According to a leading security adviser at People Security, the proliferation of social networking sites and the careless use of their platforms by unsuspecting consumers is putting personal data at risk. During a speech at the European RSA Conference, Hugh Thompson outlined three techniques by which publicly available data harvested online could be used against the average consumer.
The first two techniques both involve the conversion of public data into private data; primarily by direct means and also through cumulative data strategies. This involves extrapolating private data from existing public data through combining various pieces of personal information. This can be used to find out credit card numbers, amongst other things.
The last of the trio of techniques is frequently used by the media in building stories from limited information. By collating data from various sources it can be possible to analyse and construct a larger picture. Thomson used the example of multiple executives from the same company seeking recommendations simultaneously. This would suggest that they were jumping ship to avoid disaster at a particular firm, rather than simply looking for a career change. This shows how publicly available data can be used to form a picture of a private individual’s situation if publicised carelessly.
Thompson identified one final weakness relating to online password systems operated by many sites. The ability to reset the password of an account with minimal information, often only the email address of the user, by using the ‘forgotten password’ function, is ripe for exploitation. Former Republican vice-presidential nominee Sarah Palin was subjected to an attack of precisely this nature during last year’s campaign.
Thompson did not offer solutions to all of the issues he raised. Rather, his intention was to raise awareness of the wider issue of personal data protection. One suggestion that anyone can follow in assessing their own vulnerability is to spend some time Googling their own name. Thompson believes that many will be dismayed as to the level of information that can be identified in this way, much of which could prove useful to a potential identity thief.
