Doxxing – The Weaponisation of Personal Data

Within the last few years, the public has woken up to the value of their personal data. The growth of social media, the continual stream of data breaches, as well as the recent Facebook Cambridge Analytica scandal, has highlighted just how much of our personal data is available online and how it can be misused.

Data has become a valuable commodity, not only for monetary gain but also for its use in harassment and intimidation campaigns. This has become increasingly apparent with the growth of doxxing.

Doxxing is the practice of researching and publishing someone’s personal information, either to embarrass them, expose them to legal prosecution or harass them. It has become a serious online threat to privacy and has destroyed many people’s lives in the process.

The term ‘dox’ first surfaced over a decade ago and referred to the practice of hackers exacting revenge on a rival by collecting their personal and private information. They would then alert authorities to their illegal activities and attempt to have them arrested.

Since then, the practice has gone mainstream and anyone can be doxxed because of the vast quantities of personal information that exist online. It’s easy for hackers to extract information from social media accounts, find out where people live, source their telephone number, email address and pretty much any other information that’s been submitted online.

Although ethically questionable, doxxing is not illegal as it falls within a person’s legal rights to find someone’s publicly available information and repost it online. However, it crosses the boundary into illegality if the information is obtained through hacking. The laws on this could quickly change as the method gains traction as a means to discredit individuals, governments and institutions.

The weaponisation of data

A worrying development has been the weaponisation of data in politically motivated attacks. We’ve seen this as far back as the early 2000’s when the hacktivist group ‘Anonymous’ exposed the detailed information of over 7000 law enforcement officials in retaliation for investigations into hacking attacks.

This marked the start of other high-profile attacks including the 2014 hack of Sony Pictures. Using a phishing malware attack, North Korean hackers broke into the company’s networks and stole a large amount of corporate data which they then published. This included employee salaries, company plans, and unreleased movies. The reputational damage was huge and cost the company $41 million.

This trend has continued, and in recent months, Hong Kong has seen an unprecedented wave of doxxing. Supporters of the Hong Kong government have identified masked protesters at demonstrations, whilst the protesters have in turn shared private information about the police officers and their families online.

There’s no doubt the implications of doxing can be severe. As more nations realise how effective it can be in discrediting their opponents, we can expect to see a lot more of these attacks in the future.

How to avoid doxxing

Doxxing is by no means just restricted to nation-states, politicians and high-profile celebrities. Many individuals are stalked online and have their personal details published out of revenge, jealousy or simply to embarrass them. To avoid being doxxed online, there are a number of preventative measures you can take:

1. Use a Virtual Private Network (VPN) – Every connection that you make on the internet has your IP address on it and can be traced back to a specific location. A VPN is a piece of software that changes your IP address and encrypts all your internet traffic.
2. Don’t use single sign-on buttons –Most apps and websites will ask you to register using a ‘Login with Google’ or ‘Login with Facebook’ button. These login methods will automatically register you with the initial email address set up on your accounts. However, not only is the site collecting your email address, but they are also gaining access to all the information attached to your social media account. This includes where you live, your job title, phone number and any other information you have provided.
3. Keep your WHOIS information private – If you own a website, you will have to register the internet domain with some personal information. This information is then publicly available on a database called WHOIS. This means that anyone can go on to the database and find out your name, company name, country, city, telephone number etc. Fortunately, for a small fee, you can hide some of your personal information from the public search.
4. Increase social network privacy settings – To keep your information as secure as possible from strangers, you should regularly check and adjust your privacy settings on social media. This will restrict what people can and can’t see on your profile. You should also be extremely cautious of accepting a friend request from someone you’re not familiar with.
5. Create multiple email addresses – If you visit lots of different websites, you should consider the use of multiple email addresses to protect your online identity. Some websites may be specifically set up to harvest personal details so by creating multiple accounts you reduce the chance of being hacked.
6. Avoid clicking on links or opening attachments from unknown sources –To maximise their return on investment, hackers have developed a specific type of malware called doxware. Doxware is a type of ransomware that threatens to release personal data to the public if the user does not pay the ransom. The primary delivery method for doxware is through phishing emails so users should remain vigilant and avoid clicking on links or opening attachments from unknown sources.
7. Alternate usernames and passwords – Most people tend to use the same username and password to log into multiple accounts and websites. For the simple reason that it’s convenient and easy to remember. However, if you stray on to a phishing website that has been set up to steal your details, hackers could potentially access every account you have. Your passwords should be strong and complex, ideally, between 8-15 characters long, contain a mix of uppercase and lowercase letters and include numbers or symbols. For extra security, a passphrase can be created which is a password composed of a sentence or combination of words.
8. Exercise your right to be forgotten – Under the GDPR, individuals can request to have their personal data erased. This means you can ask for information, videos, or photos to be deleted from certain internet records so they can’t be found by a search engine.

MetaCompliance specialises in creating the best Cyber Security awareness training available on the market. Get in touch for further information on our extensive range of Cyber Security awareness courses.