Data Privacy Week is here, and there’s no better time to shine a spotlight on one of the biggest players in the personal information economy: data brokers. These entities collect, buy, and sell hundreds—sometimes thousands—of data points on individuals like you. But how do they manage to gather so much information, and for what purpose? From your browsing habits and purchase history to your location data and even more intimate details, these digital middlemen piece together surprisingly comprehensive profiles. The real question is: where are they getting it all, and why is your personal data so valuable to them? Let’s unravel the mystery behind the data broker industry.

What are data brokers?

Data brokers aggregate user info from various sources on the internet. They collect, collate, package, and sometimes even analyze this data to create a holistic and coherent version of you online. This data then gets put up for sale to nearly anyone who’ll buy it. That can include marketers, private investigators, tech companies, and sometimes law enforcement as well. They’ll also sell to spammers and scammers. (Those bad actors need to get your contact info from somewhere — data brokers are one way to get that and more.)

And that list of potential buyers goes on, which includes but isn’t limited to:

• Tech platforms
• Banks
• Insurance companies
• Political consultancies
• Marketing firms
• Retailers
• Crime-fighting bureaus
• Investigation bureaus
• Video streaming service providers
• Any other businesses involved in sales

These companies and social media platforms use your data to better understand target demographics and the content with which they interact. While the practice isn’t unethical in and of itself (personalizing user experiences and creating more convenient UIs are usually cited as the primary reasons for it), it does make your data vulnerable to malicious attacks targeted toward big-tech servers.

How do data brokers get your information?

Most of your online activities are related. Devices like your phone, laptop, tablets, and even fitness watches are linked to each other. Moreover, you might use one email ID for various accounts and subscriptions. This online interconnectedness makes it easier for data brokers to create a cohesive user profile.

Mobile phone apps are the most common way for data brokerage firms to collect your data. You might have countless apps for various purposes, such as financial transactions, health and fitness, or social media.

A number of these apps usually fall under the umbrella of the same or subsidiary family of apps, all of which work toward collecting and supplying data to big tech platforms. Programs like Google’s AdSense make it easier for developers to monetize their apps in exchange for the user information they collect.

Data brokers also collect data points like your home address, full name, phone number, and date of birth. They have automated scraping tools to quickly collect relevant information from public records (think sales of real estate, marriages, divorces, voter registration, and so on).

Lastly, data brokers can gather data from other third parties that track your cookies or even place trackers or cookies on your browsers. Cookies are small data files that track your online activities when visiting different websites. They track your IP address and browsing history, which third parties can exploit. Cookies are also the reason you see personalized ads and products.

How data brokers sell your identity

Data brokers collate your private information into one package and sell it to “people search” websites. As mentioned above, practically anyone can access these websites and purchase extensive consumer data, for groups of people and individuals alike.

Next, marketing and sales firms are some of data brokers’ biggest clients. These companies purchase massive data sets from data brokers to research your data profile. They have advanced algorithms to segregate users into various consumer groups and target you specifically. Their predictive algorithms can suggest personalized ads and products to generate higher lead generation and conversation percentages for their clients.

Are data brokers legal?

We tend to accept the terms and conditions that various apps ask us to accept without thinking twice or reading the fine print. You probably cannot proceed without letting the app track certain data or giving your personal information. To a certain extent, we trade some of our privacy for convenience. This becomes public information, and apps and data brokers collect, track, and use our data however they please while still complying with the law.

There is no comprehensive privacy law in the U.S. on a federal level. This allows data brokers to collect personal information and condense it into marketing insights. While not all methods of gathering private data are legal, it is difficult to track the activities of data brokers online (especially on the dark web). As technology advances, there are also easier ways to harvest and exploit data.

As of March 2024, 15 states in the U.S. have data privacy laws in place. That includes California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire.[i] The laws vary by state, yet generally, they grant rights to individuals around the collection, use, and disclosure of their personal data by businesses.

However, these laws make exceptions for certain types of data and certain types of collectors. In short, these laws aren’t absolute.

Can you remove yourself from data broker websites?

Some data brokers let you remove your information from their websites. There are also extensive guides available online that list the method by which you can opt-out of some of the biggest data brokering firms. For example, a guide by Griffin Boyce, the systems administrator at Harvard University’s Berkman Klein Center for Internet and Society, provides detailed information on how to opt-out of a long list of data broker companies.

Yet the list of data brokers is long. Cleaning up your personal data online can quickly eat up your time, as it requires you to reach out to multiple data brokers and opt-out.

