One risk business owners often overlook is the personal information about their team members that is available online, mostly thanks to people-search sites. This information poses both physical and cyber threats to every business, regardless of size.
People-search sites scrape the web for public records, social media activity, and other available information about individuals, which they then use to create detailed profiles to sell to anyone who wants them.
When you google someone’s name, these sites appear in that person’s search results. All someone needs to do is search for you or another key member of your organization to discover an amazing amount of revealing, personal information that can be used for hacking, extortion, and other crimes that affect your safety or your bottom line. This information includes:
- Home addresses and photos
- Names and photos of family members
- Work history
- Phone numbers
- Social media activity
- DMV records
Here are some common ways personal data can harm your business, as well as some tips on how to protect your organization.
The level of detailed information available online makes business owners and executives especially vulnerable to stalking and physical attacks. Here are some examples of business executives whose online information enabled people to find and threaten them at their home addresses:
- Apple CEO, Tim Cook—On December 4, 2019, a man named Rakesh Sharma entered Tim Cook’s home carrying flowers and champagne. He then tagged Mr. Cook in several suggestive pictures on Twitter. Mr. Sharma trespassed again a month later and rang Mr. Cook’s doorbell. By the time the police arrived, the man had fled the scene. The incidents spurred Mr. Cook to file a restraining order against the individual. Mr. Sharma has also threatened other Apple executives, stating that he “knows” where one of them lives. He also said he or someone he knows would use a gun.
- Arizona skincare products company CEO—The man, whose name is being kept anonymous by the police, was threatened at his house by Jacqueline Claire Ades, a woman he had met once via an online dating site. In July 2017, he discovered her parked outside his home and called the police. This led Ms. Ades to send him more than 159,000 text messages, including one that said “I’d make sushi outta ur kidneys n chopsticks outta ur hand bones.” A year later, he saw her via security footage taking a bath at his home while he was away. When police arrested her, they found a large butcher knife in her car.
- Snapchat cofounder and CEO, Evan Spiegel—He was stalked and harassed in 2015 by someone calling themselves Ramon Martinez. Mr. Martinez has sent him numerous Twitter, Snapchat, and email messages that mention President John F. Kennedy’s assassination, actress Rebecca Schaeffer’s murder, cutting car break lines, and Molotov cocktails. The alleged stalker also sent a package to Mr. Spiegel’s home address containing a gun magazine.
Corporate activism—or mistaken identity
Your company’s good name is vulnerable to attacks—often for no good reason—and when that happens, executives or business owners increasingly find themselves personally targeted. Whether it’s your brand or your CEO earning negative attention, would-be attackers turn to personal information to try to force your hand.
It doesn’t even matter whether the company or individual has done anything to deserve the mob’s outrage. Public opinion can be turned by a CEO’s decision, a simple case of mistaken identity, or by the ravings of someone who is simply out to ruin a particular business or individual. Regardless of the reason for coming under fire, the fallout from this kind of crisis can affect an organization’s bottom line by diminishing the company’s standing in the eyes of the consumers and investors alike.
Here are some recent examples:
- Starbucks CEO Howard Shultz—When Mr. Shultz decided to tackle racial equity by having baristas write “race together” on customers’ coffee cups in 2015, the company faced a massive public backlash. Shultz commented that the “volume of negative attention was like nothing the company had ever seen.” As a result of the controversy, the company’s head of global communications received death threats.
- New York City charity—During the Gamestop investment coup that took place on January 28, 2021, the stock app Robinhood came under intense social media fire for stopping trading after a group of Reddit users drove up the stock price. Unfortunately, social media protesters mistakenly attacked a New York City charity named Robin Hood, forcing them to put out a statement denying their involvement.
- Singapore CEO—Tuhina Singh was doxed because she was misidentified as a woman from a viral video, refusing to put on a mask amidst the coronavirus pandemic. People posted her personal details (including her name, her picture, and the names of her coworkers) on social media. This led to an outpouring of racist and xenophobic comments towards her, which forced her company to publish statements proclaiming her innocence.
“It has come to our attention that there has been misinformation spreading across the social media about our CEO, Ms Tuhina Singh, being confused as the Singaporean woman who was recently arrested for flouting Covid-19 mask rule and claimed to be ‘sovereign’. We are glad the matter is resolved. The real lady has been identified and appropriate action taken by authorities.”
