Security awareness

The other sextortion: Data breach extortion and how to spot it

Greg Belding
July 27, 2021 by
Greg Belding

Sextortion is a serious crime that has negatively impacted thousands worldwide with an estimated 10,000 or more currently at risk. While this crime has garnered some headlines, there is a different type of sextortion that has been plaguing the cyber world that of data breach extortion. 

Role-appropriate training to your entire workforce

Role-appropriate training to your entire workforce

Get a free year of cybersecurity skills training with your security awareness training purchase.  

What are sextortion and data breach extortion?

Sextortion refers to a crime that involves an abuse of power through coercion, and this coercion is sexual in nature. The criminals may demand nude photographs or some other kind of sexual act in exchange for not violating the victim’s privacy. This catastrophically impacts the lives of victims and can have far-reaching emotional consequences for the victim.

Data breach extortion is the other type of sextortion that falls within the realm of information security. It is when cybercriminals claim that they have exfiltrated sensitive data from the victim, typically an organization, and demand that a payment is made to them in exchange for them not leaking the information to the public. This payment is normally made in bitcoin and the payment demand can range from $1,000 to $3,000 worth of bitcoin.

Cybercriminals engaging in data breach extortion are following in the footsteps of ransomware that I wrote about a couple of years back called Maze. The functionality of Maze was a departure from other ransomware where ransomware up until that point was encrypting the victim’s data and then demanding a ransom to decrypt the data. Maze added another action to this list: exfiltration. And they were not exfiltrating mundane information available to the public. Instead, they were exfiltrating sensitive organization information that would damage the reputation of the organization.

Is data breach extortion a crime?

Yes. Both of these are serious crimes and the FBI as well as local and state law enforcement are not only aware of these crimes, but they actively investigate, arrest and prosecute those that engage in them.

What to do if data breach extortion happens to you

The unfortunate thing is that data breach extortion can happen to any organization. The good thing is you can disarm the strongest weapon in the hands of data breach extortion attackers, which is their ability to throw deception into the mix. When cybercriminals threaten data breach extortion they operate based upon the premise that they have exfiltrated your data and the key to this working is your belief that this data has been exfiltrated.

The unfortunate thing for would-be cyberattackers is that you can spot whether the data breach extortion attempt is legitimate without having to rely on the attacker’s claims. Organizations that have an IT department or even a sole IT/information security professional can determine if data has been exfiltrated. They would have to conduct a forensic audit of the network and databases that would have been impacted by this exfiltration without difficulty.

How to deal with Facebook sextortion

Of the sextortion cases that bleed into the realm of information security, Facebook is a platform that has been hit especially hard with sextortion. Remember, if this happens to you, you do not have to give in to their demands. Please visit the Facebook Stop Sextortion hub here if you believe you may be facing Facebook sextortion yourself. 

Do data breach extortionists follow through on their threats?

There is no clear answer whether the extortionists will make good on their threats. If we are talking about the first data breach extortion in its early days, such as in the heyday of Maze in 2019. Maze was known for making good on their threats of releasing the sensitive organizational information of their victims and the attack group made millions in bitcoin from organizations that paid up the extortion.

Data breach extortionists that have followed in the footsteps of Maze have operated less on actual data exfiltration and more on deception. Where Maze would actually exfiltrate sensitive organizational data, current data breach extortionists may be just pulling your proverbial chain. This claim would read something like, “Please forward this email to someone in your company who is allow to make important decisions! We have hacked your website and extracted your databases.”

As scary as that may sound (and not I am not talking from a grammar perspective), you can prove whether this actually occurred with a fairly basic audit of your network and systems. Once you have determined that this exfiltration has not occurred, you will be in a strong position when it comes to the next steps in dealing with the data breach extortionists. Remember, if they don’t have your data, they cannot damage your organization’s reputation.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

What to do when faced with data breach extortion and sextortion

Sextortion is a crime where, instead of demanding money, criminals demand something sexual in nature, such as sexual images of yourself or possibly even acts. Data breach extortion is the other sextortion, so to speak, where cybercriminals claim that they have exfiltrated sensitive information about your organization and will damage your reputation unless you pay up in bitcoin. Remember, unless you are dealing with the Maze attack group, chances are that your data has not been exfiltrated, thus taking the wind out of the attacker’s sails. This will have to be confirmed by your IT department to see if your data has actually been exfiltrated.



Maze Ransomware, InfoSec

Data Breach Extortion Campaign Relies on Ransomware Fear, Data Breach Today

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.