Doxxing, Swatting and Other Physical Threats – An Online Privacy Epidemic

Cyber crime isn’t automatically associated with violent criminal activity. That is, when we think of cyber criminal activity, we tend to think of hackers working anonymously behind computer screens to steal credit card data or other financial information for purposes of personal enrichment. We think of identity theft, or the growing instances of ransomware attacks. However, violent crimes being perpetrated through online means are rising at an alarming rate. The same avenues used by cyber criminals intent on stealing for monetary gain are also being used by threat actors with motivations in mind besides personal enrichment. Doxxing, swatting and other malicious practices are being carried out by threat actors with axes to grind. And lax online data privacy management is enabling these acts of physical violence. The good news is that the same privacy protections designed to defend against theft are also effective at protecting lives.

This document examines the nature of the physical threats being carried out using cyber means. It explains the implications of online privacy management in hardening defenses, and provides proven-effective solutions for protecting yourself, and your company or organization from being victimized online and in the physical world.

Read or watch any news source today and you’re certain to come across a current tale of violence being carried out against specific types of victims. In today’s highly polarized social environment, attacks are on the rise. Focused on certain professionals, political, governmental, and religious figures, political or religious advocacy groups, journalists or even entire specific industries, acts of terror and physical violence are becoming an appallingly regular occurrence.

For example, consider the increasing frequency of violence directed against hospitals, doctors and clinics. Whether at the hands of anti-abortion activists, anti-vaccine conspiracy theorists or others, the number of accounts of medical industry personnel being accosted and, in some cases, attacked or even murdered at their home address is rising. Or, consider the exodus of poll workers, school board members, public school teachers and other public servants or volunteers who have been verbally accosted, hounded and even physically attacked by violent threat actors.

In other cases, physical attacks are directed at executives or even rank and file employees working in controversial and polarizing industries such as gun manufacturing and pharmaceutical companies or in government/public positions. Simply being employed can put workers at risk from dissatisfied customers, extortionist hackers, disgruntled former employees, extremist activists, or just passionate individuals on opposite ends of the political spectrum. For industries in the cross-hairs of culture wars, the rise of physical threats has begun to impact their ability to attract and retain key talent. The fear of working in a public or controversial industry makes employment candidates feel vulnerable to unwanted and potentially dangerous attention.

In a related, alarming trend, physical attacks against utility infrastructure threatens the health and lives of large swaths of people. Whether for political reasons or otherwise, threat actors have been exploiting weak privacy policies to gain access to automated systems managing power generation, water treatment and other critical utility infrastructure. Some have even used unauthorized access to protected online systems to identify locations vulnerable to physical attacks intended to cripple entire regions’ critical infrastructure. National security experts have been expressing concern about the potential for hostile foreign adversaries to gain access and control over nuclear facilities in the US.

Whether motivated by geopolitics, religious fanaticism or any other dynamic, the potential for physical harm cannot be understated. When utilities are brought offline, lifesaving medical treatments and life support equipment is interrupted. Lifesaving emergency medical interventions and surgeries are interrupted. Emergency room capacity is limited. Clearly, threat actors are increasingly focusing on strategies to interrupt utilities and inflict suffering on entire population centers. CNN reports on recent ransomware attacks targeting electric utility companies.

Quantifying the Rising Threat
To illustrate the scope of the rising threat, consider the following statistics:

the number of times more likely corporate executives are to become targets of cyber attack according to the Verizon Data Breach Investigations Report for 2022.

43 million

the number of Americans personally experiencing some form of doxxing

38%

the number of school board members surveyed in October 2022 by Education Week magazine planning to run for re-election to their seats. Two thirds decided to step down with many citing threats to their safety directed at them by far right-wing groups.

10.1 million

the average dollar cost of a data breach in the healthcare industry according to IBM Security’s annual “Cost of a Data Breach Report”

the rank of cyber risk identified by the American Water Works Association in a 2019 report on threats facing the US water sector –Department of Homeland Security and the FBI has been warning on this as well.

101

the number of physical and computerized attacks on electric energy delivery equipment reported in August 2022, up from 97 in instances in all of 2021.

Gaining access to these encrypted systems in order to perpetrate these attacks is commonly achieved by leveraging utility workers’ Personally Identifiable Information or “PII” sourced from Data Brokers, People Search Sites like Spokeo and hundreds of others, or public online sources. With the PII acquired via these channels, threat actors launch spear phishing and other social engineering methods to swindle employees’ login credentials. (For more on how Social Engineering works, read our white paper here.)