Rather than removing yourself one by one from the host of data broker sites out there, you have a solid option: our Personal Data Cleanup.

Personal Data Cleanup scans data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites. And if you want to save time on manually removing that info, you have options. Our McAfee+ Advanced and Ultimate plans come with full-service Personal Data Cleanup, which sends requests to remove your data automatically.

If the thought of your personal info getting bought and sold in such a public way bothers you, our Personal Data Cleanup can put you back in charge of it.

[i] https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/

The post How Data Brokers Sell Your Identity appeared first on McAfee Blog.

Last week in security news, a researcher found that malicious actors had abused the details of a test credit card just two hours after he posted the information online. The security community also learned of a survey in which three-quarters of respondents said that they had required a password reset after forgetting one of their personal passwords in the previous three months. Finally, researchers tracked several new malware samples along with a now-fixed WhatsApp vulnerability.

Top Story of the Week: The Spread of Exposed Credit Card Data

David Greenwood, a security researcher on the ThreatPipes team, wanted to find out how information posted online spreads throughout the internet and dark web. So he purchased an anonymous, prepaid Visa credit card and posted its full credentials on several paste sites. He then sat back and waited.

It took all of two hours until digital attackers sprang into action. They did so by using bots and scripts to make small purchases using the credit card information from a well-known retailer located in the U.K.

Source: iStock

Also in Security News

• Poison Frog Backdoor Samples Discovered in Aftermath of OilRig Dump: After a group of actors dumped OilRig’s attack tools online, Kaspersky Labs decided to scan its archives for new and old malware samples. In the process, it discovered Poison Frog, a sloppily designed backdoor that masqueraded as the legitimate Cisco AnyConnect application at the time of discovery.
• Most Users Required a Personal Password Reset in the Last Three Months: In a recent study, HYPR found that 78 percent of full-time workers in the U.S. required a password reset sometime in the last three months after forgetting a personal password. The rate was slightly lower for work-related reset requests at just over half (57 percent) of respondents.
• Lazarus-Linked Dacls RAT Makes Waves by Targeting Linux Machines: Back in October, Netlab 360 came across a suspicious ELF file that shared certain characters employed by the Lazarus group. This discovery of the file, nicknamed Dacls, marked the first time that researchers have detected a Lazarus-created threat that’s capable of targeting Linux machines.
• U.S., EU Users Caught in the Crosshairs of Zeppelin Ransomware: Blackberry Cylance spotted threat actors using the newly discovered Zeppelin ransomware to selectively target technology and healthcare organizations in the U.S. and the European Union. Further analysis helped determine Zeppelin to be a member of the VegaLocker ransomware family.
• Dudell Malware Leveraged by Rancor Digital Espionage Group: Palo Alto Networks’ Unit 42 threat research team analyzed the recent attacks of Rancor, a digital espionage group that targeted at least one Cambodian government organization between December 2018 and January 2019. In the process, it discovered a new custom malware family it dubbed Dudell.
• Vulnerability Allowed Threat Actor to Crash WhatsApp on Phones in Shared Group: In August 2019, Check Point Software discovered a bug that enabled a malicious actor to implement a WhatsApp crash-loop on the devices of users in a shared group. The security firm subsequently disclosed this vulnerability to WhatsApp, whose developers issued a fix in update 2.19.246.
• Lateral Movement Used by BuleHero Botnet to Spread Malware Payloads: Researchers at Zscaler observed in their analysis of BuleHero that the botnet used port scanning, Mimikatz, PsExec and WMIC to spread laterally on an affected network. These techniques enabled the threat to distribute both the XMRig miner and Gh0st RAT to a larger number of machines.
• Various Attack Techniques Used by MyKings Botnet to Deliver Forshare: SophosLabs took a deep dive into the workings of the MyKings botnet and found that the threat used various attack techniques against vulnerable Windows servers to deliver Forshare malware. Those tactics included using steganography to conceal a malware payload within an image.

Security Tip of the Week: Focus on Data Protection

Security professionals can help organizations protect their valuable data by using artificial intelligence (AI)-driven tools and automated monitoring solutions to gain intelligent visibility into the network. They can then use that visibility to monitor for suspicious activity that could be indicative of a threat moving laterally across the network.

In support of this monitoring activity, security teams should also consider embracing a zero-trust model for the purpose of setting up micro-perimeters on the cloud and elsewhere.

The post Weekly Security News Roundup: Exposed Credit Card Details Abused Within 2 Hours appeared first on Security Intelligence.