'Doxxing' Incidents Highlight Risk of Disclosing Personal Info
Against the backdrop of finger-pointing between the U.S. and China on the cybersecurity front, there's a new security scandal of Hollywood proportions going on. More than a dozen celebrities and officials have witnessed their personal information leaked onto the Internet.
The list of victims reads like a Who's Who and includes Secretary of State Hillary Clinton, Beyonce, First Lady Michelle Obama, Jay-Z, Kim Kardashian, Britney Spears, Ashton Kutcher, U.S. Attorney General Eric Holder, Los Angeles Police Chief Charlie Beck and Paris Hilton. The personal information -- everything from Social Security numbers to dates of birth to phone numbers -- was posted on a Web site called Exposed.su.
Both the LAPD and the FBI are investigating.
"LAPD detectives are investigating the recent disclosure of Chief Beck's personal information. Apparently this is not necessarily a hacking incident. It is called 'doxxing.' This has happened to the chief on two other occasions prior to this in a similar nature, post-Occupy L.A.," the LAPD said in a statement. "We are not at liberty to discuss the others mentioned in the Web post. There will be no further comments or press conferences on this matter."
With doxxing, an individual's persona is tracked online, and through deduction and various information services, meant to be private is exposed and publicized. This differs from hacking, in which a computer or computers are broken into and information is stolen.
The New Doxxing
Brian Contos, worldwide vice president of field engineering at Solera Networks, said doxxing has moved attacks from targeting nameless, faceless organizations and governments to individuals.
"We've seen examples of this type of incident in Latin America, where hacktivists targeted specific individuals at organizations like police forces and published their names, photos, address, phone numbers, and other personal information," he told us. "With vast amounts of personal information available about most people online -- much of which is shared voluntarily via social networking sites -- nefarious individuals are finding doxxing to be easier than ever."
Wanted: Personal Details
The use and impact of this information isn't just limited to users' personal accounts, Contos said. Attackers increasingly look to obtain personal details about unsuspecting employees to inform advanced targeted attacks that can lead to massive data breaches at companies.
"Exacerbating the situation, many organizations are unaware they've been compromised until it's too late," Contos said. "On average, it's taking companies nearly three months to discover a malicious breach and more than four months to resolve one, according to recent research."
Furthermore, many organizations report they don't have the tools, personnel or funding to pinpoint the root cause of breaches. Contos' conclusion: These high-profile attacks underscore the importance of being careful about the information individuals share in public forums, as well as the need for businesses to have a comprehensive security strategy in place so they can respond swiftly when a breach occurs and minimize its impact.