The Anatomy of the Doxxing Threat

doxxing
/ˈdäksiNG/
noun
noun: doxxing; noun: doxxing
the action or process of searching for and publishing private or identifying information [releasing private documents or “dox”] about a particular individual on the internet, typically with malicious intent.
Oxford Languages

Here are two examples of doxxing that resulted in threats of physical violence perpetrated against a specific target. In the interest of ideological balance, these examples come from opposing sides of the same underlying social controversy.

Example A)
SFist, a San Francisco news outlet recentl y reported on the activities of an anti-abortion group that had been protesting a local abortion clinic. Such protests are Constitutionally protected examples of speech and assembly. However, when the protest group illegally accessed the clinician’s personal data and released that clinician’s name and home address, the line between protest and criminal threats of violence was crossed. The group proceeded to plaster the clinician’s neighborhood with flyers, further advertising this doctor’s home address with the headline, “There’s a killer in your neighborhood”. This behavior invites violence upon the victim. And while in this instance, luckily, no one was ultimately physically harmed, the clinician’s family was terrorized. The leaders of the protest group were charged with felony stalking and other crimes.

Example B)
Following the US Supreme Court’s overturning of the fifty-year-old Roe vs. Wade ruling which made abortion legal in the US, extremist elements of the pro-choice movement retaliated by doxxing the five conservative members of the court. Technology industry network, Tech Target reported that the Justices’, “physical addresses, IP addresses, and credit card information, including CVV and expiration date… was uploaded to an underground site intended for doxxing”. Again, the unauthorized acquisition and dissemination of these private addresses are essentially a method of delivering a terrorist threat. In this instance as well, luckily, no one was physically attacked.

The same good fortune was not visited on eight separate abortion providers and four responding police officers who were killed after being doxxed by anti-abortion activists between 1993 and 2016 according to National Abortion Federation literature.

The Oxford definition of doxxing above refers to the “action or process of search for and publishing private or identifying information”. Threat actors are easily able to search for and find private information on the targets of their ire with very little difficulty. In fact, Privacy Bee research reveals approximately 99% of executives’ personal data are exposed within dozens of data broker databases and people search sites. For executives and leaders in high profile and controversial industries and organizations, this privacy failure puts them and their families at great risk.

Social media is another source of Personally Identifiable Information (PII) threat actors can harness to perpetrate doxxing attacks. Social media is even more dangerous when it comes to doxxing because unlike people search sites or data brokers, the information is available publicly and for free. Moreover, people voluntarily publish PII to their social media regularly. A bad actor can simply locate their target’s Facebook, Instagram or Twitter page and easily learn the target’s whereabouts, addresses, vacation plans, family relations and other sensitive information.

Isn’t Doxxing Illegal?
This CNN article on doxxing answers the question, “Is doxxing illegal and can you be arrested for doxxing?” The article reveals an inconsistent and porous patchwork of regulations. In Singapore for example, intentional harassment was outlawed in 2014 with fines for violators of up to $3,800- or 6-months jail time. The UK has guidelines for violence against women and girls wherein posting private images or PII to social media without their consent is punishable. In the US, doxxing laws vary widely by state. Nevada recently passed a bill banning doxxing and permitting civil lawsuits to be brought by damaged parties. In California, online harassment including doxxing can land a violator in jail for up to a year and may include fines up to $1,000. However, the plaintiff must prove the defendant intended to visit harm upon the victim and their family by revealing the PII. Many states have no law governing doxxing at all.

What are Social Platforms Doing About Doxxing?
The same CNN article says, “Facebook’s parent company Meta does not explicitly use the term ‘doxxing’ in its privacy violations policy but said in a statement to CNN that it considers users sharing ‘personally identifiable information’ about others a violation of its community standards.” Facebook’s policy is to review content that run afoul of its community standards. They may remove PII such as home addresses that could result in tangible harm. However, if said information is publicly available through news coverage, press releases or other sources, Facebook does not remove it.

When it comes to protecting yourself, your business or organization against doxxing, you’re mostly on your own.

What Can Your Organization Do About Doxxing?
To prevent doxxing, organizations must eliminate exposed personal information that fuels executive phishing, poaching, doxxing, and other security threats. Privacy Bee protects executives, employees and their families from physical violence, retaliation, or threats with the most advanced and effective employee doxxing defense available, trusted to protect some of the most powerful, wealthy, and influential people in the world. With clients ranging from a leading global journalism conglomerate to criminal law firms and pharmaceutical research organizations. Privacy Bee has the most advanced scanning platform with the most extensive coverage, the industry’s highest take down success rates, and 100% real-time reporting. For example, Privacy Bee even goes a step beyond People Search Site monitoring, proxying major search engines and constantly searching for any other kind of attack vectors as well.

