Doxxing or doxing comes from the word ‘documents’ or ‘dropping docs’. It’s been around for decades but the term has been popularised by the hacktivist group Anonymous.
How does it work?
Doxxers collect small pieces of personal information about an individual or an organisation, such as a real name, address, job, account numbers, photographs etc, from across the internet and then expose it publicly, usually online.
Commonly, doxxing is used for harassment, threats, revenge, online shaming and extortion, and as a vigilante aid to law enforcement, such as identifying those who anonymously post bigoted, offensive or racist comments online. Conversely, law enforcement agencies also use doxxing. Countries such as India and Tunisia use the method to identify human rights activists, harass minorities and discredit demonstrations demanding economic and social reform.
Doxxers gather information through a range of methods: tracing an IP address, mining social media profiles, buying data from data brokers, phishing, and sniffing or intercepting internet traffic. The resulting attacks range from fake email sign-ups and unwanted food deliveries to harassment of the person’s family or employer, swatting, identity theft, threats, cyberbullying and ‘in person’ harassment. Additionally, a doxxer may buy and sell the information they have gathered on the dark web.
Doxxing using the UK GDPR (General Data Protection Regulation)
Data protection rights are another way hackers, harassers and malicious social engineers can dox others. Personal data collected online can be used to exercise data protection rights fraudulently: information gathered through doxxing may be used to make subject access requests in someone else’s name, in order to obtain further private and possibly sensitive information about that individual.
Not only should you do all you can to keep your information safe, but the companies entrusted with your personal data should do so too. Companies processing your personal data are legally obliged to ensure they do so in accordance with the UK GDPR. This includes having robust verification policies and procedures in place. Disclosing personal data to someone who is not entitled to it is a personal data breach. Personal data breaches are commonly made public and widely reported in the media. Such media attention often results in a loss of trust and confidence, and in damage to the organisation that is difficult to quantify.
Is Doxxing legal?
As with all things data protection, it depends. Depending on the circumstances, doxxing may constitute a criminal offence. It could amount to offences under harassment, stalking, malicious communications, computer misuse, assault and data protection law.
An organisation targeted by doxxing that does not use robust verification methods risks a personal data breach, which attracts the highest fines from regulators.
How to protect yourself
- Consider – Think about what you put online. Do you need to put it online? Will it come back to bite you? We’ve all felt the acute cringe feeling when social media memories pop up from ten years ago.
- Passwords – Make sure your passwords are strong and secure: change them regularly and make each one unique, at least ten characters long, and a combination of upper and lower case letters, numbers and symbols.
- Log in – don’t be tempted by the convenience of logging in to a website through Facebook or Google. By doing this, you are allowing the site access to the data in those accounts.
- Privacy settings – this goes without saying; check all app permissions when online and think about what is public.
- Emails – have a separate email account for shopping sites, forums and other websites.
- Telephone numbers – keep your telephone numbers private by not putting them online unless providing one is mandatory.
- Exercise your right to be forgotten – in some circumstances, you can make a request to an organisation to delete the information they hold on you.
How to protect your organisation
- Know your personal data – make sure to keep your Record of Processing Activities up to date so you know what data you’re collecting, where it’s stored, for how long and with whom it’s shared.
- Policies and Procedures – make sure to have robust and effective verification procedures for individuals exercising their rights.
- Awareness and training – make sure everyone in the organisation knows how to recognise a rights request and what to do with one.
- Contracts – Ensure all contracts with third parties processing personal data on your behalf meet the legal requirements.
Oh, and don’t forget to regularly check your privacy settings!