Executive Privacy Breaches: Serious Risks for Banks

By Rich Matta

A bank’s brand is built on reputation and trust. In the interest of protecting these priceless assets, most banks are continuously upgrading and hardening virtually every aspect of their information security defenses.

Awash in layers of systems, policies, training sessions, audits and every other security solution imaginable, banks sometimes overlook one of the most basic yet menacing threats lurking right under their noses: the online personal information of their executive team. Increasingly, protecting the bank and its customers necessarily includes guarding the privacy of the bank’s executives, whose personal information is highly exposed online.

It’s no secret that executives are the most common and valuable targets for cyberattacks because they have the highest public profile, the most authority and the broadest access to sensitive information within the bank. Attackers exploit personal information to phish, dupe or impersonate bank executives online or sometimes even to locate them in the physical world.

Criminals do not need to bother scouring the depths of the dark web to dig up this personal information—it’s sitting right on the clear web for all to see. There are well over 100 large people-search sites and data brokers in the U.S. whose entire business model depends on gathering personal information from public records, plastering this information online and selling it for a quick buck or a few monetized ad impressions. With a simple Google search of a person’s name, plus their city of residence or the word “address,” one can easily locate home addresses, email addresses, phone numbers, streets where people grew up, high school mascots, mothers’ maiden names, children’s and relatives’ names, and more.

Online vulnerabilities in the wake of the pandemic

As you probably know, the problem is only growing. According to the Modern Bank Heists 3.0 report, cyber attacks targeting banks have increased 238 percent in recent months. Unfortunately, the generic phishing emails you can easily spot in your spam folder are not the most dangerous problem. The biggest threat comes from highly personalized and believable executive spear-phishing schemes that can fool even the most cautious individual.

A common example of this type of attack is a “fake flight” confirmation email that uses the actual details of an executive’s upcoming trip to trick the target into opening a malicious attachment or link. According to a 2019 FBI Internet Crime Report, business email compromises and social engineering attacks like this cost enterprises $1.7 billion in 2019.

Attacks like these are much more likely to succeed if someone gains access to an executive’s personal details. A common attack might start with finding an executive’s personal email address on a people-search site, phishing their password with a targeted email to their personal inbox and then attempting to use this stolen password to gain access to bank systems.

If you are uncertain how this works, take a look at how hackers spear-phished John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, by targeting his personal Gmail account and then re-using the stolen password to access his entire history of email conversations with other senior officials and politicians. Around the same time, Vice President Mike Pence experienced this same kind of attack on his personal email account.

For a typical executive, privacy services tend to find and remove between 300 and 1,000 instances of personal information across more than 100 people-search and data-broker sites, helping to make covered executives much harder targets. Removing personal information is also important because it helps secure the physical safety of the executive and his or her family, making it much harder for bad actors to target them in person.

An investment too costly to ignore

The rapid rise in state-sponsored cyber attacks is just one reason why investing sufficient time and resources into executives’ privacy is a cost-effective risk-management strategy. In fact, a recent warning from a collection of U.S. government agencies found that a North Korean group stole tens of millions of dollars in 2020 alone in the wake of the COVID-19 pandemic. Though state-sponsored attacks may only account for an estimated 10 percent of cyber attacks, they can be especially difficult and costly for banks to stop.

A 2019 report from Accenture and the Ponemon Institute points out that the cost to address and contain cyber attacks is greater for financial services firms than for companies in any other industry, and the containment costs are only continuing to rise. Additionally, the report found that investments in security intelligence and threat-sharing technologies have an estimated annual return on investment of 22.5 percent.

Smaller banks, which often have fewer resources to defend against sophisticated cyberattacks, are even easier to infiltrate. Earlier this year, the Federal Reserve Bank of New York warned that a cyberattack on a subset of small or midsized banks could have a domino effect on larger banks.

Proactive steps banks can take

One of the best defensive actions is to scrub the internet of the personally identifiable information that cyber criminals can use to mount such attacks. Here are three ways to do so:

1. Google your executives regularly. Find out what the attackers will learn when they search. What information, from addresses and charity causes to other interests, can criminals use to dupe others?

2. Have your executives opt out of people-search sites. This can be an arduous and confusing process, but it’s an important one to take. Data is the most valuable stock that is being traded online every second.

3. Have your executives (and their families) lock down their social media privacy settings. This can help reduce the digital breadcrumbs that attackers use to sniff out the most personal details.

Some people assume that without a long-awaited federal data privacy law, true privacy protection is impossible. This may be true in an academic sense, but it’s simply not true in practice. By protecting your executives and helping them control their own personal data, you can significantly reduce the risk of criminals finding a way into your bank’s systems—a move that will preserve invaluable customer trust and goodwill in the long run.

Rich Matta is a data privacy advocate and chief executive officer of ReputationDefender, a global digital privacy and online reputation management firm.