Do you know what information can be found online out about you or your employees? Are you aware of the risks of personal information falling into the wrong hands?

Let’s face it: it’s probably not something you consider very often. However, there are occasions in business when you do need to know, and sometimes, the results can be

pretty shocking!

At the South East Cyber Resilience Centre, we recently delivered two of our Cyber PATH services, our Corporate Internet Investigation and Individual Internet Investigation,

Overview:

The client was completing a risk assessment of their business prior to the commencement of a high-profile contract. They wanted to review the higher-risk individuals within their organisation and understand more about what information was publicly known and readily available about each of them on the Internet so they could manage that information and reduce the risk.  

The organisation contacted us and it was identified that the two appropriate services were the Corporate Internet Investigation and Individual Internet Investigation services.

Working with the Cyber PATH team, a proposal was submitted to the clients that highlighted the work that would be carried out and how findings would be recorded in a comprehensive and digestible report.

Investigation findings:

Using #OpenSourceIntelligence, Looking at one of the employees and using only their first name, last name and company name alone; we were able to present a surprisingly revealing and stunningly detailed report which was far beyond the company’s and the individual’s expectations!

To the clients horror, in a very short space of time we were able to:

• Establish their work and home email addresses with breached passwords linked to both accounts

• View their home broadband router details

• Identified an unsecured electronic car charging point which could have been hacked

• Social media images were also used to confirm the geographical location of the house as could not be found on the usual satellite imagery solutions.

• We then identified the person’s hobbies; places often visited, and immediate family, all with pictures.

• Reviewing social media platforms and other applications, we uncovered further frequent places they visited, including sporting activities they were involved in.

• Immediate family members had incorrect or inadequate privacy settings on their social media accounts.

• Found websites that had previously been used and closed down; however, we were able to locate information and resurrect them from Internet archives, which enabled the confirmation of further personally identifiable information.

What are the risks associated with these findings?

• Compromised broadband router - We could have got close to their home address and pretended to be their home Wi-Fi.  This is called an #EvilTwinAttack, whereby a rogue Wi-Fi hotspot with same name but a stronger signal than the legitimate one is set up, tricking employees or devices into connecting to it instead and capturing their data.  Knowing the places staff regularly visit, we also create  a #MachineintheMiddleAttack, enabling the interception of communications between employees’ devices and a #WifiHotspot to eavesdrop on sensitive information.

• Personal Identifiable Information – When your personal information is not adequately protected online, it becomes vulnerable to data breaches.  Hackers may gain unauthorised access to databases or systems containing your sensitive data, such as login credentials, financial information, or personal details. These breaches can result in further email and /or social media account compromises, and additional crimes linked to identity theft, financial fraud, and other forms of exploitation.

• Lack of Online Privacy — Knowing key information could enable us to conduct targeted #SocialEngineering through email, texts, or even traditional communications on key days/anniversaries to achieve a bigger compromise. This is also known as #SpearPhishing.

• Lack of Regular Updates – Outdated devices often lack the latest security patches and updates, leaving them vulnerable to exploitation by cyber attackers. Hackers are constantly discovering new vulnerabilities and developing ways to exploit them. Without regular updates, your devices remain susceptible to these threats, potentially leading to data breaches, identity theft, or malware infections.

• Physical Risks – A young family member linked to a subject, was found to a be fitness app user, and went on the same run at the same time, every night.  This knowledge of their route and location could have led to #Safeguarding issues.  Constantly broadcasting your location can also make you vulnerable to physical threats such as stalking, burglary, or even physical harm. If malicious individuals or organisations know your exact whereabouts at all times, they could use this information to target you in various ways, potentially putting your safety and security at risk.

The report also enabled guidance to be provided to staff about #OperationalSecurity for example, segregating Work and Home lives, sharing email addresses and email passwords across multiple platforms.

OUTCOMES:

The #CyberPATH team provided a report to the client, highlighting where we found risk. Doing so enabled the organisation to take the below steps to mitigate, making staff safer and reducing the risk to the company:

• Management amended the companies corporate #MediaPolicies so the workforce had better guidance on what could be published, enabling them to control information in the public arena.

• As a result of the report, the IT teams completed a Cyber Health Check of the compromised details within the report. The added protection didn’t only apply to the workplace; the information allowed the company to amend their remote working policy, enabling staff to work from home safely.

• The report also highlighted the risk posed by online privacy settings not being correctly set up, meaning everyone sees everything so this was amended and privacy settings were adjusted.

Overall, the report enabled the business to understand the threats and reduced the risk to staff at work and at home, dealing with the issues before the issues became a headache.

The organisation saw this as a very worthwhile threat assessment and was grateful to accept the findings and implement our recommendations.

It’s an insightful case study that hopefully acts as a cautionary tale for other companies who haven’t adequately assessed the risks or given due consideration to ensuring staff are aware of the threats.

Join our community and receive a FREE information pack, becoming one of the many businesses benefitting from expert guidance and toolkits designed to help boost your organisation's cyber resilience against fraud and cyber-attacks.