Is Buying the New Hacking? Rethinking Cyber Security

The Classic Hacker Myth

When you think about cybersecurity, you might picture the familiar Hollywood cliché: a lone hacker, hunched over a keyboard in a shadowy room, surrounded by screens flickering with streams of green code. Or maybe you see a high-tech operations center where a team of specialists watches helplessly as the hacker breaches their systems, one firewall at a time.

And while those images may not be entirely wrong, they’re only half the story. As technical consultants, we spend plenty of time securing networks, plugging vulnerabilities, and reinforcing the fortifications. Our job is to ensure that unauthorized intruders don’t get in – no matter how clever, motivated, or well-funded they may be.

But here’s the twist: not all threats come from shadowy figures in dimly lit rooms. Sometimes, the biggest risks to your company’s data security are actually lurking in plain sight—right in the boardroom. 

In this article Niclas Hedam, our Cyber Security Advisor Niclas Hedam, will share his thoughts on the modern and legal hacking method.

No hacking – just buying

That’s where strategic consultants come in. While technical consultants build walls and barriers to protect against cyberattacks, strategic consultants work to stop your data from escaping legally. Yes, legally.

It turns out you don’t always need to hack a company to get your hands on its data. In some cases, you can simply buy it.

Legal breaches

Enter the world of “legal breaches,” where data may end up in the hands of an entirely new – and potentially very interested – owner through perfectly legitimate channels.

These aren’t data leaks in the traditional sense, where information slips out through a crack in a firewall. No, these “breaches” happen through sales, mergers, partnerships, or even outsourced service agreements.

Think about it: every time you strike a deal with a vendor or partner, your business data – market insights, customer information, competitive intelligence – is at stake. These interactions can open the door to your company’s secrets without a single line of code being cracked.

Strategic Consultants: Protecting Data Beyond the Firewall

Strategic consultants work to prevent this kind of breach from happening. They focus on compliance, contracts, and data-sharing policies that govern who can access what information – and how much they can do with it.

They’re not just protecting your data from unauthorized hackers; they are also protecting it from authorized ones. And trust us, those “authorized” data hunters can be just as crafty as any hoodie-wearing hacker.

The Case of 23andMe: Pioneers in consumer DNA testing 

Take, for example, 23andMe. As one of the pioneers in consumer DNA testing, 23andMe holds a treasure trove of sensitive, highly personal genetic data. With millions of customers sharing their DNA for insights into ancestry, health risks, and genetic traits, 23andMe has to maintain strict security measures to keep this data safe from prying eyes.

But here’s the kicker: while 23andMe might be good at keeping hackers out (actually, they weren’t – they were hacked in 2024, even blaming users for the hack), they face a different risk – what happens if they struggle financially?

Currently, 23andMe is having difficulty turning a profit and could even face bankruptcy. If it comes to that, a buyer could step in and scoop up the entire company (and its database) at a fraction of its original value. And who might that buyer be?

Imagine an insurance company eager to refine its risk assessments, snapping up 23andMe for pennies on the dollar.

From Database to Powerful Tool

Suddenly, a database that was intended to help customers understand their genetic backgrounds becomes a powerful tool for assessing – and potentially rejecting – insurance applicants with high-risk DNA profiles.

That harmless test you took out of curiosity? Now, it’s a possible strike against you in an insurance application. Without solid data agreements, your DNA could decide your insurance premiums or even your eligibility for coverage.

This is where strategic consultants could make a world of difference. Instead of just building a security moat around the database, they’d work with 23andMe to ensure that customer data-use agreements are legally secure.

Strategic consultants help companies like 23andMe design robust data agreements that limit future usage to specified purposes only, even in the event of a sale. This way, customers can rest assured that their genetic information will remain strictly for personal insights – and out of the hands of any potential buyer with different motives.

Lessons from RadioShack’s Database Sale

And this isn’t just a thought experiment. Real-world cases have shown that customer data can be the crown jewel in acquisitions – sometimes as explicitly as if it were a line item on the balance sheet.

Take the case of RadioShack. Once a well-known electronics retailer, RadioShack struggled financially and ultimately filed for bankruptcy in 2015. During the liquidation process, it turned out that one of RadioShack’s most valuable assets wasn’t its remaining inventory or brand name – it was its customer database.

In the auction for RadioShack’s assets, the customer database was explicitly part of the deal. This included the personal data of millions of customers who had shopped at RadioShack, from email addresses and phone numbers to transaction histories.

Prospective buyers saw this database as a goldmine for targeted marketing, and it became a primary motivator for companies considering a purchase. And this was even though RadioShack had previously assured customers that it prided itself on “not selling our private mailing list.” 

The Role of Strategic Data Agreements

The RadioShack and 23andMe cases are perfect examples of why companies need strategic consultants who can anticipate and protect against these types of risks.

Strategic consultants help businesses set up data agreements that establish clear boundaries around how customer data can be used, even in the event of a sale or bankruptcy. Without these protective measures, a company’s most sensitive asset—its customer data—could be sold off with little oversight, allowing new owners to use it in ways the original customers never anticipated.

This case illustrates why data strategy isn’t just a “nice-to-have”; it’s essential for the ethical and long-term protection of customer relationships and trust.

By designing data policies that safeguard customer interests, strategic consultants can help companies avoid the pitfalls of an unwanted data auction—and ensure that even if the company changes hands, customer data remains off-limits to any buyer with plans to exploit it.

Data Protection Partner

At itm8, we have several experienced strategic consultants, who can act as advisors or your Chief Information Security Officers (CISOs) to help safeguard your most valuable assets – not just with firewalls and encryption, but with rock-solid agreements that protect your data no matter what.

Maybe the most significant risk for your company isn’t hacking groups breaching your systems but other companies intending to buy and exploit your data?