Threat Intelligence Blog

Posted January 28, 2019

Today is Data Privacy Day, and we’re joining forces with hundreds of other companies, government entities, nonprofits, and individuals as a Data Privacy Day 2019 Champion to lead and educate in all things related to data privacy. This year’s Data Privacy Day will spotlight the importance and value of personal information, and the National Cyber Security Alliance (NCSA), which officially leads the Data Privacy Day campaign, is encouraging participants to remember, “Personal information is like money. Value it. Protect it.”

Businesses understand the value and importance of protecting the personal information of customers and their business assets. Unfortunately, they are often so focused on keeping customer and corporate information safe that they overlook the exposure of their executives’ personal information. Employees at every level of an organization represent the company; however, executives are prime targets for protesters, scammers, and threat actors because of their public presence. As we have seen in the headlines, exposure of an executive’s information has the potential for broad impact, including manipulating stock prices by denigrating a brand or disrupting a merger or acquisition by sharing early stage planning information.

An executive doesn’t need to be part of a major breach to have their personal information surface online. The truth is, many executives’ personal information, including their home address, phone number, personal email address, and family information, is already readily available online. Information from data aggregation sites (many of which post their information online without malicious intent) and public records disclosures can be misused if it falls into the wrong hands. What’s more, sometimes executives or their employers are the reason personal information is released, through oversharing in executive biographies or social media. Perhaps most perilous, an executive’s own family members post information that can put themselves and their parents at an increased risk of targeting or exploitation.

How can executives guard their information while executing their public responsibilities? Below are four of the most common causes of the public release of an executive’s personal information that we’ve observed. While not an exhaustive list, these represent some of the most egregious, and sometimes surprising, sources that executives and their company’s security personnel need to understand when establishing policies to protect executive information.

Executive Biographies

Executives, especially those at the C-Suite level, are frequently the public face of their company. Having a charismatic and popular executive is a goal for which many companies strive. However, companies frequently struggle to find the proper balance between showcasing their executives as approachable and down-to-earth and not providing too much information that could be used to target or exploit the executive. It is common for executive biographies to name where the executive lives, his or her spouse’s name, hobbies, and even the names and ages of the executive’s children along with a photograph of the family. LookingGlass has even seen cases where a company disclosed the name of the public park where their executive runs every morning. Publicly posting information like this can jeopardize the executive’s personal privacy and open them up to targeting by cyber criminals, hacktivists, disgruntled employees, and more. Since executive biographies are often written by marketing departments, it is important to have executive security and protection teams review the content in executive biographies.

As a rule of thumb, executive biographies should only contain executive information that the company would publish on a major highway billboard.

Social Media Disclosures

Similarly, executives should strive to keep their personal life off of social media. Many executives use social media to build a larger following and brand loyalty, which can have a positive impact on both their personal brand and that of their company. However, executives who post their family or personal life on publicly viewable social media accounts are increasingly jeopardizing their family’s safety.

A big step toward limiting such disclosures is to make sure executives are not making personal social media postings on professional social media accounts. Executives should be encouraged to maintain a public social media presence, as having one helps cut down the risk of impersonation accounts being registered and allows the executive the unique opportunity to join in and share in public conversation. If the executive does not wish to maintain an online presence, the account can even be managed by an assistant or authorized third party. However, these public accounts should only display positive professional information. If the executive wishes to post more personal information, he or she can do so on a second account with high privacy settings. That way, the executive can better manage access to the information posted.

Disclosures Mandated by Law

Executives need to understand that some disclosures of personal information are mandated by law. Every state publishes property records through a recorder of deeds, tax assessment, or county records department. These records will typically disclose a property owner’s name, mailing address (if different), and ownership history. Some counties also display assessment information that shows the dimensions of internal rooms, locations of windows and doors, egress points, etc., as well as the taxable property registered to the residence, such as vehicles, and any building permits registered to the property. This information is often freely available through a simple search where the only information needed is a first and last name. This information, coupled with publicly accessible mapping software such as Google Street View, can allow those looking to target the executive to electronically “case” the residence and surrounding area without ever traveling there.

Similarly, the Federal Election Campaign Act requires the Federal Election Commission (FEC) to publish information reported by campaigns and political committees about donors of $200 or more. The FEC then publishes this information, which includes the donor’s full name, addresses, occupation, and employer, to its database, which is publicly available online. Executives (and their spouses in many cases) who give to candidates and political committees will subsequently have their home address published for the public to see unless they make the donation through a Post Office box or business address.

These disclosures are frequently the genesis from which data aggregation sites such as whitepages.com, radaris.com, and spokeo.com gather their information. So, although public property records and FEC disclosures are not indexed by search engines, the information disclosed on these non-indexed sites can spread to the searchable internet.

Family Member Leaks

While executives themselves may be instructed and trained in how to protect their private information online, often their families are not. Unfortunately, because of this, the leak of an executive’s private information frequently comes from disclosures by a close family member. For instance, there have been many cases of an executive’s child posting potentially exploitable information publicly online, such as the location of their school, the cars their parents drive, names of pets, when they are out of town, and even confirming that their parent is an executive of a specific company. While children are frequently the origin of personal data leakage, such disclosures can come from any family member, including spouses, parents, or even friends. These disclosures only increase the risk of executives’ families being used as a roundabout way to get to the executive.

Personal safety is not the only reason that family members need to be educated on the importance of protecting personal information. In the wrong hands, their personal information can be used to maliciously access personal accounts, create fraudulent identities, and ruin careers. Teens and young adults especially need to understand the impact that acts such as sexting and cyberbullying can have on their future, as well as their family.

In an age where social media saturation and oversharing are commonplace, a company’s executive protection policy should also include the executive’s family. Family members need to be instructed on why data privacy and protection are important and fully understand the limits of their sharing.

Protecting Your Executives

If you would like to know more about how to protect your executives from digital business risk, please contact us. We can share information about the LookingGlass Executive Threat Assessment (ETA) service. ETA has provided hundreds of executives with their online footprints and assessed where these executives were most exposed. The final report provides tips on how to mitigate risks, as well as suggestions tailored to each executive for protecting themselves and their families.

Want more information on Data Privacy Day? NCSA has various resources on the importance of data privacy and tips on how to secure your personal information. To learn more, click here: https://staysafeonline.org/data-privacy-day/about/
