Who’s Got Hold of Your Personal Information? Data Brokers Are Big Business
Data brokers are companies that collect and sell personally identifiable information to third parties. Data brokering has become a multibillion-dollar industry, but it also presents risks to individuals and businesses whose personal information may be used for nefarious purposes.
Data brokers gather information — often sourced from commercial databases or from the open web — and sell or license that information to third parties for a fee.
Data brokers' use of PII ranges from commonplace to controversial, and the same data can be exploited by cyber criminals for malicious purposes.
Individuals and businesses should regularly assess and manage their personal information online, including utilizing opt-out options, to protect against data brokering and potential abuse.
The internet has made collecting and selling personal data easier than ever, and personally identifiable information (PII) is particularly valuable to one growing industry: data brokers.
Data brokers are businesses that gather information — often sourced from commercial databases or from the open web — and sell or license that information to third parties for a fee. This data can come from public records, consumer marketing lists and social media. Data brokering has become a multibillion-dollar industry, and these businesses use personal information in ways that range from the commonplace to the controversial.
“The primary focus of these sites is to collect information such as dates of birth, home addresses, personal contact details, emails and names of relatives,” says Catarina Kim, managing director of the Intelligence Group in Aon’s Cyber Solutions. “They have dual use purposes. On the surface, a user can buy a report on the site to vet the background of a person. However, this data can also be used by bad actors to conduct social engineering, account takeovers or target members of the public.”
There are also other, more nefarious data brokers. These threat actors typically operate on the dark web and traffic data that have been stolen or exfiltrated through third-party data breaches.
For business leaders or other high-net-worth individuals, either type of data brokering activity can present a very real risk if their personal information is used by individuals who might want to target them or their families for harassment, fraud or criminal activities.
The amount of personal information available on the open web is vast and often highly accessible, especially in the United States. A simple search can provide such details as an individual’s associated telephone number, email address, mother’s maiden name and other data that can be used for phishing, answering password reset questions and even engaging in more sophisticated attacks to defeat two-factor authentication on bank accounts. Vehicle license plate numbers and information about the make and model of an executive’s car might also be readily available.
“People are often unaware of how much PII is available about them online. Cyber criminals can complement what’s accessible for free on the open web by leveraging data found on the dark web, including compromised passwords for email addresses that were breached through third party sites such as a food delivery service or online marketplace,” says Dennis Lawrence, a senior consultant in the Intelligence Group at Aon’s Cyber Solutions. “This is particularly relevant since many people reuse old passwords or use slight variations of them.”
“Those are all things that could be used and leveraged in a very strategic way by certain people if they got into the wrong hands, especially if it is information about a senior executive or a high-net-worth individual,” says Kim. “It can be used to access their email accounts, extort them, impersonate them and to commit fraud.”
Identifying and Controlling Data Vulnerability
Determining what information might be available about executives or other prominent individuals is an important process and one that must be repeated regularly.
“On the open web, the companies that sell this information are legitimate businesses. This is not obviously stolen data, these are data sets that they are buying from other companies that have collected this information,” says Kim. “If the sites refresh their data in six months, information gets repopulated even after an opt-out request has been submitted. So it’s not necessarily a one-and-done.” As a result, it’s best to take a proactive approach to managing personal information online. Individuals can begin with a vulnerability assessment to examine their digital footprint, using open, deep and dark web sources to identify areas of risk.
“Anything that’s publicly accessible, anything that we can glean from social media, anything that we can glean from the dark web, those are the first things people should consider reviewing,” says Kim. When possible, individuals can opt out from having their information sold, or, in some cases, records can simply be removed from websites.
If individuals choose to keep posting on social media, they should understand the privacy settings they can apply to their activities. “There are ways that you can lock down your profile so you can still share information without providing access to people outside your circle,” Kim says, noting the benefits of “proactive monitoring.” This entails constantly scanning the open and dark web for information on individuals that might be leveraged against them.
As Information Moves, Risks Increase
A lawsuit filed earlier this year by a data broker against one of its customers speaks to some of the risks associated with information as it changes hands.
While there aren’t widespread laws governing data brokers’ activities, some U.S. states like California require data brokers to register with the state’s attorney general. The California Consumer Privacy Act also gives residents of the state some rights and protections concerning their personal information. “It’s very specific to California residents,” says Kim. “I don’t foresee that happening uniformly across the United States.”
Other regions have specific legislation in place to protect individuals from data exposure risks. In Europe, the EU has pursued data brokers accused of violating the General Data Protection Regulation (GDPR).
Managing the Power of Personal Data
Personal information about executives or high-net-worth individuals that falls into the wrong hands becomes a powerful risk. Once sensitive data has made its way to the internet, it may be too late to control potential damage. However, by understanding the sorts of information being collected and shared by data brokers and taking steps to limit the amount of data available, individuals can better protect their personal information online.
“Clients will often come to us once an event has happened,” says Lawrence. “But the best way to think about this is that you can help avoid a lot of heartache and violation of privacy if you take action before that potential event occurs down the road.”