
How do data brokers affect the threat ecosystem?
In today’s interconnected world, data is considered the lifeblood of companies, and data brokers are the main suppliers of customers’ personal information to entities around the world.
A data broker is a company that collects and aggregates customer personal information from a wide range of sources. They group this information meaningfully, such as creating a profile for each user, and sell it to interested entities, such as commercial organizations and even government agencies.
When reading a discussion about data privacy and online security, especially in the cyberworld, most attention is given to giant tech providers, such as Facebook, X and Google, and the amount of personal information they collect and store about their users. However, people pay little attention to companies whose sole job is collecting and selling individuals’ personal information. These types of companies are known as data brokers.
How are data brokers getting your personal information?
Data brokers collect their data from a variety of sources, both online and offline, such as:
- Browsing history: Anything we do online is recorded in some way. Data brokers collect online users’ information when using social media platforms, conducting online searches using their preferred search engines, checking their email, or making online purchases—such as purchasing goods from Amazon. There are different mechanisms to track online users across the web. The most prominent ones are digital fingerprinting, web cookies and entity tags. For instance, data brokers can track when you search for specific products and later target you with similar advertisements across different websites.
- Public records: Public sources such as vital records, property records, criminal records, court and voter registration databases, and vehicle records. For example, property tax records reveal your home value, location, and, potentially, your financial status.
- Commercial sources: Such as people’s purchase history. For example, when you buy a product from Amazon, information such as your payment method (credit card, PayPal or gift card), the product name and specification, and your purchase history can together create a detailed profile of your interests and habits. Loyalty programs from retailers such as grocery stores and pharmacies are particularly valuable sources, revealing purchasing patterns and health-related information.
- User consent: Many programs downloaded from the internet, such as productivity tools, present a consent agreement that users must accept before installing the program on their PC or smartphone. Such agreements commonly include consent to use the user’s data and to hand it to third parties. This creates a legally protected mechanism for harvesting and distributing personal information while maintaining technical compliance with privacy regulations such as GDPR.
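The “Browsing history” item above names entity tags (ETags) as one of the mechanisms used to track users across visits. The following is an added example, not code from the original post or from Barracuda, that models why this works and how a defender can spot it: an ETag is meant to be a version stamp for cached content, but a server that hands each new client a random tag gets that tag echoed back in `If-None-Match` on every later visit, so the identifier survives clearing cookies and only disappears when the browser cache is cleared. All class and function names (`HonestServer`, `TrackingServer`, `Browser`, `visit_sequence`, `looks_like_etag_tracker`) and the `/pixel.gif` URL are constructed for this illustration and are not a real library API.

```python
import hashlib
import secrets


class HonestServer:
    """Legitimate cache validation: the ETag is derived from the content,
    so every client fetching the same resource receives the same tag."""

    def __init__(self, body: bytes):
        self.body = body
        self.etag = '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

    def handle(self, request_headers: dict) -> tuple:
        # (status, response headers, body); 304 means "your cached copy is current"
        if request_headers.get("If-None-Match") == self.etag:
            return 304, {"ETag": self.etag}, b""
        return 200, {"ETag": self.etag}, self.body


class TrackingServer:
    """Abuse of the same mechanism (constructed): the ETag is a random
    per-client token. A browser revalidating its cached copy echoes the
    token back in If-None-Match, so the server re-identifies the client
    without any cookie."""

    def __init__(self, body: bytes):
        self.body = body
        self.visits = {}  # token -> number of requests seen with that token

    def handle(self, request_headers: dict) -> tuple:
        token = request_headers.get("If-None-Match")
        if token in self.visits:          # returning client recognised
            self.visits[token] += 1
            return 304, {"ETag": token}, b""
        token = '"' + secrets.token_hex(8) + '"'   # brand-new identifier
        self.visits[token] = 1
        return 200, {"ETag": token, "Cache-Control": "max-age=31536000"}, self.body


class Browser:
    """Minimal client with a cookie jar and an HTTP cache kept separately,
    mirroring the fact that real browsers clear them independently."""

    def __init__(self):
        self.cookies = {}
        self.cache = {}  # url -> ETag of the cached copy

    def fetch(self, url: str, server) -> dict:
        headers = {"If-None-Match": self.cache[url]} if url in self.cache else {}
        _status, resp, _body = server.handle(headers)
        if "ETag" in resp:
            self.cache[url] = resp["ETag"]
        return resp

    def clear_cookies(self):
        self.cookies.clear()

    def clear_cache(self):
        self.cache.clear()


def visit_sequence(server, browser: Browser, url: str) -> list:
    """Three visits: cold, after clearing cookies, after clearing the cache.
    Returns the ETag the server answered with on each visit; identical tags
    on consecutive visits mean the server could link them."""
    tags = [browser.fetch(url, server)["ETag"]]
    browser.clear_cookies()
    tags.append(browser.fetch(url, server)["ETag"])   # cookies gone, cache kept
    browser.clear_cache()
    tags.append(browser.fetch(url, server)["ETag"])   # cache gone too
    return tags


def looks_like_etag_tracker(server, url: str = "/pixel.gif") -> bool:
    """Defensive check: two fresh clients fetching the same unchanged resource
    should get the same ETag. Different tags for identical content mean the
    tag carries per-client state rather than a content version."""
    first = Browser().fetch(url, server)["ETag"]
    second = Browser().fetch(url, server)["ETag"]
    return first != second


if __name__ == "__main__":
    pixel = b"GIF89a"  # constructed tracking-pixel body
    for name, srv in (("honest", HonestServer(pixel)), ("tracker", TrackingServer(pixel))):
        print(name, visit_sequence(srv, Browser(), "/pixel.gif"),
              "tracker-like:", looks_like_etag_tracker(srv))
```

Running the block shows the tracking server returning the same tag after cookies are cleared and a new one only after the cache is cleared, while the honest server’s tag never changes; the two-fresh-client comparison in `looks_like_etag_tracker` is the same test a privacy audit can run against a real endpoint with two clean HTTP sessions.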
Who is buying information about you?
Data brokers sell their data to a wide range of customers, such as:
- Marketing and advertising companies—This allows them to target internet users with customized ads based on browsing habits, interests and demographics. For example, car manufacturers might purchase data about consumers who have recently searched for vehicle information or visited automotive websites.
- Financial institutions and insurance companies—This group purchases customers’ data for various reasons, such as determining customers’ eligibility for loans, assessing risk, and detecting fraud. Insurance companies may examine lifestyle data to adjust premiums or assess claim validity without directly surveying customers.
- People search websites—These websites collect personal information about users and create a complete profile for each one, including their mailing address, email and phone number. They sell their services for a fee, which in turn could be used by other parties for varying purposes, from background checks to identity verification.
- Government agencies—This group purchases customers’ data for different reasons, such as bypassing local data privacy laws and countering criminal and terrorist activities. For instance, law enforcement agencies might acquire location data without obtaining warrants by purchasing it from commercial brokers.
- Cybercriminals—This group purchases personal data to execute targeted social engineering attacks such as spear phishing and smishing attacks. With detailed profiles, attackers can craft compelling messages that reference specific personal details. This dramatically increases success rates compared to generic campaigns.
What role do data brokers play in the threat ecosystem?
Data brokers act as significant enablers within the modern cyberthreat ecosystem: by collecting and distributing vast amounts of personal and organizational data, they create, amplify, and facilitate various security risks. Data brokers’ operations intersect with cybersecurity threats in many sophisticated ways:
Risk of hackers
Data brokers collect a vast amount of sensitive information about people. For instance, a typical data broker personal record may contain the following information and more about each person:
- Full name
- Mailing address
- Phone number
- Work location
- Marital status
- Number of children
- Education history
A single record in a data broker database will not only contain such information, but it will also contain thousands of attributes linked to each user, such as purchase history, online activities and other aliases they use online. Centralizing all this information in one place makes data brokers’ systems a lucrative target for threat actors such as hackers and nation-state-backed cybercriminals.
Facilitate reconnaissance
Threat actors such as hackers and advanced persistent threat (APT) groups use data brokers’ services to collect information about their potential targets. For example, hackers may use information gained from data brokers about a specific person to craft persuasive phishing emails. In this space, data brokers work as prime facilitators for crimes that require personal information. During the SolarWinds attack, threat actors used information from data brokers to identify key personnel within target organizations for spear phishing attacks.
Enrich data breach activities
When a data breach occurs, hackers can use data broker databases to enrich stolen data with more information. For example, a breached Zoom account whose username is an email address can be linked to the other information in the target user’s data broker record to create a full profile of the user. Such profiles can later be sold at a high price to interested parties. Cybercriminals frequently combine partial datasets from multiple breaches with data broker information to create comprehensive profiles, which command premium prices on Tor dark web marketplaces.
Data brokers collect and sell vast amounts of personal information from various sources, including browsing history, public records, commercial databases and user consent agreements. Their customers include marketers, financial institutions, people search websites, government agencies and cybercriminals. These brokers present significant security risks by centralizing sensitive data in one location, facilitating reconnaissance for attackers, and enriching stolen information from data breaches. Their operations intersect with cybersecurity threats in multiple sophisticated ways.
Barracuda can help
Approximately 20% of organizations experience at least one attempted or successful account takeover (ATO) incident each month. These attacks often exploit personal data stolen through phishing or other data breaches. Barracuda Email Protection provides everything you need to protect against all email threat types, eliminating the need for separate email and data protection solutions.