Expert witness - delivering evidence from the dark web when data breaches go to court

The implementation of privacy legislation has been well-publicized. The California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) have raised public awareness considerably regarding the value of personal data and the implications of its loss or theft.

The fear that a malicious actor might use stolen Personally Identifiable Information (PII) or other personal data to commit fraud via identity theft is a real and understandable concern for individuals. Compounding this fear are the frequent data breaches that hit the headlines. People regularly hear or read about millions of records being exposed or stolen. Often, one outcome of these mega breaches is a class action lawsuit, in which individuals whose data has been breached launch a suit against the organization accused of not securing their data.

Experts in cybersecurity

BlueVoyant are experts in cybersecurity and the dark web, where cybercriminals sell breached data. BlueVoyant professionals may be called in as expert witnesses to help analyze the increase in risk a breach has or has not caused. They can also explain to the court how personal data is sourced by cybercriminals and used to commit fraud.

What are some of the factors we consider when we assist in these cases? How can individuals minimize their risk of fraud, even if their data is involved in a breach?

The first thing to note is that no one wants to end up on either side of a class-action lawsuit over a data breach. Plaintiffs are worried about whether they need the protection of anti-fraud measures. Defendants will have suffered a loss of customer trust, reputation, and potential financial damage. We focus on helping courts come to a fair conclusion based on evidence that we can provide. This is due to the expertise of our cyber threat and dark web analysts and the insight we can provide into cybercriminal communities and tactics.

Can the stolen data be used to commit identity theft?

One of the critical determinants in a class action lawsuit is the type of data that has been stolen and whether it can be used on its own to commit identity theft. In this sense, not all data breaches are quite the same.

When data is stolen, if it has any value at all to fraudsters, it usually turns up on dark web marketplaces. Each piece of personal data has differing value to cybercriminals. Opening bank accounts, making purchases, or claiming benefits based on someone else’s identity requires specific privileged information. We can make precise determinations on what information is necessary to commit specific criminal schemes. We are also able to comment to the contrary when data breaches do not contain sufficient PII to advance fraudulent activities.

Dark web sites that cater to identity thieves usually carry inventory that focuses on the types of data required to commit financial fraud. In the cybercriminal world, these data packages are referred to as a ‘Fullz’. Fullz, at a minimum, includes the victim’s full name and billing address, credit card number, expiration date and card security code, as well as their social security/national insurance number and birth date.

Risk exposure on the dark web

We are often asked to investigate the level of exposure those affected by the breach already have on the dark web. The rationale for this is to establish whether the breach in question has genuinely increased individual identity or financial fraud risk.

It often comes as a surprise when people learn just how much of their data is already available on the dark web. Our dark web analysts conduct exhaustive searches of deep/dark web sources. They look to establish what personally identifiable information is obtainable and identify the historical breaches from which it originates.

We can build a full picture of an individual’s presence online. It could include lists of stolen account log-in and password details. It may also include PII such as driver’s license information, residential history, and social security data. If class-action participants had low exposure prior to the breach at issue, their claim that the breach has raised their risk can be validated. If, however, much of their personal data was already available, their position – in the case of this specific breach – is, potentially, not as strong.

Assembling this evidence requires support from an authoritative and credible expert witness with a covert presence on the dark web from which to conduct investigations. BlueVoyant maintains this type of presence. Our analysts have honed their craft in international intelligence agencies and at the highest levels of private sector cyber intelligence. They can build this portfolio of information to lend evidence-based clarity and substance to legal arguments.

What can individuals do to protect their data?

Experience tells us that it’s vital that individuals keep high-value personal data under tight control, so that in the event of a breach their risk of identity theft or financial fraud is reduced. That means keeping social security/national insurance numbers, credit card information and PII closely guarded. When combined, they can be the prime tools for identity verification by financial and government institutions.

Also, the importance of account password hygiene cannot be overstated. Cybercriminals who buy a list of names, emails and passwords exfiltrated from a breach at one organization will try them out with other businesses. Using the same log-in details with your favourite clothing store as for your bank means a breach at one compromises your security at the other.

Ultimately, no one wants to be involved in a data breach class action. When it does happen, understanding the value of the data stolen, whether it has surfaced on the dark web, and the level of victims’ existing exposure are the key factors the court needs to use to reach its verdict. That is where BlueVoyant can help. We can research, analyse, and present evidence that helps courts to reach a fair conclusion in data breach class action lawsuits.


BlueVoyant

BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200 and GCHQ, together with private sector experts. BlueVoyant services utilize large real-time datasets with industry leading analytics and technologies.

Austin Berglas
Austin Berglas is an accomplished cyber intelligence professional with a demonstrated history of creating, building, and leading world class teams optimized for mission success. As head of the cyber branch in the FBI’s New York office, Austin spent years tracking and battling intrusions by state-sponsored hackers into strategic U.S. networks. In 2017, Austin joined BlueVoyant as the Global Head of Professional Services, after building and leading the Cyber Defense practice at corporate investigations company, K2 Intelligence. Prior to his private sector career, he served 22 years in the U.S. Government. Austin was the Assistant Special Agent in charge of the Federal Bureau of Investigation’s New York Office (NYO) Cyber Branch. There, he oversaw all national security and criminal cyber investigations in the agency’s largest cyber branch.
