Do you know what they know?

Do you know what others can find out about you or your employees? Let’s face it: it’s probably not something you consider very often. However, there are occasions in business when you do need to know, and sometimes, the results can be pretty shocking! In the course of providing our Cyber PATH services, we recently came across a fascinating but not uncommon story. It is a cautionary tale for all.

The client was completing a risk assessment of their business prior to the commencement of a high-profile contract. They wanted to review the higher-risk individuals within their organisation and understand more about what information was publicly known and readily available about each of them on the Internet so they could manage that information and reduce the risk.  

The organisation contacted the South East Cyber Resilience Centre, which highlighted two services, Corporate Internet Investigation and Individual Internet Investigation, as suitable solutions. A proposal was duly submitted. The client provided the details of a number of individuals to be researched, and using our talented Cyber PATH students, we spent a couple of days looking at each of the people, recording our findings in a comprehensive report.

Taking just one person as an example, we were able to present a surprisingly revealing and stunningly detailed report which was far beyond the company’s and the individual’s expectations!

Using only their first and last names and their company name, with online reconnaissance, often known as open-source intelligence, we established their work and home email addresses with breached passwords linked to both accounts.  We then identified a home address and pictures of the house inside and out! We could also see their home broadband router details and also identified an unsecured electronic car charging point.  Social media images were also used to confirm the geographical location of the house as could not be found on the usual satellite imagery solutions.

We then identified the person’s hobbies; places often visited, and immediate family, all with pictures.  Reviewing social media platforms and other applications, we uncovered further frequent places they visited, including sporting activities they were involved in.  This was made more accessible because some of their immediate family had social media channels with incorrect or inadequate privacy settings.  We also found websites that had previously been used and closed down; however, we were able to locate information and resurrect them from Internet archives, which enabled the confirmation of further personally identifiable information.

What does this mean?

Personal identifiable information – When your personal information is not adequately protected online, it becomes vulnerable to data breaches.  Hackers may gain unauthorised access to databases or systems containing your sensitive data, such as login credentials, financial information, or personal details. These breaches can result in further email and /or social media account compromises, and additional crimes linked to identity theft, financial fraud, and other forms of exploitation.

Lack of privacy online—Knowing key information could enable us to conduct targeted social engineering through email, texts, or even traditional communications on key days/anniversaries to achieve a bigger compromise. This is also known as spear phishing.

Lack of regular updates – Outdated devices often lack the latest security patches and updates, leaving them vulnerable to exploitation by cyber attackers. Hackers are constantly discovering new vulnerabilities and developing ways to exploit them. Without regular updates, your devices remain susceptible to these threats, potentially leading to data breaches, identity theft, or malware infections.

Physical risks – A young family member linked to a subject, was found to a be fitness app user, and went on the same run at the same time, every night.  This knowledge of their route and location could have led to safeguarding issues.  Constantly broadcasting your location can also make you vulnerable to physical threats such as stalking, burglary, or even physical harm. If malicious individuals or organisations know your exact whereabouts at all times, they could use this information to target you in various ways, potentially putting your safety and security at risk.

The report also enabled guidance to be provided to staff about operational security for example, segregating Work and Home lives, sharing email addresses and email passwords across multiple platforms.

We could have got close to their home address and pretended to be their home Wi-Fi.  This is called an Evil Twin Attack, whereby a rogue Wi-Fi hotspot with same name but a stronger signal than the legitimate one is set up, tricking employees or devices into connecting to it instead and capturing their data.  Knowing the places staff regularly visit, we also create a Machine-in-the-Middle Attack, enabling the interception of communications between employees’ devices and a Wi-Fi hotspot to eavesdrop on sensitive information.

What did we do?

The Cyber PATH team provided a report to the client, highlighting where we found risk. Doing so enabled the organisation to take steps to mitigate, making staff safer and reducing the risk to the company.

Management amended corporate media policies so the workforce had better guidance on what could be published, enabling them to control information in the public arena.

The report also highlighted the risk posed by online privacy settings not being correctly set up, meaning everyone sees everything.

The report enabled IT to complete a cyber health check of compromised details.  The added protection didn’t only apply to the workplace; the information allowed the company to amend their remote working policy, enabling staff to work from home safely.

Overall, the report enabled the business to understand the threats and reduced the risk to staff at work and at home, dealing with the issues before the issues became a headache.

The organisation saw this as a very worthwhile threat assessment and was grateful to accept the findings and implement our recommendations.

It’s an insightful case study that hopefully acts as a cautionary tale for other companies who haven’t adequately assessed the risks or given due consideration to ensuring staff are aware of the threats.

Corporate Internet Investigation and Individual Internet Investigation services are available from any of the Regional Cyber Resilience Centres, find your local Centre using our postcode tool here.