PII of many Fortune 1000 executives exposed on data broker sites


Research released Monday by a cybersecurity service provider reveals how widespread the risks to executives and organizations are from data brokers that collect sensitive data about them.

The provider, BlackCloak, posted on its blog the results of an analysis of 750 of its customers, mostly executives and board members of Fortune 1000 companies or other large institutions. Among the company's findings:

  • 99% of our executives have their personal information available on over three dozen online data broker websites, with a significant percentage listed on over 100;
  • 70% of executive profiles found on data brokerage websites contained personal social media information and photos, most often from LinkedIn and Facebook;
  • 95% of executive profiles contained personal and confidential information about their family, relatives and neighbors;
  • On average, online data brokers maintained more than three personal email addresses for each executive record.

“While keeping data on three personal email addresses may not seem so important to the untrained eye, access to any personal email address increases the risk of unauthorized access, fraud and identity theft, among other digital threats,” BlackCloak chief marketing officer Evan Goldberg wrote.

The home as a soft underbelly

The research also found that 40% of online data brokers had an executive’s home network IP address. “Not only can you use the address information held by the broker to physically travel to an executive’s home, but you can also use the IP address to digitally break into their home from anywhere in the world,” observed BlackCloak founder and CEO Chris Pierson.

“We see corporate executives targeted all the time in their personal lives,” he told TechNewsWorld. “If you’re targeting the CEO of GE, are you going to hack him at his GE email address, where he’s protected by the company’s cybersecurity, or are you going to target him at his Gmail account or his wife’s account or the accounts of his children, and gain a foothold in his house?

“Because everyone has been working from home for two years, it’s made home the soft underbelly of the business,” he said.

“Data broker information has been used to commit identity theft and unemployment fraud over the past two years,” he added.

Some of the risks cited by BlackCloak are exaggerated, argued Daniel Castro, vice president of the Information Technology & Innovation Foundation, a research and public policy organization in Washington, D.C.

“Data brokers often sell data that is already public, such as voting information or campaign contributions,” he told TechNewsWorld.

“Similarly,” he continued, “information publicly available on social media or websites is not particularly sensitive.”

However, he acknowledged that cybercriminals can use this information to carry out phishing attacks and impersonate an executive.

Danger for top brass

“The reality is that data brokers present fertile ground for hackers, abusers, and stalkers,” observed Liz Miller, vice president and principal analyst at Constellation Research, a technology research and consulting firm in Cupertino, California.

“Where could you pay $29 for a complete file on an ex-girlfriend, including current address and phone number, current associates residing at the same location, and basic details about that person?” she told TechNewsWorld. “When you actually think about what this extremely sensitive data can mean in the hands of someone with no moral or ethical compass, it should terrify people.”

Data brokers exist for only one reason, noted Greg Sterling, co-founder of Near Media, a news, commentary and analysis website. “Their reason for being is to collect as much data on as many households and people as possible,” he told TechNewsWorld.

“By definition, they expose and transfer information that individuals might not want exposed or sold, or that might be sold without the consent or knowledge of those involved.”

Armen Najarian, director of identity at Outseer, a provider of payment fraud protection solutions in Bedford, Mass., argued that data brokers pose significant risks to executives. “In the digital age, data is power,” he told TechNewsWorld. “It is dangerous for a company to have such detailed profiles of highly influential professionals.”

“Often these profiles will include highly personal information, like income and assets, which is used by cybercriminals to target and steal a victim’s identity,” he continued.

“By studying the online behavior of these executives, fraudsters gain intimate insight into what is going on in the lives of these individuals, making it easier for them to deploy highly targeted attacks,” he added.

Anonymity Not So Anonymous

Some data brokers and apps justify their voracious appetite for data by claiming that they only share anonymized information, a claim disputed by the Electronic Frontier Foundation in a July 2021 article on its website by Gennie Gebhart and Bennett Cyphers.

“Data brokers sell rich profiles with more than enough information to link sensitive data to real people, even if the brokers don’t include a legal name,” they wrote. “In particular, ‘anonymous’ location data does not exist. Data points like home or work are themselves identifiers, and a malicious observer can link movements to these and other destinations.

“Another piece of the puzzle is the Advertising ID, another so-called ‘anonymous’ tag that identifies a device,” they added. “Apps share advertising IDs with third parties, and an entire industry of ‘identity resolution’ firms can easily link advertising IDs to real people at scale.”

While governments in some other parts of the world have taken a harder line on data brokers, this has not been the case in the United States. “This is an area where the laws in the United States are not as strict as they could be,” Pierson mentioned. “Over time, there have been a number of different legal proposals, but there have been no meaningful restrictions on what data brokers can do in the United States.”

“The best way to regulate data brokers would be to create a federal data privacy law that establishes basic consumer data rights, especially for sensitive personal data,” Castro advised. “Federal law is the best way to ensure that Americans have control over their information and avoid creating a convoluted patchwork of laws from state to state.”

“The US government should definitely consider enacting legislation to regulate data brokers,” Najarian added. “This is a problem that goes beyond Fortune 1000 executives. It affects everyone who uses the internet.”

