Data Breach Backups

“For sale: company data, new breach” is the saddest six-word news headline any CISO or privacy officer can imagine. It heralds media storms, loss of public confidence, and worst of all: government auditors. While internal privacy officials can usually be redirected by pointing at an intern who used the CC field instead of BCC, and third-party compliance auditors can be distracted with the promise of even more contracts, government regulatory bodies suck you into their bureaucracy for months or years, even though the likely outcome is a fine that costs less than the emails they make you send to affected customers.

Here at ScorpInc we’ve so far avoided data breaches and confidential information leaks by being good at information security, something we recommend other companies, organisations, and governments try. But the continual stream of leaks of private data by hackers like KaoriWaifu07, and the constant availability of this information online, has led us to our newest service: Data Breach Backups.

Simply package and encrypt vital information that you can never risk losing and then post it on a popular breach forum, social media channel, “encrypted” chat service, or hacktivist website with a notice about how you just exfiltrated it from a specific (different) company. The encrypted information represents such a juicy and exciting target that many users and groups will automatically take and publish copies of it online in the hopes that someone eventually cracks it. With standards-compliant encryption and solid internal secret/key storage systems you should be safe from that data ever being decrypted, while remaining certain that a few copies of it will stay online, kept there specifically by the type of people who want to be seen having dirt on a major company.

An alternative to this system is to steganographically encode your actual vital data inside a dump of information that your [Offensive Site Reliability Engineering]({{< relref "/content/studies/2023-02-10-offensive-site-reliability-engineering.md" >}}) has managed to purloin from a rival company. The impact of this is two-fold:

  1. You will always have a permanent backup of your data somewhere online.
  2. Your competitor is forced into the public eye for their bad cybersecurity and management of private data.

ScorpInc recommends that you do not leak any information about individuals that has been captured during such OSRE exercises, as they are not involved in or at fault for the information handling of the company they used.

When it comes to secure, permanent backups, ScorpInc is the name you will trust.