The Threat of Swatting – Doxxing’s Deadly Cousin

swat·ting
/ˈswädiNG/
noun
noun: swatting
the action or practice of making a prank call to emergency services in an attempt to bring about the dispatch of a large number of heavily armed police officers [or SWAT teams] to a particular address.
Oxford Languages

Evolving from the ability to dox a perceived enemy, the practice of swatting holds a great potential for catalyzing physical harm upon its victims. And it is a practice that is expanding rapidly in frequency among threat actors. Chief Security Officer magazine’s Cynthia Brumfield says there has been a “surge of swatting attacks targeting corporate executives and board members”. In an article she wrote by the same name, Brumfield recounts the following harrowing tale.

“At around 8:45 pm on February 1, 2023, a caller to the Groveland, Massachusetts, 911 emergency line told dispatchers that he harmed someone in a home on Marjorie Street in the upscale small town 34 miles north of Boston. The caller also said he would harm first responders, too.

Groveland police chief Jeffrey Gillen summoned the police, fire, and emergency mutual aid of the nearby towns of Ipswich, Rowley, Topsfield, and Haverhill. Police evacuated neighboring homes around the house on Marjorie Street but soon found out that the call was a hoax, a “swatting” incident designed to draw significant police presence to a targeted location. So far, no arrests have been made.

This incident is part of a growing surge in swatting attacks across the country, including yesterday, when swatting threats were leveled against nearly a dozen school districts in Michigan and multiple schools in Southern California. Swatting, which derives its name from the specialized police forces known as SWAT teams, is a highly dangerous prank that has caused many accidental injuries and even deaths.”

Though swatting as a practice began among the online gaming community as a prank, threat actors have embraced it as a means for terrorizing the corporate executives, political leaders or other targets of their discontent. Cybersecurity experts agree that swatting directed at corporate entities begins with information purchased from data brokers and People Search Sites.

The growing corporate swatting epidemic begins with threat actors visiting the websites of their corporate foes to identify the top executives and/or board members. They take those names to data brokers or people search sites where they can easily purchase the addresses, phone numbers, email addresses and other PII that may be available for sale at these sites. (To learn more read our white paper about the Threat to Data Privacy Posed by Data Brokers and People Search Sites.)

Then the malicious actors use the addresses of their target to call the police and report a hostage situation, active shooter, murder in progress or other serious crime at the executive’s address. This triggers a swift and overwhelming response as the authorities descend on the address with lethal force at the ready. In the confusion, the victim – the executive or other target of the swatting – is at best terrorized and at worst reacts in ways that get them injured or killed by responding forces. Here’s the story of a swatting call that led to the death of a Tennessee man. This article shares several more tragic deaths caused by swatting.

Like doxxing, swatting is also being aimed at public servants. Recently, there have been increasing numbers of swatting events directed at public schools. On one day in February 2023, m ultiple Southern California schools were sent into lockdown after bogus reports of school shooters were called into law enforcement. On the same day, swatting attacks were launched against public schools in Lansing, Detroit, Jackson, Ann Arbor and Okemos, Michigan, Authorities are still investigating to determine if these events were somehow linked and who is behind them.

Michigan Attorney General Dana Nessel reiterated the potential charges one could face if found and convicted of issuing threats of violence, including:

communicating a threat of terrorism, 20-year felony;
calling in a bomb threat, a four-year felony;
malicious use of a telecommunications device, a six-month misdemeanor; and
threatening violence against school employees or students, a one-year misdemeanor.

Additionally, swatting could result in the following charges:

false report of a crime, a 93-day misdemeanor;
false report resulting in physical injury, a 5-year felony;
false report resulting in a serious bodily impairment, a 10-year felony; and/or
false report resulting in a death, a 15-year felony.

Those that are found guilty of these crimes can face fines of up to $50,000.00, in addition to jail or prison time. However, this is only in Michigan and the laws in other US states vary widely.

Waiting for federal legislation to catch up to the evolving technology and criminal element is not sufficient. Particularly when these types of cyber crimes pose threats more severe than financial losses. There is no price too high when it comes to protecting against the threat of physical violence. The good news is that the actual price to protect any organization against doxxing, swatting and attacks on physical infrastructure is modest.

Get started today with Privacy Bee for business and protect your organization and its personnel from doxxing, swatting and other physical threats. Let us show you how to take control over online privacy management.