- Finance marketing executive—Peter Weinberg was misidentified via the activity on his fitness app as being the person who attacked several young girls on a bike trail. The problem was, the police mixed up the dates when they asked the public for help in identifying the man. Mr. Weinberg had, in fact, ridden that trail the previous day. Still, people found his data online and posted his name and address. Soon, he was receiving thousands of threats like these: “Hey you racist b****….we’re coming for you.” “You deserve to pay.” “Ur going down u disgusting piece of s***.” “Nice job assaulting a small child today. You need to be fired from your job immediately.”
An impersonation attack relies on knowledge of human nature and personal details available online to fool someone into believing that someone is who they say they are to commit industrial espionage, fraud, or identity theft, all of which can end up costing your company its competitive edge and significant revenue.
In these scenarios, a criminal pretends to be an individual whom people are unlikely to question, like an inspector, construction worker, or IT specialist. They also can pose as new employees or individuals from a remote office.
To gain your team’s trust, imposters research the people they are most likely to meet. From what they can find on the internet, they can learn their names and job titles, and even personal tidbits about their managers, which they can use to make their visit more believable.
After gaining access to the building, they are free to download information, take pictures, or install spyware, because most people are uncomfortable challenging someone who looks like they belong there.
In one case, a security firm tested a bank’s onsite security measures and was able to infiltrate it by impersonating payment card industry (PCI) auditors. They simply showed up for a surprise inspection carrying clipboards, wearing shirts bearing a logo, and having researched the appropriate jargon that the employees use.
They crawled along the floor for 90 minutes, doing “official-looking” things like checking cables and affixing stickers on network jacks. Meanwhile, they were able to photograph sensitive equipment and convince an employee to log in to a workstation so they could capture the individual’s credentials on video.
Criminals also use the personal information they can find about your team members to conduct phishing attacks—a type of cybercrime that involves sending fake messages (mostly by email, but that can also involve phone calls or SMS text messages) to trick people into giving away sensitive information, downloading malicious software, or transferring money.
Usually, these messages appear to come from a trusted source, like a boss, coworker, or corporate vendor, which is what makes them so effective.
There are two types of phishing attacks that target businesses:
- Spear phishing attacks—Messages designed to motivate a particular individual to take some action. In 2019, 88% (PDF) of businesses around the world experienced spear-phishing attacks.
In this example, someone spoofing an executive’s email account is targeting someone with access to the company payroll information to obtain employees’ valuable personal data.
- Whaling attacks—Phishing emails directed at high-level executives.
In this whaling example, Chinese cybercriminals drafted an email to a Mattel executive using the identity of the company’s new CEO, asking the recipient to approve a $3 million payment to a supplier in China. The recipient transferred the money, which the firm was unable to recover.
This is just the tip of the iceberg when it comes to business threats from personal information. And as time goes on, bad actors become more savvy and sophisticated in the ways that they use this information to bypass your defenses.
To protect your company, you need a comprehensive security plan that centers around removing personal information from the internet. This is a time-intensive process that involves several important steps.
First, you’ll need to determine which key employees need protection. The most vulnerable individuals are those who have access to confidential information, decision-making power, or other qualities that make them targets for your competition, cybercriminals, and other bad actors.
After identifying the team members most at risk, it’s a good idea to design a policy framework to safeguard their privacy as you scan for their personal information and report on it.
The next step is to identify which of the hundreds of people-search sources out there are publishing your team members’ personal details. You’ll also need to search the dark web for sites selling your team’s information, as well as any social media sources that support them.
Finally, you’ll need to track down any other websites that are exposing your people’s personal data online and then go through the different opt-out procedures for each site for each employee. This can be an arduous task, depending on the size of your team and the number of sites that are posting their information.
Unfortunately, you aren’t done once you complete the opt-out process. This is because people-search sites are constantly scanning for new information and may repopulate your team’s profile when new data appears online. As a result, you will need to assign resources to continually monitor these sites to ensure your team’s privacy remains intact.
ReputationDefender has extensive experience working with businesses of all sizes to develop customized privacy protection solutions. Whether you’re a small business or a Fortune 500 corporation, we can help you manage your team’s personal information online. Give us a call for a free consultation.