What is the risk?
The quantity of personal information available online and in other publicly accessible sources is constantly increasing. Account credentials and other pieces of data, even as simple as an email address or phone number, can be very valuable to threat actors, either for onward sale, or for use in social engineering and other types of fraud. Information which poses a reputational risk to an individual or an organisation is also a growing concern for many, as reputational damage is notoriously difficult to repair. For some people, the threat may also be physical, and so information that ties them to real-life locations needs to be closely protected.
What types of information are out there?
The primary identifier for a person’s online presence is normally an email address, and most people are unaware of the quantity of data that can be derived from just an email, including passwords, addresses, device location and linked online accounts or activities. All of this information can be a valuable resource to hostile actors, who can build on these start points to create a detailed profile for social engineering, identity theft or physical targeting. In one recent example of this, an individual’s habits were tracked via a sports app, resulting in the theft of their high-end bike. In another example, an IP address exposed in dark web data provided a correlation between business-sensitive activities which the founders were seeking to keep out of the public eye.
Data which a person has (intentionally or otherwise) released about themselves can pose a risk, but this can to an extent be managed proactively in order to reduce that risk. Information which an individual never intended to see the light of the day often creates bigger problems. Information that has been stolen or leaked can be especially damaging for two primary reasons: firstly the author likely assumed that it would remain private, and secondly they may not know that it has now entered the public domain. In its simplest form this may mean that an account username and password are made available to unauthorised users without the account owner’s knowledge, leading to obvious security concerns. In some instances, exposed credentials or records can be exploited in longer-term attacks.
What can be done about it?
To some extent, the proliferation of personal information is an unavoidable consequence of modern life, but this doesn’t mean that nothing can be done to reduce the risks posed by that proliferation. At the core of this issue is the need to balance convenience and accessibility against privacy and security. This balance, and the acceptable compromises that can be made, will vary from one individual to another, based on their risk appetite and public profile, amongst many other factors.
Kiris Group provides comprehensive assessments of online and digital profiles, working alongside individuals or companies to help deliver an understanding of their online footprint and how to minimise risks, without making uncomfortable compromises. Our team are at the cutting edge of the techniques and capabilities which might be leveraged by threat actors. We help our clients with proportionate, practical measures and solutions to reduce risk to an acceptable level. To find out more, get in touch.