Proton Data Breach Observatory to expose infosec cover-ups • The Register


Some orgs would rather you not know when they’ve suffered a cyberattack, but a new platform from privacy-focused tech firm Proton will shine a light on the big breaches that might otherwise stay buried.

Launched on Thursday, Proton’s Data Breach Observatory aims to scour the dark web for details of breaches that don’t reach the likes of regulators’ portals, or those that the affected organization simply hasn’t acknowledged.

Proton said in its announcement that the Data Breach Observatory will launch with a roundup of 2025’s incidents to date, identifying 300 million individual records across 794 attacks.

Excluded from these are the often lofty figures associated with infostealer dumps, which typically garner the clickiest headlines but concern data that is routinely duplicated, old, or otherwise mundane.

The Data Breach Observatory will feature only attacks that targeted lone organizations rather than such aggregated cases. Without this exclusion, the number of incidents it would have collected would be nearly double, and the number of affected records would be in the hundreds of billions, Proton said.

The Swiss privacy biz said there isn’t enough transparency around data breaches, and there is a growing market on the dark web for stolen details, such as credentials and sensitive personal information.

In 49 percent of cases examined so far this year, passwords featured among the leaked datasets, and sensitive stuff like records related to government services or healthcare were found in more than a third (34 percent).

Proton is aiming to update its Data Breach Observatory in near-real time, and responsibly disclose the attacks it finds on the dark web that may otherwise never have gotten the airtime they deserve.

The new service wasn’t launched to simply harangue orgs for keeping shtum when they could be more transparent. Proton said it believes the Observatory will help small and medium businesses, which remain the most vulnerable to data breaches, become more aware of the dangers and shore up their systems accordingly.

Eamonn Maguire, director of engineering, AI & ML, at Proton, insists that the Data Breach Observatory is different from sites like HaveIBeenPwned, and the fact that it ingests data from dark web sources sets it apart from others like it.

He told The Register: “Many breach disclosures come from other sources too: GDPR notifications, researchers, threat intelligence feeds, and journalistic investigations, and so on. However, there’s still a significant gap: many organizations choose not to disclose breaches when not legally required, or delay disclosure. 

“Our Observatory fills this gap by monitoring criminal sources directly, meaning we can identify breaches regardless of whether the organization affected chooses transparency. The key differentiation is systematic, near-real-time monitoring of criminal sources rather than waiting for eventual disclosure.”

Scouring the dark web for this kind of intel is not a novel endeavor, although publicizing results of those investigations is less common.

Dark web breach data is made available to customers of threat intelligence companies, for example, but these are often private reports, so the wider business community rarely benefits.

In addition, data circulating on the dark web is often unreliable and thus must be screened. You can’t just take the word of a cybercriminal and run with it.

Using ransomware leak blogs, from which big cybersecurity companies commonly gather statistics to inform their quarterly reports on the number of attacks, is problematic, because these sites routinely inflate their claims.

Asked how Proton plans to ensure the veracity of the data it finds, Maguire said that the company has partnered with US-based Constella Intelligence, which will handle this part of the process.

“There are a number of processes that go into this,” he said. “For example, cross-referencing compares against known breach patterns and previous leaks. Similarly, metadata examination analyzes timestamps, file structures and other metadata for consistency, and company outreach plays a part too.

“Part of our responsible disclosure process includes contacting affected companies, which often provides confirmation. You’re absolutely right that ransomware leak sites can include duplicated or inflated data, which is precisely why we focus on single-source, identifiable breaches and exclude aggregated compilations. We’re not simply republishing what criminals claim; we’re applying validation layers before disclosure.” ®
