In Plaintext: Data Brokers and the Privacy Challenge

Welcome to the inaugural issue of Dark Reading in Plaintext, where each day we bring you insights on topics important to cybersecurity professionals.

The Danger of Online Data Brokers

A few weeks ago, HBO's Last Week Tonight with John Oliver described online data brokers as a "sprawling, unregulated ecosystem, which can get really creepy, really fast." Why creepy? We know cybercriminals and other online adversaries regularly trawl social media to gather information about their targeted victims, and data brokers sit on top of even more information, with up-to-date records on everything from personal emails, phone numbers, family relationships, geographic locations, home and business addresses, browsing and search history, and financial assets to voting records. Virtually everything needed to deploy an online scam, fraud, account takeover, or digital theft is readily available on more than 200 data brokers' websites – sometimes free of charge, and always easily hackable by those with the means and motivations. Indeed, a study of more than 750 enterprise senior leaders by BlackCloak found that an astounding 99% of executives have their personal information available on more than three dozen online data broker websites.

Data ethics and the CISO: The concern around how data is handled – and potentially misused – is something enterprise security teams have to pay close attention to if they want to avoid angering consumers or running afoul of data regulators. "Cybersecurity teams are enablers of data ethics strategies," Jason Albuquerque, COO of Envision Technology Advisors, told Dark Reading. "There are several core ideals of data ethics and how security plays a critical role in their success. The first is obvious: is your organization protecting sensitive data to the best of its ability?"

What is your personal privacy risk tolerance profile? Everyone has to figure out what level of privacy they are comfortable with before deciding what privacy protections they need. Questions to ask include: what kind of personally identifiable information to share, and with whom, as well as what level of online advertising is acceptable. Privacy laws (such as CCPA and GDPR, to name just a couple) give residents a mechanism to force online services to delete their information. Some data entities will respect the request to delete personal data even if the person asking doesn’t live in those geographic locations. There’s no easy way to do it, but depending on your risk tolerance, it may be worth spending several hours periodically to send data brokers those requests.

Speaking of GDPR... Making sure your organization is in full compliance with the European Union’s General Data Protection Regulation may seem daunting, but the good news is that you don’t need an army of privacy and compliance professionals on staff to embark on your GDPR journey.

On That Note

Enjoy this gem from our cartoon archives:

Edge Cartoon: This was the quickest and easiest way to meet our data privacy requirements.

Feeling inspired? Send in your wittiest security-themed caption for this month’s cartoon contest. The winner gets a $25 Amazon gift card!

David Rivas

#SeniorSIRA #CCP #ISO27001 LI #CISM #MCIIS #cybersecurity #informationsecurity #intelligence #SeniorConsultant

2 years ago

David Parish (DPO) (Msc )Security Risk Management that's for you

Christian L.

Threat Intelligence Analyst @ City of Long Beach | Security Operations, Defense

2 years ago

I like it

Alexis Coward

IT Technician| Sec+| Digital Creator

2 years ago

Fantastic read, can't wait to see more!

Alexander Besant

Corporate Engagement at LinkedIn

2 years ago

Looks great Fahmida!
