Doxxing has long been a problem for celebrities, politicians, alleged criminals and those unlucky enough to become figures of online controversy. As employees become targets, what should their employers do to protect them?
A phenomenon stretching back to the 1990s, doxxing involves collating as much personal information about a person as possible and then making it available online. A person’s name, phone number and address are typically released as part of the attack, but other information such as personal photos, financial information, and even Social Security numbers can be included. The results can be devastating, making that person electronically and physically vulnerable.
Doxxing a target is becoming easier as the average person’s digital ‘exhaust’ – the electronic trail they leave behind online – grows, and as the tools to find it become more accessible. It is also becoming a bigger danger for companies, which risk seeing their employees doxxed by those with ideological or financial motives.
The more information that an attacker has on an individual, the more able they are to ‘dox’ the target, posting sensitive personal information about them online. We’re already seeing possible examples of employees being targeted.
Last month LeagueSharp, a firm that automates in-game tasks for players of online game League of Legends, was sued for, among other things, allegedly doxxing an employee of Riot, which develops the game. The doxxing supposedly occurred after Riot tried to negotiate an informal settlement with LeagueSharp to stop its scripting activities, the court filing said.
Employees at Kickstarter-backed firm Coolest Cooler were doxxed and threatened this spring by angry backers when the company ran into financial trouble and asked for more money to deliver its goods.
Although much doxxing information can be found legitimately online, some doxxing attacks occur as a result of hacks where malicious parties pick up all of the data in one place, and can target an organization’s customers or employees. One kid hacked a retail outlet and extracted the personal details of US government workers and soldiers – before handing them over to ISIS. In another attack, hackers published the personal details of 32,000 US government employees from the FBI and the DHS.
Some doxxing is indirect, thanks to organizations like WikiLeaks. When CIA director John Brennan’s email account was taken over by teen hackers, they gave his email archive to WikiLeaks, which published his SF-86 national security questionnaire. This contained his Social Security number and other data, including information about his family. Such is the threat of doxxing to public officials that the FBI has even published an official warning about it.
Cases are starting to emerge dealing with the online trolling of employees. A recent labour ruling called for companies to protect their employees from online harassment, for example. The problem with doxxing is that there’s little companies can do about it, as most of the information about their employees will often come from elsewhere.
Employees who are vulnerable can also make their employers vulnerable by association, so some education can go a long way towards helping both parties. A good personal filter helps a lot when trying to stop the doxxers, meaning that the less you post about yourself, the better. Locking down privacy settings in social media accounts and asking friends to be careful what they post about you are good steps, as is applying to have personal listings removed from PII search sites like Spokeo. Personal digital hygiene includes never using the same password across different sites.
This kind of education can benefit an employee both personally and professionally, and can therefore help to protect employers, too. Companies should also train employees to be on the lookout for the kinds of social engineering attacks that can yield access to customer and employee files. After all, no one wants to be the next headline in a doxxing story.