Last week, the main segment on the Emmy-winning show “Last Week Tonight with John Oliver” focused on data brokers. For over 20 minutes, John Oliver ripped into online data brokers’ “sprawling, unregulated ecosystem which can get really creepy, really fast.” The segment would have been much funnier if it weren’t so true.

Oliver’s sentiment aligns closely with that of Wired contributing reporter Justin Turner. In April 2021, Turner wrote a scathing article in which he called online data brokers a “threat to democracy.” Turner wrote that “without robust national privacy safeguards, entire databases of citizen information are ready for purchase, whether to predatory loan companies, law enforcement agencies, or even malicious foreign actors.” He failed to note that some online data brokers even give away the information they obtain for free.

Online data brokers host a treasure trove of data for cybercriminals 

While perhaps not quite an existential “threat to democracy,” online data brokers are a significant problem for individuals and businesses alike. In fact, they are often the primary source hackers and cybercriminals use to obtain the information needed to mount targeted cyberattacks, such as social engineering or business email compromise, or to commit online fraud and identity theft.

By capturing and reselling personally identifiable information ranging from emails, phone numbers, familial associations, geolocations, and home addresses to business records, browsing and search history, financial assets, social media posts, and voting records, data broker websites are akin to Walmart for hackers: they provide seemingly everything that’s needed at little to no cost. 

Ironically, data brokers themselves are also at risk of cyberattack from those seeking access and information. Last year, hackers breached the data broker LimeLeads, exposing nearly 50 million business contacts on the deep/dark web. Just months before, the data broker Social Data leaked 235 million social media profiles. In addition, data dumps following hacks of data brokers are increasingly routine. 

The risks online data brokers present to individuals and companies

Following the John Oliver segment, our security operations team, under the guidance of CISO Daniel Floyd, took on the task of aggregating and anonymizing data from nearly 1,000 BlackCloak members, the vast majority of whom are executives and board members at Fortune 1000 companies or other large institutions. Since BlackCloak helps our clients with the data broker removal (opt-out) process, the data we analyzed reflected their risk profile just prior to onboarding.

Our goal in this research was to further quantify how widespread and dangerous the online data broker epidemic has become, both to individual executives and to the organizations they lead.

Here’s what we found: 

  • 99% of our executives have their personal information available on more than three dozen online data broker websites, with a large percentage listed on more than 100
  • 70% of executive profiles found on data broker websites contained personal social media information and photos, most commonly from LinkedIn and Facebook 
  • 40% of online data brokers had the IP address of an executive’s home network 
  • 95% of executive profiles contained personal and confidential information about their family, relatives, and neighbors  
  • On average, online data brokers maintained more than three personal email addresses for every executive record
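As an added illustration of the aggregate-and-anonymize approach described above (example code written for this page, not BlackCloak’s own tooling), the following Python script runs over constructed broker-exposure findings: each member identifier is replaced with a keyed-hash pseudonym before aggregation, so the resulting report carries no raw names or email addresses, and the headline figures are computed per pseudonym. The record field names, the thresholds, the secret pepper and the three fictitious members are all assumptions for the example.

```python
"""
Aggregate-and-anonymize pipeline for data-broker exposure findings.
Added example, not BlackCloak's code; all records below are constructed.
"""
import hmac
import hashlib
import statistics
from collections import defaultdict

# Secret pepper for pseudonymization. In practice this is loaded from a secrets
# store and discarded once the report is produced, so nobody holding the report
# (and a list of member names) can re-link pseudonyms. Constructed value here.
PEPPER = b"example-only-rotate-me"

# Thresholds behind the "three dozen" and "more than 100" headline figures.
MANY_SITES = 36
OVER_100_SITES = 100


def pseudonymize(identifier: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of a member identifier. A plain SHA-256 of a known email or
    name is trivially guessable; HMAC with a secret pepper is not. Identifiers
    are lower-cased first so 'Alice@Example.com' and 'alice@example.com' merge."""
    digest = hmac.new(pepper, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def aggregate(findings):
    """Collapse one row per (member, broker site) into one summary per pseudonym.
    Row shape (assumed): {"member": str, "site": str, "emails": [str],
                          "social": bool, "home_ip": bool, "family": bool}"""
    per = defaultdict(lambda: {"sites": set(), "emails": set(),
                               "social": False, "home_ip": False, "family": False})
    for f in findings:
        p = per[pseudonymize(f["member"])]          # raw identifier is not stored
        p["sites"].add(f["site"])
        p["emails"].update(e.lower() for e in f.get("emails", []))
        for flag in ("social", "home_ip", "family"):
            p[flag] = p[flag] or bool(f.get(flag))
    return per


def summarize(findings):
    """Compute the report's headline statistics from pseudonymized summaries."""
    per = aggregate(findings)
    n = len(per)

    def pct(count):
        return round(100.0 * count / n, 1) if n else 0.0

    # Share of distinct broker sites that exposed a home IP for at least one member.
    sites_with_ip = {f["site"] for f in findings if f.get("home_ip")}
    all_sites = {f["site"] for f in findings}

    return {
        "members": n,
        "pct_on_many_sites": pct(sum(len(p["sites"]) > MANY_SITES for p in per.values())),
        "pct_on_over_100_sites": pct(sum(len(p["sites"]) > OVER_100_SITES for p in per.values())),
        "pct_with_social": pct(sum(p["social"] for p in per.values())),
        "pct_with_home_ip": pct(sum(p["home_ip"] for p in per.values())),
        "pct_with_family": pct(sum(p["family"] for p in per.values())),
        "pct_sites_with_home_ip": round(100.0 * len(sites_with_ip) / len(all_sites), 1) if all_sites else 0.0,
        "mean_emails": round(statistics.mean(len(p["emails"]) for p in per.values()), 2) if n else 0.0,
    }


def build_sample():
    """Constructed findings for three fictitious members (not real data)."""
    findings = []
    # Member A: 40 sites, 3 distinct emails, social on every 10th site, home IP on 4 sites.
    for i in range(1, 41):
        findings.append({"member": "alice@example.com", "site": f"broker{i:03d}.example",
                         "emails": [f"alice{i % 3}@mail.example"],
                         "social": i % 10 == 0, "home_ip": i <= 4, "family": True})
    # Member B: 12 sites, 1 email, no social, home IP on one site, family on one.
    for i in range(1, 13):
        findings.append({"member": "Bob Example", "site": f"broker{i:03d}.example",
                         "emails": ["bob@mail.example"], "social": False,
                         "home_ip": i == 5, "family": i == 7})
    # Member C: 120 sites, 5 distinct emails, social everywhere, no home IP.
    for i in range(1, 121):
        findings.append({"member": "carol@example.com", "site": f"broker{i:03d}.example",
                         "emails": [f"carol{i % 5}@mail.example"],
                         "social": True, "home_ip": False, "family": i % 2 == 0})
    return findings


if __name__ == "__main__":
    for key, value in summarize(build_sample()).items():
        print(f"{key}: {value}")
```

The per-member and per-site figures are deliberately kept separate: “40% of online data brokers had the IP address of an executive’s home network” is a statement about sites, whereas the email and family figures are statements about people, and mixing the two denominators is the most common way such survey numbers get misread.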

While maintaining data on three personal email addresses may not seem significant to the novice eye, access to any personal email address raises the risk of unauthorized access, fraud and impersonation emails, among other digital threats. In addition, access to an executive’s IP addresses could lead to a Distributed Denial-of-Service (DDoS) attack, network eavesdropping and communications hijacking.

Data Broker Example: example of a data broker file.

Data broker threats to executives are also a threat to the enterprise

Online data brokers are not only a threat to individual executives and their family, but also to the organizations that they lead. 

Today, cybercriminals are attacking the personal digital lives of company leaders to bypass enterprise security controls and move laterally into the organization. Just last month, Bleeping Computer reported that Chinese hackers were targeting the personal Gmail accounts of government employees rather than the agency itself. 

Executives have become the soft underbelly of enterprise security. Cybercriminals know that the path of least resistance to their primary goal – the enterprise – is now often through the online privacy, personal devices, and home networks of a company’s most esteemed leaders.

Fortunately, a bipartisan bill is floating around Congress that would create a national opt out list for data brokers. But legislation can take a long time to become law, and an even longer time to begin making an impact. 

In the meantime, organizations must begin to prioritize data broker removal for executives and key personnel, or risk succumbing to a lateral attack that originates in a leader’s personal digital life, as well as the other security concerns such exposure creates for executives.

One of BlackCloak’s primary benefits is that we help our clients opt out of nearly 200 data broker websites. Data broker removal is a tedious task that often needs to be repeated every other month, and it is just one way we help protect executives, and by extension their companies, from targeted cyberattacks.

For more information on how BlackCloak helps remove personal information from data brokers, visit the data broker removal section on our website.