There are several factors for the historic surge in data breaches. These include the proliferation of mobile devices, the amount of data transferred, more digital storage, and poor security measures such as weak passwords and encryption protocols.
However, these factors do not represent the biggest security threat.
Humans: The Weakest Link in Digital Security
According to Verizon’s 2022 Data Breach Investigations Report, 83% of all data breaches involve a human element. Hackers and other threat actors are well aware of this fact and take full advantage of it.
One way that hackers take advantage is through the use of social engineering tactics.
Social engineering (for brevity, “SE”) is a common set of tactics used in data breaches. The reason is that it exploits the weakest link in the digital security chain: people.
Threat actors use publicly available sources, such as People Search Sites, to obtain information that can be used in an SE attack. Other common sources of personally identifiable information (PII) include Data Brokers, public records, social media accounts, and websites. PII is often combined with SE tactics to craft convincing spear phishing messages.
The Scourge of Social Engineering and PII Exposure
“Social engineering bypasses all technical controls, including firewalls.” – Kevin Mitnick, world-famous hacker turned cybersecurity expert
PII’s proliferation, dissemination, and publication fuel data breaches, making social engineering attacks an even more significant threat. Anyone can be a social engineer, circumventing technical controls and making detection difficult.
As Kevin Mitnick stated, “Social engineering bypasses all technical controls, including firewalls.”
With more threat actors and attacks that bypass traditional methods, it’s no surprise that data breaches continue to rise. The consequences for organizations are severe, from sensitive data access to reputational damage. The question remains: where does the employee information that enables these attacks come from?
The four primary sources of employee PII
Social engineers, hackers, and other threat actors usually acquire employee data from one of four primary sources:
- Public sources: Social engineers gather information from publicly available sources, including People Search Sites, social media profiles, and others. SEs may also purchase this data from Data Brokers (see Data Brokers below).
- Data Breaches: Employee PII is often among the data stolen in a breach. PII is also frequently taken as a secondary byproduct: the hacker targets specific systems or data sources but finds and steals other types of data, including PII, along the way.
- Data Brokers: Data Brokers collect and sell personal information on individuals. Moreover, Data Brokers have been criminally indicted for selling PII to illicit persons and criminal organizations. Several others have been hacked, resulting in vast stores of PII being leaked.
- People Search Sites: People Search Sites compile PII by aggregating publicly available information from various sources, including social media profiles, public records, and others. People Search Sites may also offer additional services such as background checks or reverse phone lookups, which can provide even more detailed PII.
Data Brokers and People Search Sites
Data Brokers and People Search Sites are data hoarders collecting and selling personal information about individuals without their knowledge or consent. This data can include names, addresses, phone numbers, e-mail addresses, social media accounts, financial records, and more. The Data Broker then sells this data to individuals or organizations.
The problem with Data Brokers is that they often lack appropriate security measures to protect the data they collect, and they usually gather and sell that information without the individuals’ consent. As a result, an individual’s data can easily be stolen by (or sold to) hackers, criminal organizations, or other bad actors and used for malicious purposes without the individual ever knowing.
What to do about it
So, what can be done to reduce these risks?
Here is a simple 5-point checklist that business leaders can use to reduce the risks of a data breach:
- Educating employees on recognizing and preventing social engineering tactics, which can significantly reduce the risk of data breaches.
- Learning to recognize the telltale signs of social engineering communications, including:
  - A false sense of familiarity
  - Exaggerated promises
  - Fear tactics, including FOMO
  - “Social proof” (Person “X”, “Y”, and “Z” have already done it…)
- Automating hardware and software patching.
- Implementing robust authentication measures (e.g., 2FA, MFA).
- Investing in an External Data Privacy (EDP) solution.
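The four telltale signs listed above can be turned into a simple screening heuristic. The following Python scorer is an added example, not code from the original article or from Privacy Bee; the cue phrases, the two-cue threshold and the two sample messages are constructed assumptions chosen to illustrate the idea, not a validated phishing model.

```python
"""Heuristic scorer for the four social-engineering cues named in the checklist.

Constructed example: the regexes below are illustrative wordings for each cue,
not an exhaustive or tuned phishing signature set.
"""
import re

# One list of regexes per cue category from the checklist.
CUE_PATTERNS = {
    "false_familiarity": [
        r"\bas we discussed\b",
        r"\bper our (?:last |recent )?(?:conversation|chat|call)\b",
        r"\bremember me\b",
        r"\blong time no (?:see|talk)\b",
    ],
    "exaggerated_promise": [
        r"\bguaranteed\b",
        r"\brisk[- ]free\b",
        r"\bdouble your\b",
        r"\b100% (?:free|safe|secure)\b",
    ],
    "fear_tactics": [
        r"\burgent(?:ly)?\b",
        r"\bimmediately\b",
        r"\bwithin \d+ hours\b",
        r"\b(?:suspended|locked|terminated|closed)\b",
        r"\b(?:last chance|final notice|act now|don't miss out)\b",
    ],
    "social_proof": [
        r"\beveryone (?:else )?(?:has|is)\b",
        r"\byour (?:colleagues|coworkers|team) (?:have|has) already\b",
        r"\b\d+ (?:people|users|employees|colleagues) (?:have )?already\b",
    ],
}

# Compile once; matching is case-insensitive so "Act now" and "act now" both hit.
COMPILED = {
    cue: [re.compile(p, re.IGNORECASE) for p in patterns]
    for cue, patterns in CUE_PATTERNS.items()
}


def score_message(text):
    """Return {cue: [matched phrases]} for every cue category present in text."""
    hits = {}
    for cue, regexes in COMPILED.items():
        found = []
        for rx in regexes:
            found.extend(m.group(0) for m in rx.finditer(text))
        if found:
            hits[cue] = found
    return hits


def is_suspicious(text, min_cues=2):
    """Flag a message when at least min_cues distinct cue categories appear.

    Requiring two categories (assumed threshold) keeps a single word such as
    "immediately" in an ordinary work e-mail from triggering on its own.
    """
    return len(score_message(text)) >= min_cues


# Constructed sample messages: one built from the checklist cues, one benign.
SAMPLE_MESSAGES = {
    "phish": (
        "Hi Dana, as we discussed, your colleagues have already enrolled. "
        "Act now: your payroll account will be suspended within 24 hours "
        "unless you confirm immediately."
    ),
    "benign": (
        "Hi Dana, the Q3 budget review is on Thursday at 10. "
        "Slides are on the shared drive."
    ),
}

if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        print(label, is_suspicious(msg), score_message(msg))
```

Keyword heuristics like this produce false positives on legitimate urgent mail, so a scorer of this kind is best used as one signal feeding a user-reporting or mail-gateway workflow alongside the awareness training the checklist calls for, not as a standalone control.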
External Data Privacy (EDP)
External Data Privacy is the scanning, deleting, and monitoring of PII from public data sources, specifically Data Brokers and People Search Sites. EDP is a valuable and proactive measure against data and other security breaches, as it protects personal information from being exposed.
1. Check if your Data Brokers have your information
2. Submit a removal request to Data Brokers who have it
3. Continue to monitor your information so that:
  - Any deleted information stays deleted
  - Any newly leaked information is detected and acted on
By scanning for, deleting, and monitoring PII from over 350 Data Brokers and People Search Sites, EDP can mitigate the risk of a Data Breach by stopping unauthorized access to or use of sensitive information. Moreover, EDP can help your organization comply with data privacy regulations such as GDPR and CCPA.
Privacy Bee offers several free services to help get you started. These include:
- A comprehensive Risk Assessment and Privacy Risk Score
- 24/7 Breach Monitoring with e-mail alerts
- Thousands of DIY guides for removing your data from all major Data Brokers and People Search Sites
- Information on what data was exposed and where