Who’s Got Hold of Your Personal Information? Data Brokers Are Big Business

May 4, 2022


The internet has made collecting and selling personal data easier than ever, and personally identifiable information (PII) is particularly valuable to one growing industry: data brokers.

Data brokers are businesses that gather information — often sourced from commercial databases or from the open web — and sell or license that information to third parties for a fee. This data can come from public records, consumer marketing lists and social media. Data brokering has become a multibillion-dollar industry, and these businesses use personal information in ways that range from the commonplace to the controversial.

“The primary focus of these sites is to collect information such as dates of birth, home addresses, personal contact details, emails and names of relatives,” says Catarina Kim, managing director of the Intelligence Group in Aon’s Cyber Solutions. “They have dual use purposes. On the surface, a user can buy a report on the site to vet the background of a person. However, this data can also be used by bad actors to conduct social engineering, account takeovers or target members of the public.”

There are also other, more nefarious data brokers. These threat actors typically operate on the dark web and traffic data that have been stolen or exfiltrated through third-party data breaches.

For business leaders or other high-net-worth individuals, either type of data brokering activity can present a very real risk if their personal information is used by individuals who might want to target them or their families for harassment, fraud or criminal activities.

In Depth

The amount of personal information available on the open web is vast and often highly accessible, especially in the United States. A simple search can provide such details as an individual’s associated telephone number, email address, mother’s maiden name and other data that can be used for phishing, answering password reset questions and even engaging in more sophisticated attacks to defeat two-factor authentication on bank accounts. Vehicle license plate numbers and information about the make and model of an executive’s car might also be readily available.

“People are often unaware of how much PII is available about them online. Cyber criminals can complement what’s accessible for free on the open web by leveraging data found on the dark web, including compromised passwords for email addresses that were breached through third-party sites such as a food delivery service or online marketplace,” says Dennis Lawrence, a senior consultant in the Intelligence Group at Aon’s Cyber Solutions. “This is particularly relevant since many people reuse old passwords or use slight variations of them.”

“Those are all things that could be used and leveraged in a very strategic way by certain people if they got into the wrong hands, especially if it is information about a senior executive or a high-net-worth individual,” says Kim. “It can be used to access their email accounts, extort them, impersonate them and to commit fraud.”

Identifying and Controlling Data Vulnerability

Determining what information might be available about executives or other prominent individuals is an important process and one that must be repeated regularly.

“On the open web, the companies that sell this information are legitimate businesses. This is not obviously stolen data, these are data sets that they are buying from other companies that have collected this information,” says Kim. “If the sites refresh their data in six months, information gets repopulated even after an opt-out request has been submitted. So it’s not necessarily a one-and-done.” As a result, it’s best to take a proactive approach to managing personal information online. Individuals can begin with a vulnerability assessment to examine their digital footprint, using open, deep and dark web sources to identify areas of risk.

“Anything that’s publicly accessible, anything that we can glean from social media, anything that we can glean from the dark web, those are the first things people should consider reviewing,” says Kim. When possible, individuals can opt out from having their information sold, or, in some cases, records can simply be removed from websites.

If individuals choose to keep posting on social media, they should understand the privacy settings they can apply to their activities. “There are ways that you can lock down your profile so you can still share information without providing access to people outside your circle,” Kim says, noting the benefits of “proactive monitoring.” This entails constantly scanning the open and dark web for information on individuals that might be leveraged against them.

As Information Moves, Risks Increase

A lawsuit filed earlier this year by a data broker against one of its customers speaks to some of the risks associated with information as it changes hands.

While there aren’t widespread laws governing data brokers’ activities, some U.S. states like California require data brokers to register with the state’s attorney general. The California Consumer Privacy Act also gives residents of the state some rights and protections concerning their personal information. “It’s very specific to California residents,” says Kim. “I don’t foresee that happening uniformly across the United States.”

Other regions have specific legislation in place to protect individuals from data exposure risks. In Europe, the EU has pursued data brokers accused of violating the General Data Protection Regulation (GDPR).

Managing the Power of Personal Data

Personal information about executives or high-net-worth individuals that falls into the wrong hands becomes a powerful risk. Once sensitive data has made its way to the internet, it may be too late to control potential damage. However, by understanding the sorts of information being collected and shared by data brokers and taking steps to limit the amount of data available, individuals can better protect their personal information online.

“Clients will often come to us once an event has happened,” says Lawrence. “But the best way to think about this is that you can help avoid a lot of heartache and violation of privacy if you take action before that potential event occurs down the road.”