Nearly every large company executive has their details held by data brokers online, rendering their businesses vulnerable to attack by cybercriminals, research from Blackcloak suggests.
The cybersecurity analyst investigated 750 of its clients, most of them executives or board members at Fortune 1000 and other large organizations. It found that 99% of them were listed on data broker websites – legal entities often used by cybercriminals – and some individuals were listed on more than a hundred such platforms.
The quality of the data varied, but seven in ten profiles featured sensitive personal information including social media details and photos from popular sites such as Facebook and LinkedIn.
More worryingly, all but one in twenty contained data on an executive’s family, other relatives, and even neighbors. Four in ten profiles featured IP data on personal computers, and brokers held an average of three email addresses per executive.
“While maintaining data on three personal email addresses may not seem that significant to the novice eye, access raises the risks of fraud and impersonation emails,” said Blackcloak. “Access to an executive’s IP addresses could lead to a Distributed-Denial-of-Service (DDoS) attack, network eavesdropping and communications hijacking.”
Blackcloak stressed that top bosses were now the weakest link in large corporations’ cyber defenses, which explains the multiple troves of data cybercriminals keep on them.
“Executives have become the soft underbelly of enterprise security,” it said. “Cybercriminals know that the path of least resistance into their primary goal – the enterprise – is now often through the online privacy, personal devices, and home networks of a company’s most esteemed leaders.”
Though data brokers are not yet illegal, the US Congress is debating a law that would set up a national “opt-out” list for those who do not want their details harvested by brokers – who can then sell them on to the highest bidder, or even in some cases give them away for free.
But Blackcloak poured cold water on the bill, warning that “legislation can take a long time to become law, and an even longer time to begin making an impact.”
Currently the only way to remove details from data broker sites is to hire someone to do it manually, one site at a time, a service Blackcloak provides but described as “a tedious task that often needs to be repeated every other month.”
Some pundits have even branded data brokers a threat to democracy, with Emmy award-winning show presenter John Oliver calling their industry a “sprawling, unregulated ecosystem which can get really creepy, really fast.”