A few weeks ago, HBO's Last Week Tonight with John Oliver brought the dangers of online data brokers from out of the shadows and into the mainstream spotlight. Perhaps the best at exposing the seriousness of a problem through levity, Oliver addressed the reality of data brokers' "sprawling, unregulated ecosystem, which can get really creepy, really fast."
Oliver isn't the first to speak out against online data brokers. Last year, Wired contributing reporter Justin Turner wrote a scathing article in which he called online data brokers a "threat to democracy." While Turner's article might have had the unintended consequence of being dismissed as too hyperbolic, his point about online data brokers' being a threat to civil rights and national security is fair and accurate.
Online Data Brokers Are the Holy Grail for Hackers
Today, the goals of cybercriminals, fraudsters, and identity thieves are made infinitely easier to attain thanks in large part to social media and data brokers.
The treasure trove of personal data available on social platforms provides significant ammunition for adversaries to commit cybercrime both on and off of social platforms. According to Fraud Watch, "many attackers have seen this [social media] as the perfect way to gather personal information to fuel cyberattacks like phishing or brand impersonation."
But if social media is a treasure trove of data, then online data brokers are the holy grail of information. These perfectly legal data aggregators can maintain up-to-date records on everything from personal emails, phone numbers, familial associations, geolocations, and home addresses to business records, browsing and search history, financial assets, social media posts, voting records, and more.
Virtually everything that's needed to deploy an online scam, fraud, account takeover, or digital theft is readily available on more than 200 data brokers' websites, sometimes free of charge, and always easily hackable by those with the means and motivations.
Data Brokers' Impact on the Enterprise
It's no shock that cybercrime, fraud, and identity theft continue to increase when so much personal information is so readily available. Unfortunately, this has major consequences for the enterprise, too.
At present, cybercriminals are increasingly attacking the personal digital lives of company leaders, such as executives, board members, and other key personnel, using information gained from data brokers, as a means to bypass enterprise security controls and move laterally into the organization that is their ultimate target. In March, Bleeping Computer reported that Chinese hackers were targeting the personal Gmail accounts of government employees rather than the agency itself.
Recent research by BlackCloak examined how at risk executives, and by extension their companies, are from online data brokers. A study of more than 750 enterprise senior leaders found that an astounding 99% of executives have their personal information available on more than three dozen online data broker websites.
In addition, 70% of executive profiles found on data broker websites contained social media information and photos, most commonly from LinkedIn or Facebook, while 40% of online data brokers had the IP address of an executive's home network. With this IP address data, an executive's home is front and center for being targeted.
Further, 95% of executive profiles contained personal and confidential information about their family, relatives, and neighbors. Any of this personal information can be used to launch a social engineering attack, email spoofing, or even network hijacking, putting both the individual and their company at risk.
Will a Renewed Focus on Privacy Put Online Data Brokers out of Business?
A bipartisan bill is floating around Congress that would create a national opt-out list for data brokers. But legislation can take a long time to become law, and an even longer time to begin making an impact.
Meanwhile, enterprises should begin to weigh online data brokers as part of their risk exposure analysis if they don't already do so. And while the online data broker removal process can be lengthy and burdensome, and often needs to be repeated, failing to opt out executives at a minimum could prove more harmful to your organization than not in the long run.
At the very least, organizations must recognize data brokers as the adversary that they are. They need to help empower executives to minimize their digital footprint to reduce the risk of their personal information falling into the wrong hands.