Research released Monday by a cybersecurity services provider reveals how widespread the risks are to executives and the organizations they ramrod from data brokers collecting sensitive data about them.
The provider, BlackCloak, published in a blog the results of an analysis of 750 of its customers, most of them executives and board members at Fortune 1000 or other large institutions. Among the company’s findings:
- 99% of our executives have their personal information available on more than three dozen online data broker websites, with a large percentage listed on more than 100;
- 70% of executive profiles found on data broker websites contained personal social media information and photos, most commonly from LinkedIn and Facebook;
- 95% of executive profiles contained personal and confidential information about their family, relatives, and neighbors;
- On average, online data brokers maintained more than three personal email addresses for every executive record.
“While maintaining data on three personal email addresses may not seem that significant to the novice eye, access to any personal email address raises the risks of unauthorized access, fraud and impersonation emails, among other digital threats,” wrote BlackCloak Director of Marketing Evan Goldberg.
Home as Soft Underbelly
The research also found that 40% of online data brokers had the IP address of an executive’s home network. “Not only could you use address information held by the broker to physically go to an executive’s home, but you could use the IP address to digitally break into their home from anywhere in the world,” observed BlackCloak Founder and CEO Chris Pierson.
Related: Hackers Are Cashing In With Hijacked IP Addresses
“We see corporate executives targeted all the time in their personal lives,” he told TechNewsWorld. “If you’re targeting the CEO of GE, are you going to hack him at his GE email address, where he’s protected by corporate cybersecurity, or are you going to target him at his Gmail account or his wife’s account or his kids’ accounts, and get a foothold in his home?”
“Because everyone has been working from home for the past two years, it’s created the home as the soft underbelly of the corporation,” he said.
“Data broker information has been leveraged to commit identify theft and unemployment fraud over the past two years,” he added.
Some of the risks cited by BlackCloak are overblown, maintained Daniel Castro, vice president of the Information Technology & Innovation Foundation, a research and public policy organization in Washington, D.C.
“Data brokers are often selling data that is already public, such as information on voting records or campaign contributions,” he told TechNewsWorld.
“Similarly,” he continued, “information that is publicly accessible on social networks or on websites is not particularly sensitive.”
However, he acknowledged that cybercriminals can use that information to perpetrate phishing attacks and impersonate an executive.
Danger to Top Brass
“The reality is that data brokers present fertile grounds for hackers, abusers and stalkers,” observed Liz Miller, vice president and a principal analyst at Constellation Research, a technology research and advisory firm in Cupertino, Calif.
“Where else could you pay $29 for a complete dossier on an ex-girlfriend including current address and phone number, current associates residing in the same location and basic detail about that person?” she told TechNewsWorld. “When you actually think about what this intensely sensitive data can mean in the hands of someone with no moral or ethical compass, it should terrify people.”
Data brokers have only one reason for being, noted Greg Sterling, co-founder of Near Media, a news, commentary and analysis website. “Their raison d’etre is to collect as much data on as many households and people as possible,” he told TechNewsWorld.
“By definition then, they expose and transfer information that individuals might not want exposed or sold, or that might be sold non-consensually or without knowledge of the individuals involved.”
Armen Najarian, chief identity officer at Outseer, a provider of payment fraud protection solutions in Bedford, Mass. maintained that data brokers present significant risks to executives. “In the digital era, data is power,” he told TechNewsWorld. “It’s dangerous for any company to have such detailed profiles of highly influential business professionals.”
“Often these profiles will include highly personal information, like income and assets, which are used by cybercriminals to target and steal a victim’s identity,” he continued.
“By studying the online behavior of these executives, fraudsters have an intimate look at what’s going on in these individuals’ lives, making it easier for them to deploy highly targeted attacks,” he added.
Not So Anonymous Anonymity
Some data brokers and applications justify their voracious appetite for data by claiming they only share anonymized information, a claim disputed by the Electronic Frontier Foundation in a July 2021 article on its website written by Gennie Gebhart and Bennett Cyphers.
“Data brokers sell rich profiles with more than enough information to link sensitive data to real people, even if the brokers don’t include a legal name,” they wrote. “In particular, there’s no such thing as ‘anonymous’ location data. Data points like one’s home or workplace are identifiers themselves, and a malicious observer can connect movements to these and other destinations.”
“Another piece of the puzzle is the ad ID, another so-called ‘anonymous’ label that identifies a device,” they added. “Apps share ad IDs with third parties, and an entire industry of ‘identity resolution’ companies can readily link ad IDs to real people at scale.”
While governments in some other regions of the world have taken a harder line toward data brokers, that hasn’t been the case in the U.S. “It’s an area where the laws in the United States are not as robust as they could be,” Pierson said. “Over time, there have been a number of different legal proposals, but there have been no meaningful restrictions in what data brokers can do in the United States.”
“The best way to regulate data brokers would be to create a federal data privacy law that establishes basic consumer data rights, especially for sensitive personal data,” Castro advised. “Federal law is the best way to ensure that Americans have control of their information and avoids creating a complicated state-by-state patchwork of laws.”
“The U.S. government should absolutely consider enacting legislation to regulate data brokers,” added Najarian. “This is an issue that extends beyond Fortune 1000 executives. It affects every single person who uses the internet.”