Most businesses employ extensive processes and technology to prevent online attacks on their team members and IT systems – anti-virus, anti-spam and phishing prevention tools have become ubiquitous, and ongoing cybersecurity training for staff has become standard. But not enough security teams take steps to close an additional and sometimes non-obvious security gap: the risks posed by allowing the home addresses of executives and employees to flow unchecked and proliferate online.
Just do a Google search on a friend or colleague to see how easy it’s become for anyone to obtain someone’s home address from people search data brokers who openly post and sell people’s personal information online.
This type of information gets used by salespeople and recruiters, or to find long-lost friends, but it’s also used for more dangerous activities. Adversaries have become much more sophisticated and are taking the time to study their targets in advance online.
Preventing data breaches and phishing are of course a major concern for businesses, but preventing physical attacks has also become increasingly critical. Every week I speak with company executives concerned with angry customers, disgruntled former employees, or public opponents potentially showing up to their homes uninvited.
For instance, I heard this from a technology company CEO: “I had a recent incident where an upset customer found my personal phone number, along with my wife’s, and started harassing us over the phone and with texts. This person also said they had our personal address and were going to show up at our home to confront me. I have young children at home, so these issues have become a bit more complex and worrisome for me.”
I also know a former high-ranking executive at a major social media platform who was targeted by an extremist group after that group was banned from the service. Representatives of the group obtained the home address of the executive and began making physical threats, which resulted in the social media platform needing to staff a private security guard at the executive’s home for several weeks until the threats died down.
My advice to those with similar concerns is to take the following steps, which can minimize the chance of a home address appearing online in the first place:
- Company officers should not use their home address for corporate filings.
- Use virtual mailboxes, package receiving services, personal mailboxes (PMB) and P.O. boxes wherever possible instead of a home address for mail.
- Consider using a virtual credit card company with an alias name to purchase items online: there are several virtual credit card companies that let people use an alias name when making purchases.
- When moving, do not use the United States Post Office’s permanent change of address form. They frequently sell this information to third parties. Instead, use the temporary change of address form, and manually change the address for your important accounts.
- One of the biggest sources of publicly available home address data is home purchases, because the purchase is public record. Once a name is tied to a home address via a public record, it is very difficult, and in many cases impossible, to get removed. You can purchase a home using a trust instead of in your own name, but you must consult with an estate planning attorney who is skilled in privacy protection to ensure you do it right.
If the home address has already been posted online, here are the three steps for removing it:
- Assess what’s out there: Start by assessing the scope of the problem by conducting online searches or scans. Do this with popular search engines, or using a free or paid service that scans the internet for an individual’s information online. At a minimum, the scan should incorporate first name, last name, city, state and age. Our scans find approximately 100 exposed profiles per person at data broker sites. Also consider dark web scanning when assessing risk exposure. However, it’s not possible to remove personal information from the dark web if it’s found.
- Remove it: Once the problem has been assessed, request the information be removed. People search data broker sites are the most common source of unwanted home address publication in the U.S. With the passage of new privacy laws across a growing number of states, nearly all U.S. data brokers have an opt-out procedure, though the ease of the process varies greatly by the data broker. People are typically required to fill out an online form for each person opting out, and then it can take anywhere from a few days to several weeks to remove the data.
- Monitor to make sure it isn’t reposted: Respect for privacy regulations and opt-out preferences varies widely across data brokers. Data brokers also synthesize their own proprietary datasets from a large number of upstream sources, such as public records databases, web scraping, and data purchases from other companies. So home address data frequently re-populates, either intentionally or unintentionally. Keep in mind that there’s a lot of activity in the data broker space, with lots of mergers and acquisitions and new entrants popping up all the time. Unfortunately, this creates a monitoring burden to ensure that when data repopulates, it’s quickly located and removed. This means automated scans at regular intervals are critical – at least monthly.
If all of this sounds difficult and time-consuming – it is. Solutions to these problems run the gamut, from manual searches and removals by hand to dedicated white-glove security and legal staff doing the work in-house, full-time. It’s also possible to use scanning and removal services with enterprise features such as SSO, SAML and SCIM for automated provisioning, AICPA SOC 2 audits, removal validation through screenshots and deep links, and custom request workflows.
However the company approaches it, it’s important to think about and address availability of home address information online. Start by ensuring personal details aren’t found in the first place, and then start finding and removing everything possible. This can go a long way towards keeping the company’s employees and executives safe and protected.
Lawrence Gentilello, founder and CEO, Optery