reach it ended up having.
It only took 12 days for their planted, fake accounts to travel from California to 22 countries and five continents. The file was viewed over 200 times and clicked on over 1,000 times, and the tracking data also pointed to the file being accessed by crime syndicates located in Nigeria and Russia.
That’s a long way to go for one little Excel file. And as they pointed out, that’s a whole lot shorter than the 200 days it takes on average for most corporations to detect that a breach has taken place.
Products like Bitglass offer a way for companies to track their data and breach attempts, alerting them sooner rather than later, which will hopefully lead to companies learning where their weak points are.
But what the experiment also underscores isn’t just how quickly stolen information gets circulated. Their systems determined that the false information was being tested for validity, too. Had the fake data actually been real accounts, fraud attempts would already be underway.
We’ve talked about the scale of data breaches, how massive they are and how many people are affected. What we have here with this experiment is insider evidence of how fast leaked data travels the world, and how many people try to commit fraud using it. In a sea of data, account takeover pirates have their pick of digital credentials in a market all their own. Firms need to not only secure their own data but be ever vigilant against people using stolen data on their sites, too.