How does personal information removal from online sources help companies protect themselves against hackers?
To answer this question, DeleteMe’s CEO Rob Shavell sat down with the ethical hacker Rachel Tobac in a recent webinar.
The full recorded version of this webinar is available for download. If you are responsible for or concerned about your organization’s cyber security (or executive safety) in 2023, it’s unmissable.
This blog post goes over some of the points made by Rob and Rachel in the webinar.
Points like how hackers use personal information that exists on the internet to attack individuals and companies, why “security through obscurity” no longer works, and steps employees and organizations can take to make themselves less hackable.
But first, a warning: these insights might permanently change how you view your security posture.
Personal Information Is Fueling Attacks
Whether they’re targeting individuals or entire companies, most hackers today rely on easy access to personal information to carry out their attacks.
The link between personal information and cybercrime/personal attacks is getting harder to ignore:
Social engineering campaigns are most successful when hackers can personalize their communications to their target. Depending on the hacker’s goal, these campaigns can be used to exfiltrate sensitive data, trick the victim into making a wire transfer, or deliver malware or ransomware.
Spoofing attacks require knowledge of the person an attacker is trying to imitate.
Account takeover often follows from a threat actor guessing a target’s password or matching the target to credentials exposed in a breach.
Doxxing necessitates knowing as much about a target as possible, including their contact details and home address.
Harassment hinges on the harasser being able to contact their target.
Personal Information: How Hackers Find It And How They Use It
Rachel identified two important sources of personal information she always turns to when hacking individuals and organizations.
Data broker sites
Data brokers are companies that collect people’s personal information and sell or share it, typically for free or a small fee.
Data broker websites are one of hackers’ favorite tools. This is because data brokers enable hackers to find personal information about people in a matter of minutes.
When conducting reconnaissance, all a hacker has to do is type a person’s name plus a term like “date of birth,” “address,” or “phone number” into Google to find a detailed profile of that person.
Most of the time, data broker websites are among the first few results on Google.
Although some data brokers put people’s personal information behind a paywall, the fee to view someone’s profile is usually very small. There are also data brokers who show all or some data points for free.
This information is readily available to hackers because few data brokers vet the individuals who purchase data from them.
Data breach repositories
Data breach repositories like DeHashed are a great resource for individuals who want to see if their personal information has been compromised in a breach. They’re also a handy tool for hackers.
Data breach repositories make it easy to associate breached data with personal information that’s visible about people online through sources like data brokers.
Hackers can go to a breach repository, check whether their target’s email address (which they found on a data broker) appears in any breaches, and then use the exposed passwords to try to get into that person’s other accounts.
Most people reuse passwords (not just across different services but also personal and professional accounts) or change them slightly. About one in four executives say their birthday forms at least part of their password.
Hackers can take all the passwords they know about an individual, put them into a word list, and then try thousands of little tweaks.
You Can’t Rely on “Security Through Obscurity” Anymore
A decade or so ago, we lived in what Rachel describes as “a world of security through obscurity.”
Finding personal information about someone online was time-intensive and difficult, and this made people feel safe. If a bad actor had one piece of information about an individual, they couldn’t easily associate it with all the other data points available on that particular person.
Linking information from one repository to another was complex.
Fast forward to today, and data brokers have more data about more individuals than ever.
For example, we found that the number of data points a data broker has on a typical DeleteMe customer has risen from 255 to 491 in the last two years alone. That’s nearly a doubling (roughly a 90% increase) in the amount of exposed information per person.
Advancements in technology have also made it increasingly simple for hackers to connect all the dots, for example by correlating dark web breach data with data broker records.
This means that even throwaway email accounts can be tied to a person.
If someone signs up for a service with a throwaway email account and the service provider experiences a security breach, the person may assume there is no way for their secret alias to be linked to them. But if they’ve shared other personal details with the company, like their billing information, their throwaway account can now be publicly associated with them.
Depending on the nature of the service (for example, if it’s controversial), this could open up the person to all sorts of threats, from doxxing to harassment and reputational damage.
The ability to link a person’s throwaway account to their public persona also exposes them to cyber-attacks.
Here’s one common scenario:
When setting up their throwaway account, a person reuses an old password that they also use on Venmo or LinkedIn. They don’t think anyone will ever be able to tie their throwaway account back to them, so they feel safe.
The service that they signed up for with their throwaway account is breached.
A hacker can now get into the person’s Venmo and request money from their friends or take over their LinkedIn account.
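The “word list of little tweaks” technique from the breach-repository section and the throwaway-account scenario just above, combined into one worked example. This is an added illustration, not code from the webinar or from DeleteMe: the broker profile, breach rows, billing name and salted hash are all constructed for it, and the mutation rules are a small hand-written subset of what a real cracking rule set (such as a hashcat rule file) would apply.

```python
"""Added example: link a breach record to a data-broker profile, then turn the
leaked password into a word list of variants and test them against another
account.  Every record below is constructed; none comes from a real source."""
import hashlib
import re
from datetime import date

# Constructed data-broker profile: what a "<name> date of birth" search might surface.
BROKER_PROFILE = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "dob": date(1985, 7, 4),
}

# Constructed breach dump: a throwaway alias whose billing name matches the
# broker profile, plus an unrelated account that should not be linked.
BREACH_ROWS = [
    {"email": "jd_throwaway@example.net", "billing_name": "Jane Doe", "password": "Summer2019"},
    {"email": "someone.else@example.org", "billing_name": "A. Nother", "password": "hunter2"},
]

# Constructed "other account" (think Venmo or LinkedIn).  Only a salted hash is
# stored; the user "rotated" the old password by bumping the year and adding "!".
OTHER_ACCOUNT_SALT = b"c0ffee"
OTHER_ACCOUNT_HASH = hashlib.sha256(OTHER_ACCOUNT_SALT + b"Summer2020!").hexdigest()

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def link_breach_to_profile(profile, rows):
    """Return breach rows tied to the profile, either by the same email or by a
    secondary identifier such as billing name (how a throwaway alias gets unmasked)."""
    return [r for r in rows
            if r["email"].lower() == profile["email"].lower()
            or r.get("billing_name", "").lower() == profile["name"].lower()]


def mutate(password, dob):
    """Generate the 'little tweaks' a cracker applies to a known password: case
    changes, nearby years, birthday fragments, leetspeak and common suffixes."""
    base = {password, password.lower(), password.capitalize(), password.upper()}
    for p in list(base):  # snapshot: swap any four-digit year for neighbouring years
        for m in re.finditer(r"(19|20)\d{2}", p):
            year = int(m.group())
            for dy in range(-2, 4):
                base.add(p[:m.start()] + str(year + dy) + p[m.end():])
    dates = [dob.strftime("%m%d"), dob.strftime("%d%m"), dob.strftime("%Y"),
             dob.strftime("%m%d%Y"), dob.strftime("%y")]
    suffixes = ["", "!", "1", "123", "!!", "#"] + dates
    candidates = set()
    for p in base:
        for s in suffixes:
            candidates.add(p + s)
            candidates.add(p.translate(LEET) + s)
    return candidates


def credential_stuff(profile, rows, salt, target_hash):
    """Build a word list from every linked breach password and test each
    candidate against the target account's salted hash.  Returns the hit or None."""
    wordlist = set()
    for r in link_breach_to_profile(profile, rows):
        wordlist |= mutate(r["password"], profile["dob"])
    for cand in sorted(wordlist):
        if hashlib.sha256(salt + cand.encode()).hexdigest() == target_hash:
            return cand
    return None


if __name__ == "__main__":
    hit = credential_stuff(BROKER_PROFILE, BREACH_ROWS, OTHER_ACCOUNT_SALT, OTHER_ACCOUNT_HASH)
    print("linked rows:", [r["email"] for r in link_breach_to_profile(BROKER_PROFILE, BREACH_ROWS)])
    print("word list hit:", hit)
```

Two things to notice when running it: the unrelated breach row is never linked, so its password never enters the word list, and a few hundred candidates are enough to recover a password that was “changed” by bumping the year and appending a symbol. A unique, generated password per site defeats this outright because there is no seed for the mutations.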
Some hackers are not even motivated by financial gain. They may just want recognition or to do as much damage as possible to a company or specific employee because they don’t like them or disagree with their policies.
At DeleteMe, we see this happen all the time to both our B2C and B2B customers. Personal information is exposed not just through coordinated attacks that threaten network security but also through doxxing and harassment that are often driven by strange personal motivations.
Social Engineering Is Getting More Dangerous
“Sir, if you would kindly transfer $10k to my Swiss bank account…..” Sadly, the days of Nigerian Prince email scams are long over.
Instead, these easy-to-spot scams are being replaced by “two-hop” social engineering attacks. In these, an attacker compromises one person’s account and then uses it to impersonate them to their contacts.
For example, a threat actor who gets into a lower-level employee’s account using breached credentials may not be able to exfiltrate sensitive information directly, but they will have access to that employee’s network and social graph.
The individuals who have received emails from that employee in the past will have a built-in assumption of trust. If they receive an email request from that same email address, they are unlikely to think anything is amiss.
As Rob says, “we are moving into a world where a single chink in the armor can necessitate a whole reevaluation of who to trust and in what context.”
Another example of a social engineering attack where personal data plays a crucial role is executive gift card scams. These often target new hires.
Cybercriminals look for people on LinkedIn who have recently announced that they’re starting a new role at a new company. Then they try to find the contact information of the people this new employee is likely to report to, for example the CEO or an HR executive.
Using spoofing tools, the attacker impersonates these people to the new employee, asking them to buy gift cards in their name.
All too often, the new hire does as their “boss” or “manager” asks.
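The gift-card scam above has a recognisable shape: an executive’s display name on an address that is not theirs (or their real address failing authentication, the “spoofing tools” case), a request for gift cards, and pressure not to check. The detector below is an added example, not something from the webinar or DeleteMe; the executive directory, domains and both messages are constructed for the illustration.

```python
"""Added example: score an inbound message for executive impersonation of the
gift-card kind.  Executive list and sample messages are constructed."""
import re
from email.utils import parseaddr

# Constructed directory: the only addresses these executives legitimately send from.
EXECUTIVES = {
    "Pat Lee": "pat.lee@example.com",
    "Sam Ortiz": "sam.ortiz@example.com",
}

GIFT_CARD = [r"gift\s*cards?", r"\bitunes\b", r"google play", r"scratch\s*(?:off|the back)"]
PRESSURE = [r"\basap\b", r"right away", r"in a meeting", r"can(?:'t|not) talk",
            r"keep (?:this|it) (?:quiet|confidential|between us)"]


def _norm(name):
    """Lowercase and strip punctuation/extra spaces so 'Pat  Lee' equals 'pat lee'."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def score_message(from_header, reply_to, subject, body, dmarc_pass=True):
    """Return (score, reasons) for one message.  Anything scoring 2 or more
    would be held for a human before the recipient acts on it."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    reasons = []

    # Executive impersonation: display name matches but the address does not,
    # or the address matches but DMARC failed (header spoofing of the real address).
    who = next((n for n in EXECUTIVES if _norm(n) == _norm(display)), None)
    if who:
        if addr != EXECUTIVES[who]:
            reasons.append(f"display name matches {who} but sender is {addr}")
        elif not dmarc_pass:
            reasons.append(f"sender is {addr} but DMARC failed: likely spoofed")

    # Replies silently diverted to a mailbox other than the one in From.
    _, rt = parseaddr(reply_to or "")
    if rt and rt.lower() != addr:
        reasons.append(f"Reply-To {rt.lower()} differs from From {addr}")

    text = f"{subject}\n{body}"
    if any(re.search(p, text, re.I) for p in GIFT_CARD):
        reasons.append("asks for gift cards")
    if any(re.search(p, text, re.I) for p in PRESSURE):
        reasons.append("urgency or secrecy pressure")
    return len(reasons), reasons


# Constructed messages: one impersonation attempt and one ordinary request.
SCAM = dict(
    from_header="Pat Lee <pat.lee.ceo@example.net>",
    reply_to="Pat Lee <pat.lee.ceo@example.net>",
    subject="Quick favor",
    body="I'm in a meeting and can't talk. Please pick up 5 gift cards ASAP "
         "and send me the codes. Keep this quiet for now.",
)
LEGIT = dict(
    from_header="Pat Lee <pat.lee@example.com>",
    reply_to="",
    subject="Q3 planning deck",
    body="Can you send me the latest version of the deck before Thursday?",
)

if __name__ == "__main__":
    for label, msg in (("scam", SCAM), ("legit", LEGIT)):
        score, why = score_message(**msg)
        print(label, score, why)
```

The keyword lists are deliberately short; in production you would feed the display-name check from your directory and take the DMARC result from the Authentication-Results header rather than a flag. The point the example makes is that the attacker needs the new hire’s reporting line and the executive’s name, both of which came from LinkedIn and data brokers, and that the message can be flagged on exactly those fields.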
3 Steps You Can Take to Reduce the Chances of Getting Hacked
Below are three steps Rob and Rachel advise employees and companies to take to minimize their risk of getting hacked.
Reduce your digital footprint
The less information there is about employees online, the harder it will be for a hacker to a) find it and b) abuse it.
One of the best ways employees can reduce their digital footprint is to opt out of data broker websites.
Because data brokers get their information from a variety of sources, including public records and social media profiles, they serve as a one-stop-shop for hackers looking for personal information on their targets.
Opt-out needs to happen on a continuous basis. Data brokers never stop scraping and buying data on people, so new profiles reappear regularly.
Subscribing employees to a data broker removal service can ensure that the personal information that shows up about them online is kept to a minimum.
Use the right technical tools
By putting in place the right technical tools and security software, employees and organizations can make it harder for hackers to achieve their objectives.
If an employee uses a password manager to generate a unique, strong password for every account, a hacker won’t be able to reuse a compromised password (or a tweaked version of it) across the employee’s other accounts.
With strong multi-factor authentication (MFA), an attacker who has an employee’s password still can’t get into the account. Phishing-resistant factors such as FIDO2 security keys or passkeys are the strongest option; one-time codes sent by SMS and push approvals can still be phished or worn down by repeated prompts.
Good phishing reporting tools make it easier for employees to flag suspicious-looking emails.
Layer in the human element
While employee training alone shouldn’t be relied on to prevent attacks, it is still an important element of any company’s cybersecurity posture.
Employees should understand the “why” behind a company’s privacy and security recommendations and know what to look for.
They should have answers to questions like:
What are some of the most common attack methods?
What would it look like if someone was trying to socially engineer me? The answer depends on the role: an employee in IT might be approached by a hacker posing as a customer, while an employee in HR is more likely to be approached by someone impersonating a fellow employee.
Easy access to people’s personal information on the internet is putting them at risk. It’s also putting at risk the companies they work for.
Removing personal data from online sources can minimize the likelihood that employees will be successfully socially engineered, hacked, or otherwise exploited. Combine data removal with other security measures like training and the right technical tools, and you will be less hackable than the average company.
DeleteMe was created in 2010 when we realized the difficulty of navigating privacy issues in today’s interconnected and digital world. Our mission is to provide everyone with the power to control their digital identity.