How can “harmless” exposed data be used in a cyber attack?

You just found out your email address was part of a data breach. So what? It's already on your website, your business card, and your LinkedIn profile. Can a hacker really use data that is easily found against you in an attack?

The short answer is "Yes". Data can be compiled to learn more about an organization and its key staff. Hackers may start with a name and email address and then determine that you are a C-level executive or a member of the internal IT staff. They find out about your interests when your email address shows up in other data breaches for your favorite sports team or travel website, or even on your Facebook page.

With this intelligence added to the initial data, they can craft convincing email phishing campaigns against your business. Maybe they know that you, as the CEO, booked a trip to Florida and are staying at a Marriott. They send your CFO a spoofed email requesting payment of an invoice linked in the message and trick them into sending funds. Or they have the email address of your IT Director and can crack the password to log in to your network, obtaining administrative credentials to your systems. They may have enough data to open a new credit account and charge thousands of dollars before it gets discovered.

The more they know about a target, the more convincing email, telephone, or in-person phishing will be. They only need to trick one person into allowing them to connect to your network or letting them into a server room to download malicious software or steal data.

This use of data to gain trust is called pretexting. By first establishing trust in a small interaction, they can build that trust to a higher level and get the unsuspecting target to assist them in the attack.

All exposed data increases your attack surface. Take care to protect yours, and even more so the data that you collect from others.

Tracy Fox
