Get interested in your data before someone else does
09 August 2019
Offshore Leaks, in which hundreds of thousands of pieces of data from offshore accounts were released, sparked a global trend toward increased transparency over how we do business and with whom in an effort to counter money laundering, corruption and terrorism.
The manifestation of this has been new legislation aimed at increasing regulation and reporting standards, for example the register of ultimate beneficial owners (‘UBO’). The dilemma this creates for previously low-profile ultra high-net-worth individuals (UHNWIs) and their families is that their names and personal information are now thrust into the spotlight. This publicity may mean increased public scrutiny of their private lives or intrusion from the press; at worst, it increases the risk of being the target of extortion, blackmail, cyber attack or social engineering.
So, how might these registers and the personal information included in them be of use to hostile third parties? The 4th and 5th Anti-Money Laundering Directives from the European Union (EU) are designed to strengthen the EU’s defences against money laundering and terrorist financing. A specific requirement is that EU member states set up registers of the UBOs of legal entities. Application of this legislation is at the discretion of national governments, which has led to some inconsistencies across Europe as to what information is available and to whom. At least the following information must be included in the UBO register: name, month of birth, nationality, country of residence, and nature and size of the interest held by the beneficial owners, although, as stated, some countries require additional information to be reported. The Directive also states that this information should be available to the relevant authorities, financial intelligence units and any person or organisation who can demonstrate a ‘legitimate interest’. With regard to the latter, it remains to be seen how strictly each member state will define this. In some European states everyone has access to all official registers but the detail available, including shareholders, is restricted, while in others access is limited to those with a ‘legitimate interest’, which may include journalists.
The immediate concern is that inclusion on these registers, possibly highlighted by media interest, may put a UHNW individual and their family in the cross hairs of criminal gangs. How, though, can this relatively limited personal information be of use? The reality is that in this age of connectivity and big data it need only take one small nugget of personal information to begin ‘mining’ public sources for further information. The most obvious of these sources is social media, in which just a relatively distinct name can give you access to reams of personal data across various platforms. We are all very adept at sharing photographs, biographical data, names of family members and even geotagging our favourite locations, including homes and holiday destinations. We often do all this without even a thought for our privacy settings, and as a consequence it is all free for any user to view. Even if you do not have a social media profile, it doesn’t mean that relatives are not sharing information about you among their followers. This suddenly becomes a relative treasure trove of information for a hostile third party intent on targeting you, whether physically by kidnap or via social engineering. Social media, while often the most abundant source, is not always the most lucrative in terms of sensitive data. In the UK, for example, publicly accessible portals allow access to planning applications. These can often include the names of the residents of the property and detailed building plans, including floor plans and security features. Individuals unwittingly share this because it is required, very often without consideration for how it is stored.
The worrying thing is that it doesn’t take high-level security clearance to find and access all this information, but simply the time and compulsion to do so. The use of open source intelligence (OSINT) can return a huge amount of personal data to a skilled user accessing the right sources. People are very often unaware of their own digital footprint, or of the potential privacy and reputation risks associated with it, until it’s too late. While much of the information may appear benign in isolation, once assembled it could be of great interest to a third party looking to formulate a hostile campaign. Jersey, Guernsey and the Isle of Man have recently committed to meet EU transparency standards, and those in favour of the new legislation argue that if companies have not done anything wrong, or have nothing to hide, they shouldn’t be worried about the scrutiny of public registers. The concern, though, revolves around what information is available, who should be given access to the register, and for what purpose. An exemption from access to the register may be allowed in exceptional cases, such as the exposure of the beneficial owner to a risk of fraud, kidnapping, blackmail, violence or intimidation. The concern, though, is being able to evidence this risk.
So what can UHNW individuals do? Our advice is to get interested in your data before someone else does and be cautious of what you share publicly. By pre-emptively ascertaining what is already available about you in the public domain you can better mitigate the threat of your data being used against you. The solutions are often straightforward, such as enabling the highest security settings on your social media profiles, but will allow you to handle any concerns in the appropriate manner.
This article by Matthew Newton was originally published in Schillings’ June edition of Critical Risk Brief.