
Your Data Is on the Dark Web. Now What?

It is a Monday morning and you get an email from a service you use saying your details may have been exposed in a data breach. Or perhaps someone on your team mentions they got a notification that their work email appeared in a breach alert. It is unsettling, and the first question most people ask is: can we get that information removed?

The honest answer is no - not in any meaningful way. The dark web is not a single website you can contact and ask to take something down. It is a loose collection of hidden sites and forums, many of which operate outside any legal framework. Once your data appears there, it is typically copied and shared within hours. There is no central authority, no takedown process, and no one to call. For a practice handling client records, financial information, or sensitive health data, that reality is worth sitting with for a moment.

What you can do - and what actually matters - is limit the damage and make sure it does not get worse. The risk with exposed credentials is not just embarrassment. If a staff member's email and password appear in a breach, and they use the same password elsewhere, attackers can work through your systems methodically. That is how many small business breaches start: not with a dramatic hack, but with a recycled password and an unattended login. Understanding the missteps that make a breach worse can help your team avoid compounding the problem in the hours that follow.

When a breach is confirmed, the immediate priority is locking down access. Every affected account gets a new, unique password. Multi-factor authentication - where logging in requires a second step like a code sent to a phone - gets switched on across email, practice management software, and anything else that holds client data. This is not optional hygiene anymore. Under the NZ Privacy Act 2020, businesses have obligations around how they protect personal information and what they do when a breach occurs. If client data is involved, your practice may need to notify the Office of the Privacy Commissioner. CERT NZ is also worth contacting if you have had an active incident - they provide free guidance and can help you understand what happened.

Beyond the immediate response, the longer-term question is whether your practice has visibility into this kind of threat at all. Dark web monitoring services can alert you when staff credentials or your business domain appear in known breach data. That early warning gives you time to act before an attacker does. Paired with good password practices, multi-factor authentication across the board, and regular software updates, you significantly reduce the window of opportunity for someone to exploit exposed data. It is also worth remembering that the fallout from exposed data extends well beyond the initial incident - reputational and operational consequences can surface weeks later. The goal is not perfection - it is making your practice a harder target than the one next door.

Most practice managers are not going to set this up themselves, and they should not have to. This is exactly the kind of thing a good managed IT support arrangement handles - monitoring for threats, responding when something surfaces, and making sure the basics are locked in before a problem starts. If your practice does not currently have that kind of oversight, it is worth understanding what you are missing.

ITstuffed works with professional services businesses across Canterbury on exactly this. If you want a clear picture of where your practice stands, book a 15-minute IT Fit Check and we will give you an honest assessment.
