What is the legality of sharing data from data breaches?

Hello, I hope this will be the right forum to ask this question. What is the legality of sharing data that comes from data breaches? Specifically in the US, but I’m curious about laws in other places.

Data like:

+Usernames

+Emails

+IP Addresses

+Passwords

+And more

Every site and OSINT person has explained that this leaked data is “public information” so it is legal to have and to create services free or paid to search this data. I know that your data is already being sold by companies themselves, but doesn’t that data become “stolen” when breached?

Does the illegality only come in when you abuse this data in some way like identity theft or accessing accounts through stolen passwords?

Not a lawyer, but I wouldn’t bank on that. What I have noticed is sites like haveibeenpwned for example do not share the corpus data, only a hashed version.

You can however use a password manager that can do a lookup there, and both Bitwarden and KeePassXC have that feature (they create a hash and then check the hash).

5 Likes
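One way to do the hashed lookup the reply describes (the Pwned Passwords k-anonymity range check: hash locally, send only a 5-character hash prefix, compare the remaining suffix on the client), as an added example that is not code from the original post or from haveibeenpwned, Bitwarden or KeePassXC. The range response, its counts and the offline fetcher are constructed for this example; a real client would fetch the range over HTTPS instead.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response: one line per
# suffix, "<35 hex chars of SHA-1 suffix>:<count>". Counts and the second
# suffix are made up for this example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"   # suffix of sha1("password")
        "0123456789ABCDEF0123456789ABCDEF012:7\r\n"       # unrelated, made up
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix ever leaves the client."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping blank lines."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for GET /range/<prefix>; empty body for unknown prefixes."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password's hash appears in the fetched range (0 if absent).
    The plaintext and the full hash never leave this function."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, constructed_fetch)} times")
```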

I agree there should be a law or rule by IT ministry prohibiting circulation of data breaches which are often in form of “samples”. Maybe popular social media websites should also have a policy against leaked databases on their platform.
For example on the pirate platform “Telegram” you could find many groups sharing dehashed leaked databases info openly.
It really increases the risk for the victim.

Eh, honestly that sounds rather pointless at that stage. Once the data is out it is out. The assholes looking to exploit it are the ones who will get it whether it’s allowed or not. So it is arguably better that it gets shared in the open, thus making sure more people hear about it and have a chance to take mitigating measures.

Well if you collect or process data of EU citizens regardless of you being in the US you are subject to the GDPR. Therefore you are required to notify the individual of the fact that you are processing their data besides even the sharing of such. Something being publicly accessible does not change that requirement as far as my understanding goes.
Depending on the usage you may also need to obtain consent when your usage isn’t covered by any subjectable “legitimate interest”.
(Not a lawyer)

1 Like

Are you sure?

“This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” - Article 3 – Territorial scope

Makes it seem that some kind of agreement between the relevant countries needs to be in place for it to apply

See clause (a). in your reference.

My understanding is that whenever you target subjects while they remain in the EU the regulation applies.

A US based firm offering services or by f.x. targeting the subject in whatever way (say f.x. using the local language, targeting ads) will be seen as targeting the market in which the subject remains.

It is different when an EU person is visiting the US and while they are there data is collected by a firm. That is outside of the scope of the regulations. But f.x. a tourist office processing data of an EU person planning to go to the US is.

So in this case it is quite difficult as it will come down to the question of when you are targeting a specific market. However, when the data is obtained from a source where the subject would have been in the EU market I don’t think that status can change, as the original processing is subject to the GDPR. Again I have to emphasize I am not a lawyer, this is just my understanding of the matter.

1 Like

That pertains to the offer of goods and services to the individual whose data is being processed, which would not apply in this situation.

If you share data you are offering something? This would definitely apply.

I honestly don’t see how. If that was the case a lot of what’s done when it comes to academic research would be illegal. The data is not being processed by the entity that collected it, nor anyone affiliated with it. Be mindful that by “processor” they mean a subcontractor; that’s made clearer in other languages. In English you almost invariably lose some nuance, making correct interpretation harder.

1 Like

Academic research can be based on consent. At my uni we were required to prove that we obtained such from all data subjects. I don’t think that is weird at all. Data can also be shared with a uni for research when the right measures have been taken and there is a legitimate interest, such requires a DPIA.

Scraping personal data off the web is, in whatever way, a very gray/dark area.

1 Like

Neither do I. Depends on what you’re doing, how you’re getting the data and the fact that ethics and law do not always coincide. I could provide examples but maybe that would get us too off topic. I really don’t see how GDPR would apply to this situation given the discussed article 3 and the fact that the data processor would not be either the data collector or a subcontractor, which is what they mean by the word “processor” in the English version of the document.

1 Like

@potg While I only loosely read them, I think you’ll find these white papers from the US DoJ Criminal Division’s CCIPS of interest, as I believe they at least somewhat answer your questions for the USA (assuming that they’re up-to-date).

DHS and DOJ Cybersecurity Information Sharing Act Procedures and Guidance and FAQs (October 2020)

Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (February 2020)

2 Likes

I am pretty sure that if you scrape data you will be a data controller under the GDPR.

You can only be a data processor when you obtain data as a subcontractor. Since there is no relationship with the original controller that won’t apply.

Yes, that’s what I’ve been saying.

That’s where the last paragraph of the article comes in and precisely what I led with:

Hey, thank you for those links, @frostlike. I still need to read those over again; it’s not an easy read for me as I’m not savvy on these things. I planned on a response once I understood them but I figured I should go ahead and thank you now.

I’m doing some searching on this topic (after my first post), looking specifically for legal cases. So far I’ve found one from Canada, on LeakedSource, thanks to this blog post by Troy Hunt.

I don’t know the best way to detail the relevant parts (a LinkedIn cease and desist already covered in the Troy Hunt blog, the site going down, the arrest of the owner, the company pleading guilty and charges made) in this post, so if you’re interested this has the most detail: https://krebsonsecurity.com/2023/07/leakedsource-owner-quit-ashley-madison-a-month-before-2015-hack/. The charges made were trafficking in identity information, unauthorized use of a computer, mischief to data, and possession of property obtained by crime.

From the KrebsOnSecurity article:

In 2019, a Canadian company called Defiant Tech Inc. pleaded guilty to running LeakedSource[.]com, a service that sold access to billions of passwords and other data exposed in countless data breaches.

The RCMP arrested Bloom in December 2017, and said he made approximately $250,000 selling hacked data, which included information on 37 million user accounts leaked in the 2015 Ashley Madison breach.

Subsequent press releases from the RCMP about the LeakedSource investigation omitted any mention of Bloom, and referred to the defendant only as Defiant Tech. In a legal settlement that is quintessentially Canadian, the matter was resolved in 2019 after Defiant Tech agreed to plead guilty. The RCMP declined to comment for this story.

As to his company’s guilty plea for operating LeakedSource, Bloom maintains that the judge at his preliminary inquiry found that even if everything the Canadian government alleged was true it would not constitute a violation of any law in Canada with respect the charges the RCMP leveled against him, which included unauthorized use of a computer and “mischief to data.”
“In Canada at the lower court level we are allowed to possess stolen information and manipulate our copies of them as we please,” Bloom said. “The judge however decided that a trial was required to determine whether any activities of mine were reckless, as the other qualifier of intentionally criminal didn’t apply. I will note here that nothing I was accused of doing would have been illegal if done in the United States of America according to their District Attorney. +1 for free speech in America vs freedom of expression in Canada.”
“Shortly after their having most of their case thrown out, the Government proposed an offer during a closed door meeting where they would drop all charges against me, provide full and complete personal immunity, and in exchange the Corporation which has since been dissolved would plead guilty,” Bloom continued. “The Corporation would also pay a modest fine.”

No clue if the LinkedIn cease and desist from 2016 has connections to what would happen later.

https://threatpost.com/linkedin-slams-breach-data-reseller-with-cease-and-desist-order/118213/

LinkedIn is striking back against a website attempting to monetize the 117 million usernames and passwords stolen from the company as part of a 2012 data breach. Website LeakedSource is reporting lawyers representing LinkedIn have served the company a cease and desist order on Wednesday alleging the company is in violation of California’s Computer Fraud and Abuse Act because it is “illegally copying and displaying LinkedIn members’ information” without their consent.

LeakedSource claims California laws are not applicable to the company because it is based outside the United States. The company also claims it is not making the entire database available for sale. It claims its business model is to sell subscriptions to individuals interested in searching its database collection of publicly available, compromised databases to verify if their credentials have been compromised. Prices start at $0.76 a day with monthly subscriptions also available.

1 Like