When the Harris Federation was hit by a ransomware attack in 2021, the criminals didn’t just encrypt their systems—they stole sensitive data and threatened to publish it on the dark web. The attackers, a Russian group known as REvil, demanded millions in cryptocurrency and used the prospect of public embarrassment to exert pressure.
“They’d stolen data from us,” said Sir Dan Moynihan, CEO of the Federation, in an interview on BBC Radio 4’s Today Programme.
“They threatened they’d put this stuff up on the dark web and cause us great embarrassment.”
This tactic is becoming increasingly common. Cybercriminals no longer rely solely on locking up systems—they steal data and threaten to leak it. But what exactly happens when that data is exposed on the dark web? And why should every organisation—retailers, schools, hospitals, councils—take this risk seriously?
The Dark Web: A Marketplace for Stolen Data
The “dark web” refers to parts of the internet that aren’t indexed by search engines and require special software like Tor to access. It’s not illegal in itself—but it is where much of the internet’s illicit activity takes place, including:
- Sale of stolen credit card numbers
- Personal identity data (names, emails, national insurance numbers, addresses)
- Hacked medical and education records
- Leaked business logins and intellectual property
- Credentials for remote desktop access (RDP) into company systems
When ransomware gangs threaten to “dump your data,” they usually mean publishing it on hidden dark web forums or auction sites. Some groups run their own branded leak sites where stolen data is made available as proof—or punishment—for non-payment.
The Aftermath: What Happens Next?
Once your organisation’s data is exposed on the dark web, several things may follow:
1. Further Criminal Exploitation
Other threat actors buy and use the data for:
- Phishing campaigns targeting your employees or customers
- Business email compromise (BEC) scams
- Credential stuffing attacks (reusing passwords across platforms)
2. Regulatory and Legal Fallout
If personal data is exposed—especially from staff, students, or customers—you may be liable under data protection regulations like the UK GDPR. Regulatory action, fines, and reputational damage may follow.
3. Reputational Harm
Your stakeholders may lose trust, especially if the exposure was preventable or hidden. Transparency and accountability are key, but many organisations struggle to control the narrative once the data is out.
4. Long-Tail Consequences
Even years later, your data may resurface. Cybercriminals often sit on breached data, release it in stages, or repackage it for resale. There is no easy way to “clean it up.”
Why Hackers Do It
Publishing data serves two strategic purposes for cybercriminals:
- Pressure: To coerce victims into paying ransom demands by demonstrating their seriousness.
- Profit: Even if a ransom isn’t paid, the data can still be monetised by selling it in underground markets.
For hackers, it’s all business. For victims, it’s deeply personal.
What Organisations Must Do
In light of these risks, here’s how you prepare:
- Limit Data Retention: Don’t keep sensitive data longer than necessary. The less you hold, the less you can lose.
- Encrypt Critical Data at Rest: So that even if data is exfiltrated, it’s not easily usable.
- Monitor the Dark Web: Services exist to alert you if your data appears in dumps or forums.
- Use Multi-Factor Authentication (MFA): Especially for administrative systems and remote access tools.
- Have a Breach Communication Plan: Be ready to notify stakeholders, regulators, and staff if data is leaked.
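To show how the monitoring and MFA points work together, here is an added example (not from the original article) that triages an alert from a monitoring service: it matches leaked "email:password" lines against your own directory and ranks accounts for forced resets. The domain, the directory export, the dump lines and the PBKDF2 hashing are all constructed assumptions for this sketch.

```python
import hashlib
import hmac

ORG_DOMAIN = "example-school.test"  # assumed domain for this sketch

def pw_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for however your identity store hashes passwords (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed directory export: account -> admin flag, MFA state, stored hash.
DIRECTORY = {
    "head@example-school.test": {"admin": True, "mfa": False, "salt": b"s1",
                                 "hash": pw_hash("Autumn2021!", b"s1")},
    "teacher@example-school.test": {"admin": False, "mfa": True, "salt": b"s2",
                                    "hash": pw_hash("rotated-since", b"s2")},
    "office@example-school.test": {"admin": False, "mfa": False, "salt": b"s3",
                                   "hash": pw_hash("Welcome1", b"s3")},
}

# Constructed sample of an "email:password" dump supplied by a monitoring alert.
DUMP = [
    "Head@Example-School.test:Autumn2021!",
    "teacher@example-school.test:old:pass",   # password that itself contains ':'
    "office@example-school.test:Welcome1",
    "someone@other-org.test:irrelevant",
    "corrupted line without separator",
]

def triage(dump_lines, directory, domain=ORG_DOMAIN):
    findings = []
    for line in dump_lines:
        email, sep, leaked = line.strip().partition(":")  # split on first ':' only
        email = email.lower()
        if not sep or not email.endswith("@" + domain):
            continue  # malformed line, or not our organisation
        acct = directory.get(email)
        if acct is None:
            continue  # leaver or unknown address: review separately
        still_valid = hmac.compare_digest(pw_hash(leaked, acct["salt"]), acct["hash"])
        # Rank: password still live > no MFA > admin rights.
        score = 4 * still_valid + 2 * (not acct["mfa"]) + acct["admin"]
        findings.append({"account": email, "password_still_valid": still_valid,
                         "mfa": acct["mfa"], "admin": acct["admin"], "score": score})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in triage(DUMP, DIRECTORY):
        print(f)  # the leaked password itself is never printed or stored
```

Accounts at the top of the list (leaked password still in use, no MFA) are the ones a credential stuffing attempt would succeed against, so they get reset and enrolled in MFA first.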
Refusing to Pay: Still the Right Call?
Sir Dan Moynihan and the Harris Federation refused to pay the ransom. Their reasons were ethical—but also strategic. Paying might have simply encouraged the criminals and still led to data exposure. As Moynihan said:
“We were clear from the beginning: we were not going to pay… Had we paid, we’d have opened the door for other school groups to be attacked.”
That decision sent a message. But it also required enormous resilience—and a willingness to accept the consequences of stolen data being made public.
Conclusion: Visibility is Power
You may not be able to stop every attack—but you can prepare for what comes next. Knowing what happens when your data hits the dark web gives you an edge: the ability to respond swiftly, protect your users, and start rebuilding trust.
Because once your data is stolen, the story is no longer yours to control. Unless you’ve already written the next chapter.