
What Happens to Your Data After a Breach

Incident Response · March 19, 2026 · 6 min read

Stolen data does not just disappear

When a data breach makes the news, the coverage focuses on the initial attack — how many records were exposed, which company was affected, and what type of data was compromised. What rarely gets covered is what happens next. The stolen data enters an ecosystem that is organized, efficient, and surprisingly predictable. Understanding this ecosystem is important for every business that handles sensitive information, because it changes how you think about prevention, detection, and response.

The breach timeline

Most breaches follow a consistent timeline. Understanding each phase helps you respond more effectively when — not if — your organization faces a security incident.

Phase 1: Initial access (days to months before discovery)

The average time between an attacker gaining access to a system and the breach being discovered is still measured in months, not days. During this dwell time, the attacker moves through the network, escalates privileges, identifies valuable data, and exfiltrates it. In many cases, the attacker has been inside the network for weeks or months before anyone notices anything unusual.

This is why breach monitoring matters. You may not detect the intrusion in real time, but monitoring for your organization's data appearing in known breach databases or dark web marketplaces can provide early warning that something has happened.

Phase 2: Discovery and containment

Discovery happens in one of three ways: your own monitoring detects the breach, a third party (like a security researcher, law enforcement, or a breach monitoring service) notifies you, or the attacker announces it — either by deploying ransomware, contacting you with extortion demands, or posting your data publicly.

Once a breach is discovered, the immediate priority is containment. This means identifying the entry point, revoking compromised credentials, isolating affected systems, and stopping the ongoing exfiltration of data. Every hour of delay during containment increases the scope and cost of the breach.

Phase 3: Investigation and notification

After containment comes the investigation: What data was accessed? How many individuals are affected? When did the breach begin? How did the attacker get in? This investigation informs both the technical remediation and the legal notification requirements.

Notification timelines vary by jurisdiction, but the trend is toward faster mandatory disclosure. Many states now require notification within 30 to 60 days of discovery, and some have moved to even shorter windows.

What attackers actually do with stolen data

Stolen data is not a trophy that sits on a shelf. It is a commodity that moves through a supply chain — from the attacker who stole it, through intermediaries who package and sell it, to the end buyers who use it for fraud.

Credential data gets tested and resold

Stolen usernames and passwords are tested against other services within hours of being exfiltrated. Automated tools attempt to log in to email providers, banks, social media platforms, and cloud services using the stolen credentials. Any successful logins are packaged as "verified" accounts and sold at a premium. A verified corporate email login is worth significantly more than an unverified credential pair because it provides access to internal systems, financial data, and the ability to impersonate a real employee.

This is why a breach at one service can cascade into breaches at others. If your employees reuse passwords across personal and business accounts, a breach of any service they use puts your business systems at risk.

Financial data gets used quickly

Stolen credit card numbers, bank account details, and financial records are among the most time-sensitive types of stolen data. Attackers know that cards will be canceled and accounts frozen once the breach is discovered, so they move fast. Credit card data is either used directly for fraudulent purchases or sold in bulk to buyers who specialize in cashing out stolen financial instruments.

For businesses, stolen financial data can also enable wire fraud. With access to bank account numbers, routing information, and enough context about the business's financial relationships, an attacker can craft convincing wire transfer requests or redirect incoming payments.

Personal information fuels identity theft

Social Security numbers, dates of birth, home addresses, and other personal identifiers are valuable precisely because they do not change. A stolen credit card number is useful for weeks. A stolen Social Security number is useful for years. This data is used to open new credit accounts, file fraudulent tax returns, commit insurance fraud, and create synthetic identities that combine real and fabricated information.

Employees whose personal data is stolen in a business breach face long-term identity theft risk that extends far beyond the immediate incident.

Data gets held for ransom

In ransomware and extortion attacks, the attacker's primary goal is payment. They encrypt your systems, exfiltrate sensitive data, or both — and then demand payment in exchange for decryption keys or a promise not to publish the stolen data. Even if you pay, there is no guarantee the data will not be sold or published later. Multiple ransomware groups have been caught selling data after receiving payment.

Dark web data markets, explained simply

The dark web is not as mysterious as it sounds. It is a portion of the internet accessible through specialized browsers like Tor, where websites are not indexed by search engines and users can operate with a degree of anonymity. Within this space, marketplaces operate much like any e-commerce platform — with listings, reviews, customer support, and return policies.

Stolen data is listed for sale with descriptions of what is included, how fresh it is, and how it was obtained. Prices vary based on the type of data, its recency, and whether credentials have been verified as working. A database of unverified email and password combinations might sell for a few dollars. Verified corporate email logins with access to financial systems can sell for hundreds or thousands.

These marketplaces also offer services built on stolen data: money laundering, document forgery, and fraud-as-a-service operations where buyers can purchase fully executed identity theft packages rather than doing the work themselves.

Breach notification laws: what you are legally required to do

Every U.S. state has a data breach notification law, but the requirements vary significantly.

Timing

Most states require notification within 30 to 60 days of discovering a breach. Some states, like Florida, require notification within 30 days. Others allow up to 60 or 90 days. A few states specify that notification must happen "without unreasonable delay" without setting a specific deadline, which creates ambiguity but generally means as fast as reasonably possible.

Who must be notified

At minimum, you must notify the affected individuals. Many states also require notification to the state attorney general, especially if the breach affects more than a certain number of residents (commonly 500 or 1,000). Some industries have additional requirements — healthcare organizations must comply with HIPAA breach notification rules, and financial institutions have obligations under the Gramm-Leach-Bliley Act.

What must be included

Notification letters typically must include a description of what happened, the types of data involved, what steps you are taking in response, and what the affected individuals can do to protect themselves (such as placing credit freezes or monitoring their accounts). Many states require that you offer free credit monitoring for a specified period.

Penalties for non-compliance

Failure to comply with breach notification requirements can result in fines, lawsuits, and regulatory enforcement actions. Several states allow affected individuals to bring private lawsuits, and class action litigation after breaches has become increasingly common. Beyond legal penalties, mishandling breach notification destroys trust with customers, partners, and employees.

How to find out if your data has already been breached

You do not have to wait for a notification letter to find out if your data has been exposed. Breach monitoring services continuously scan known breach databases, dark web marketplaces, and paste sites for credentials and data associated with your domain. When employee email addresses or credentials appear in a new breach, you receive an alert — often before the breached company has even discovered the incident.

For individuals, services like Have I Been Pwned allow you to check whether a specific email address appears in known breach databases. For businesses, automated breach monitoring across all company email addresses provides continuous visibility without manual checking.
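The domain matching behind this kind of monitoring can be sketched as follows. This is an added example, not code from the original article or from any monitoring product; the `source,email,secret` record format, the plus-tag normalization policy, and all names and sample values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records in "source,email,secret" form; all values are invented.
SAMPLE_RECORDS = """\
forum-dump-a,Alice@Example.com,hunter2
forum-dump-a,mallory@notexample.com,letmein
shop-dump-b,alice+shop@example.com,
shop-dump-b,bob@mail.example.com,
shop-dump-b,not-an-email,xyz
"""

def in_domain(email_domain, org_domain):
    # Exact match or true subdomain; "notexample.com" must not match "example.com".
    return email_domain == org_domain or email_domain.endswith("." + org_domain)

def normalize(email):
    # Lowercase and strip "+tag" so alice+shop@ and alice@ map to one mailbox
    # (assumed mail policy; drop this step if your mail system treats them apart).
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        return None
    return local.split("+", 1)[0], domain

def exposures(records_text, org_domain):
    """Map each in-scope mailbox to its breach sources and whether a secret leaked."""
    result = defaultdict(lambda: {"sources": set(), "secret_exposed": False})
    for line in records_text.splitlines():
        fields = line.split(",", 2)
        if len(fields) != 3:
            continue
        source, email, secret = fields
        parsed = normalize(email)
        if parsed is None or not in_domain(parsed[1], org_domain):
            continue
        entry = result[f"{parsed[0]}@{parsed[1]}"]
        entry["sources"].add(source)
        # Record only that a secret was present; never store the leaked value.
        entry["secret_exposed"] = entry["secret_exposed"] or bool(secret)
    return dict(result)

def reset_queue(found):
    # Mailboxes with a leaked secret come first: those need a forced password reset.
    return sorted(m for m, e in found.items() if e["secret_exposed"])
```

The suffix check is the detail that most often goes wrong: a plain `endswith(org_domain)` would pull in look-alike domains and generate alerts for accounts that are not yours.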

Prevention is cheaper than response

Every phase of the breach timeline — from the initial intrusion to the legal notification to the class action lawsuit — costs money, time, and reputation. The businesses that fare best are the ones that invest in prevention and detection before an incident occurs: vulnerability scanning to close entry points, employee training to stop phishing, breach monitoring to catch exposures early, and documented security policies that demonstrate due diligence.

Run a free security assessment to find out what an attacker can see about your business right now — and close the gaps before they are exploited.

© 2026 Kaspera Shield. A product of Kaspera.