A client of a security services firm has received an email from the dark web demanding a ransom, or the sender will start selling data it claims to have stolen from the client. The client has asked for the firm's assistance in paying the ransom. How should the company proceed?
It was late on a Friday afternoon. The ReliaQuest Security Operations Center was busy as usual, but nothing was out of the ordinary. ReliaQuest Chief Technology Officer Joe Partlow was in his office working on a new technology innovation when his cell phone rang. It was the Chief Information Security Officer (CISO) for ABC Company, one of ReliaQuest's clients, a company with millions of customers across the United States. ABC Company's CISO had a crisis on his hands. He had just gotten word from his public relations staff that a journalist had called asking for comment about a supposed leak of millions of customer records containing personally identifiable information (PII) that could potentially be used to steal identities. Apparently, the data was listed "for sale" on the "dark web" portion of the Internet by an anonymous hacker. The CISO wanted ReliaQuest's help figuring out whether the data had, in fact, been stolen. If so, who stole it, and how? And what could be done now to recover the lost data? The journalist had given the company a 24-hour window before he said he would post a story.
There was also the question of whether the supposed data leak was legitimate at all. ABC Company’s security team had not been able to verify that any of their systems had been breached, and there seemed to be no way to inspect the supposed stolen data without purchasing it from the anonymous hacker–something the company was not comfortable doing on its own.
The situation was urgent. The prospect of alleged customer data floating around the dark web was deeply troubling to the CISO and to Joe, yet Joe knew that finding the underlying cause of the situation could require members of the ReliaQuest team to use tactics outside the scope of work formally agreed upon by ReliaQuest and ABC Company. Joe also knew that if the breach was real, any tactics ReliaQuest used to identify and secure the data could be subject to discovery in a criminal case. Moreover, Joe worried that if the breach was real and had somehow happened while under ReliaQuest's watch, the incident could create a public relations crisis not only for ABC Company, but also for ReliaQuest. Joe was at a high-stakes crossroads, and time was of the essence. ReliaQuest prided itself on team members' willingness to do whatever it took to make security possible for customers. Nonetheless, Joe needed to decide: How far should ReliaQuest go to verify the breach? How would they find the underlying cause of the breach? How would they recover the stolen data? And who should he consult, both within and outside of ReliaQuest, to solve the problem while protecting stakeholders?
Authors: Jonathan Elder, Nicole Jacobson, Natalie Remsen, Kim Wilmath
Cite as: Elder, J., Jacobson, N., Remsen, N. & Wilmath, K. (2017). Reliaquest: Behind Enemy Lines. 2(12). 1-25. Retrieved from: http://pubs.mumacasereview.org/2017/MCR-02-12-Elder-Ransomware-p1-20.pdf