In addition to our personal and private information being stolen by foreign cyber threat actors, these same criminals can now quickly obtain sensitive information on US military members from data brokers, according to a new Duke University study whose results were recently published.

See:  https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf

Data brokers collect and aggregate information and then sell it, license it or share it directly or through services that leverage the data.  Data brokers include credit reporting agencies like Equifax and Experian, marketing companies such as Acxiom, and data analytics and risk assessment firms like Verisk.  Mobile applications that collect and sell their users’ information to third parties, often without the users’ knowledge or consent, are another major player in this space.

Data brokers collect and sell a wide range of information, including name, demographic data, political preferences, lifestyle details, home and email address, GPS location, financial situation, and health information.  Threat actors can use this information for scams, blackmail, profiling, reputational damage, and stalking.  In the case of military members, the exposure of this data could pose a risk to national security.

While some data brokers take steps to ensure that this type of data does not fall into the wrong hands, the study conducted by Duke University researchers found that, in many cases, it’s easy and inexpensive to acquire the information of military service members and veterans, with some brokers specifically advertising such data.  The Duke researchers contacted a dozen brokers in the US to purchase information on military service members and veterans.  They found that the methods used by brokers to verify the identity of customers are inconsistent and noted that these practices are highly unregulated by the US government.

While some brokers refused to sell the data to an unverified organization, others seemed more interested in ensuring confidentiality around purchasing the data, not the confidentiality of the actual data.  The researchers acquired sensitive information for as little as $0.12 per record when buying thousands of records, and the price can go as low as $0.01 per individual for larger purchases.

The researchers attempted to buy data using a US domain and a .asia domain name that had been linked to a Singaporean IP address.  Even when the .asia domain was used, several brokers agreed to provide thousands of records, including data geo-fenced to strategic locations such as Washington DC, Fort Bragg in North Carolina, and Fort AP Hill and Quantico in Virginia.  “Foreign governments have historically sought data about American persons and organizations for espionage, election interference, and other purposes.  Their interest in the U.S. military in particular is high, and they could obtain such data through the data brokerage ecosystem, either by purchasing it legally or by hacking into the databases of brokers or their customers,” the researchers wrote in their report.

The researchers recommended that lawmakers pass a comprehensive privacy law with strong controls on the data brokerage ecosystem. Congress was advised to provide more funding to regulatory agencies that can enforce new policies.  In addition, the Department of Defense should conduct an internal contractual data flow assessment, which may help restrict the exposure of sensitive military information to data brokers.

 

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:


REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632
