As executive threats soar, information hardening is key to security
The assassination of UnitedHealthcare’s CEO last December continues to be a grim reminder of the personal threats that many executives face. At a time of escalating political rhetoric and social divisions, corporate executives frequently find themselves caught in the middle — targeted by angry activists, organized criminals or lone-wolf actors.
As companies grapple with the growing threats to their executives, they need to prioritize strategic information “hardening” as a key part of their overall strategy. By limiting the public and commercial sources of sensitive personal information — such as physical locations, family members, etc. — they can significantly reduce the executive’s overall attack surface. This should be a central part of any executive protection program.
Scrub Dangerous Personal Info From Websites and Social
Shortly after the shooting, several healthcare and insurance companies took action and removed executives’ photos from their websites, with some companies even deleting their entire senior leadership pages altogether.
These efforts reflect a new normal within corporate America: trying to reduce the depth of easy-to-find data highlighting the personal lives of executives. However, executives are public figures, so companies should not assume they can keep their identities hidden. It’s important to focus on key information that could make it easier for an attacker to track the person’s location or to target their family members.
For example, many corporate bios include sensitive details, such as the names of spouses and children, loved ones’ photographs and references to the city/town where they reside. These details are often included to make the person seem more “human” and relatable, but they provide valuable clues that a determined attacker can use to cause harm.
Executives’ social media accounts should also be restricted so that only approved connections can view their information. These online profiles should be similarly stripped of personal information and executives should refrain from posting anything too revealing, such as personal photos and photos that might reveal details of physical security controls — like alarm sensor placement.
Additionally, executives and the companies’ social media teams should avoid posting any live updates of an executive’s physical location and future travel plans.
Indirect Leaks Through Family’s Social Media
It is extremely common for an executive’s children to unwittingly share sensitive private information — and actionable intelligence — through social media and dating apps. This is a significant area of risk that is often overlooked by corporate security teams.
The highest-risk apps are those that require geolocation sharing, such as dating apps like Tinder. However, there are other social media or messaging apps that may encourage geolocation sharing, such as Snapchat’s Snap Map. Community apps such as Nextdoor also reveal the user’s general location.
It is also important for any digital executive protection program to include monitoring and protection for these key family members. They should be kept from posting sensitive photos or videos that expose the neighborhood or exact address of the home, the home’s exterior, the vehicles they drive (especially if the license plate is visible), schools, gyms, or any other images or information that could be used to identify their location or regular daily routines. Photos and videos of loved ones can also be harvested for use in AI-powered virtual kidnapping scams.
Data Broker Profiles
The vast majority (99%) of senior executives have personal information exposed on the many data broker sites that operate legitimately in the United States. These data broker profiles are the holy grail for a malicious actor, as they provide enough information for an attacker to physically locate or track the executive, find family members they can target, hack the home network, doxx them, and much more. Data broker profiles can also facilitate “swatting” attacks, which put the entire family in danger while law enforcement officers respond to what they must assume is a real threat.
The most common types of information exposed on data broker sites include: home address, vacation home address, real estate transaction histories, family members, neighbors, vehicle registration, cell phone and landline numbers, email and social media accounts, and home network IP address.
Companies must take steps to remove these profiles. It is not an easy process, and many data brokers will relist the information any time new public data enters the system (such as a real estate purchase or speeding ticket), but it can be done. There are plenty of third-party services available that can monitor these sites and have information speedily removed. It’s important for companies to partner with comprehensive and collaborative providers on this front to ensure widespread removal takes place.
Real Estate Sites
Many state and county governments provide a public-facing database of real estate holdings, which in some cases can be easily searched by the person’s name.
Consumer-focused real estate sites, such as Zillow, Realtor, Redfin, and others also retain interior and exterior photos of listed properties, even long after the sale has been completed. There are also a growing number of news sites and blogs that report on the real estate transactions of high-profile figures, and may provide enough revealing information to find the home’s physical address.
Executives’ home purchases can — and should — be masked through trusts, corporations or other means. However, this doesn’t completely solve the problem and in some cases the person’s true identity can be unmasked by a little basic sleuthing.
First, as part of the home purchase, the new owner should contractually obligate the listing agent to remove all pictures and descriptions of the home from the multiple listing service (MLS) and any other tertiary real estate sites under their control.
Second, the images of the home that are in the listing should be assigned to the new owner for some consideration (i.e., payment), giving that owner all rights to the images. Once this transfer has taken place and the new resident owns the copyright for the images and/or the listing description, a “take down request” can be made to the owner of the website. If that request is not honored, then the owner can request that the hosting provider take down the entire website or page with infringing (copyrighted) material. This is all courtesy of the Digital Millennium Copyright Act (DMCA).
Dark Web Data
Executives’ emails, account passwords, Social Security Numbers, credit/debit card numbers, and even some insurance and health information may also be found on the Dark Web.
This data is usually collected by cybercriminal groups who hack into corporate networks and databases. They then sell the stolen information to other criminals or dump it on a public forum to punish the company after a failed ransomware negotiation.
It is critical for all corporations to have robust Dark Web monitoring included as part of their overall cybersecurity efforts. While it is difficult to have these websites shut down or disrupted (that would require a coordinated federal law enforcement effort), by identifying this leaked information, the company can take steps to increase its security protection for the affected executives and thus get ahead of the threats.
Physical Security Hinges on Data Security
The vast majority of threats begin online, with information gleaned from the Surface or Dark Web.
Corporate security teams must conduct regular open-source intelligence (OSINT) assessments on their top executives to find out exactly what, where, and when sensitive information is being exposed. Monitoring should also extend to commercial data sources, such as data brokers, and criminal networks on the Dark Web.
While it may seem overwhelming, it is possible to drastically curtail the exposure of this sensitive information by routinely monitoring and searching for this data, and by taking the appropriate remediation steps or partnering with organizations that are able to provide this level of support.