By Cynthia Hetherington
Data, at its most annoying, is a commodity with social media sites selling your Likes to data providers. Data, at its most dangerous, allows terrorists and scammers—as near as your neighbor or from faraway lands—to farm from open sources the personal addresses of our military personnel to threaten them and their families. They robocall mercilessly and prey on the elderly. Unfortunately, we share much of the data that generates these annoyances and threats.
In this new blog series, we help you understand the dark side of information sharing. You will learn the pitfalls of oversharing and how to reduce your online risks. You will gain useful tips for protecting your personally identifiable information (PII) and preventing identity theft, learn how to opt out of online vendors and how to remove your PII from three major DNA collection retrieval services.
A variety of information is available to businesses and organizations. While most of the information is non-sensitive, some of it can be sensitive. This week, we review types of information, where it is stored, and federal laws regulating the sharing of such information.
The Dawn of the Internet
Let’s take a moment for a bit of history: The internet began as research commissioned by the United States government in the 1960s to build a communications network that would survive a nuclear attack. By the 1980s, the precursor interconnected regional academic networks and gave way to the modern internet. During the early 1990s, the internet saw continued exponential growth as business, personal, and mobile computers of the general public logged on to it. Nearly everyone became an active, engaged internet user.
Nowadays everyone is online. Just as there are good and not-so-good people in the physical world, there are also good and not-so-good people in the online world. With ubiquity and facility come threats and a need for caution. Losing your identity to online theft is a serious—and all too common—concern. With malware and viruses so covertly blended into today’s modern communications tools, even a software engineer might get duped into identity theft from the most benign-looking email.
Social Networks & Identity Theft
It is incongruous that we fear identity theft from online financial services, e.g., our credit card and bank accounts, yet we disregard the risk of identity theft through our social network profiles. In truth, the established online financial and commerce systems are some of the most trusted sites available, using multi-layered encryption software to protect our financial transactions. Of course, no one system is impenetrable, but why would a cyber-thief choose to battle multi-layered encryption software to steal your credit card information when the open Internet offers up much more easily attainable information?
Today, an identity thief need only turn to the personal profiles posted in social network sites, such as Facebook, Instagram, and LinkedIn, to capture key information about a targeted individual. A full name (even maiden name), date of birth, and current home location gleaned from an open social network account are sufficient data points for a thief to start creating a fraudulent profile. In fact, LinkedIn—the professional’s social network workhorse—holds a veritable goldmine of personal information for identity thieves.
Consider this: LinkedIn requires users to post schools attended and jobs held with corresponding dates. Now, layer on the personal details gleaned from LinkedIn-linked colleagues and friends in the network and you can rather easily crib together a good list of controlled answers for most challenge questions—those security questions used to prompt for a forgotten password.
It is possible that you could lose access to your personal web-based email account simply because an identity thief was able to hijack the account by answering the security challenge question. After gleaning the information from open source search engines, or from unprotected social network profiles, the security challenge question can be mere child’s play for a savvy identity thief.
Should you find yourself discovering the internet’s dark side of personal identity theft, do not pack up, shut down, and remove yourself wholesale from the online world. Instead, alter or completely delete your pertinent information (e.g., date of birth, hometown name, identifying photos) from your social network profile. Edit the profile before deleting it, so the internet crawlers will capture misinformation, not accurate information, for the caching servers, including Google and others.
The prevalence of online identity theft is indeed significant, but do not overlook the traditional venues—the places where you regularly use your credit card. It is sadly almost predictable how often private financial information will likely be compromised (hacked) from point-of-sale equipment in the commercial establishments you patronize.
Cynthia Hetherington, MLS, MSM, CFE, CII is the founder and president of Hetherington Group, a consulting, publishing, and training firm that leads in due diligence, corporate intelligence, and cyber investigations by keeping pace with the latest security threats and assessments. She has authored three books on how to conduct investigations, is the publisher of the newsletter, Data2know: Internet and Online Intelligence, and annually trains thousands of investigators, security professionals, attorneys, accountants, auditors, military intelligence professionals, and federal, state, and local agencies on best practices in the public and private sectors.