Cybersecurity

Why is there so much personal information about judges easily accessible online? How is it being weaponized – and what can be done about it?

To pay or not to pay – that is the question regarding ransomware attacks against municipal services. But if some states have their way, victims may no longer have a choice.

Two states – North Carolina and Florida – have passed legislation prohibiting public ransomware payments, and other states are considering similar measures. But it’s too early to tell yet whether such laws have had an impact. In the less than three years since the North Carolina bill passed, attacks have dipped slightly and still number in the hundreds.

QR codes. Some people love them, some people still haven’t figured out how they work. The tech-savvy among us might scoff at those folks, but at least they won’t be victims of the latest way hackers are stealing from us.

People across the US have received packages containing a ring and a few cards, one of which has a QR code on the back. Curious to find out why this unexpected gift arrived, they scanned the code with their phone and gave hackers access to personal information that could be used to access their bank accounts.

The message is finally sinking in.

We’ve been warning for more than a decade about the widespread dissemination of personally identifiable information (PII) about all of us on thousands of websites, available to anyone who asks for it.

For judges and police and others in high-risk, public-facing professions, accessibility to that content is life-threatening. For everyone else, it creates exposure to identity theft scams, annoying robocalls, and phishing attacks that extort money from panicked individuals who are told that a loved one is in danger.

“Thank you, but we already have identity theft protection.”

Our salespeople occasionally hear this response from decision-makers at prestigious national organizations. They believe identity theft protection is the same as online privacy protection, and assume that having one means they don't need the other.

The Crucial Difference

Think of it this way:

Colorado's new privacy legislation went into effect on July 1, joining several other states in enhancing privacy protections. That’s the good news. And now that residents in these states have a right to opt out of having their personal information collected, shared and sold, the next step is to find a way to make that happen, as quickly and efficiently as possible.

Spear-phishing is a dangerous and sophisticated form of cyber-attack, which is different from traditional phishing tactics because it’s highly targeted. Instead of casting a wide net, attackers craft personalized emails aimed at specific individuals within an organization, with the goal to trick employees into clicking on a bad link or download an infected file. Once an employee clicks, the attacker can take the next steps to compromise the company’s entire system.

Any company that tries to sell a product or service will experiment with several different approaches until they find one that is successful. Unfortunately, this same strategy is now being used by scammers to find the best content for a phishing email that will deliver a ransomware payload.

There’s an old saying that you can’t put toothpaste back in the tube. It simply means that some actions, once taken, can't be undone.

Sadly, many individuals believe that is true about their online privacy, and the copious amount of personal information now accessible about them online. Many organizations with hundreds or thousands of employees feel the same way – it’s too late now to turn back time and retroactively remove that content before it can be weaponized.

But that’s not true.

Data breaches and ransomware attacks are a global threat – but a recent report revealed that American organizations are a favorite target.

According to critical infrastructure security company Dragos, 44% of ransomware attacks last year targeted North American organizations. And every year, the number of breaches goes up, as does the number of victims. In January of 2023, T-Mobile announced that an unidentified malicious intruder breached its network and stole data on 37 million customers, including home addresses, phone numbers and dates of birth.