Srsly Risky Biz: Data brokers are a killer's best friend - Risky Bulletin

Summary6 min read

Risky Bulletin: Episode Summary
“Srsly Risky Biz: Data brokers are a killer's best friend”
Release Date: June 19, 2025
Host: Patrick Gray
Guest: Tom Uren, Policy and Intelligence Editor at Risky.biz

Introduction

In this episode of Risky Bulletin, host Patrick Gray engages in a compelling discussion with Tom Uren, Policy and Intelligence Editor at Risky.biz. The conversation delves into the alarming role of data brokers in facilitating political violence and the recent cyberattacks conducted by the group Predatory Sparrow against Iranian financial institutions. The episode provides in-depth analysis, expert insights, and thought-provoking perspectives on cybersecurity, privacy, and geopolitical tensions.

Data Brokers and Political Violence

Incident Overview:

The episode begins with an examination of a tragic incident where an individual murdered a state representative, Melissa Hawtman, and her husband Mark, while also attempting to kill another couple in Minnesota. The assailant obtained personal addresses from commercial data brokers, highlighting a significant cybersecurity and privacy concern.

Key Points:

Ease of Access to Personal Data: Tom Uren emphasizes the simplicity with which malicious actors can access sensitive information, stating, “It's tremendously easy. It's quite frightening the amount of data that's available” (03:32).
Sources of Data Brokers: Data brokers compile extensive profiles using public records such as voting registries, property filings, marriage certificates, and more. Uren notes, “They contain names, addresses, family information, information about finances” (03:45).
Impact on Public Figures: Politicians often publicize their home addresses to appear accessible to constituents, inadvertently increasing their vulnerability. Uren remarks, “They had deliberately chosen to publicize their home address. It feels like a choice they deliberately made based on the risk-reward” (07:55).
Privacy vs. Transparency: Patrick Gray highlights the contrast between the accessibility of voter data in the United States and Australia, suggesting that the ease of purchasing compiled data online exacerbates security risks: “It almost seems like it's that good customer experience that might be making this sort of violence more likely” (09:17).

Quotes:

Tom Uren: “The seed information, you need to be able to really dive in deep. Now in the case of the judge, the assailant murdered her son and also seriously wounded her husband” (03:50).
Patrick Gray: “This seems like a bad recipe” (04:50).

Discussion:

The conversation underscores the perilous intersection of accessible data and rising political tensions. The availability of personal information online not only facilitates stalking and harassment but also enables premeditated violent actions against public figures. The hosts debate the balance between necessary public transparency and the imperative to protect individual privacy, especially in a volatile political climate.

Cyberattacks by Predatory Sparrow

Overview of Attacks:

The discussion transitions to recent cyberattacks by Predatory Sparrow, a group believed to be affiliated with the Israeli government. Their targets include SEPA Bank in Iran and an Iranian cryptocurrency exchange, aiming to disrupt financial activities and enforce sanctions.

Key Points:

Nature of the Attacks: Predatory Sparrow conducted a wiper attack on SEPA Bank, potentially deleting critical data and crippling the bank's operations. They also targeted a cryptocurrency exchange, resulting in the destruction of approximately $90 million in digital assets (15:26).
Justifications and Messaging: The group justifies its actions by linking them to Iran’s sanctions violations and support for malign activities. Uren points out, “They are trying to both really push the boundaries while at the same time push the boundaries of what we would consider acceptable while at the same time justifying it” (21:26).
Impact and Collateral Damage: While targeting specific financial entities, these attacks risk broader economic destabilization. The potential permanent loss of a major bank could lead to a financial crisis in Iran, raising ethical and strategic concerns about the collateral damage inflicted (18:14).
Strategic Objectives: Predatory Sparrow aims to send dual messages: discouraging Iran by demonstrating capability and resolve, and justifying their actions through alleged associations with terrorism and sanctions evasion (16:49).

Quotes:

Patrick Gray: “If this bank is able to recover, like the cryptocurrency exchange. Yeah, fair enough. If there's a cryptocurrency exchange involved in this sort of activity, you've burned 90 million bucks” (19:10).
Tom Uren: “I'm extremely uncomfortable with destroying a whole bank permanently because there's just so much collateral damage” (18:14).

Discussion:

The hosts critically assess the implications of cyberattacks on national financial infrastructures. While intended to enforce geopolitical stances and sanctions, such actions carry significant risks of unintended economic fallout. The ethical dilemma revolves around balancing strategic objectives with the potential for widespread harm to ordinary citizens and the national economy.

Analysis and Insights

Privacy Legislation and Protection:

Tom Uren discusses existing legislative measures that protect certain professions, such as federal judges and law enforcement officers, from having their personal data sold by brokers. However, he emphasizes the need for broader protections to safeguard all individuals from similar threats (14:04).

Comparative Perspectives:

Patrick Gray contrasts regulatory environments, noting that countries like Australia swiftly regulate data sales to protect citizens, whereas the United States lags, making comprehensive reforms challenging amid diverse political interests (13:28).

Future Implications:

The episode concludes with a contemplation of future developments. The ongoing cyber conflict and evolving data privacy issues suggest a need for proactive measures to mitigate risks associated with data accessibility and cyber warfare. The hosts advocate for a reevaluation of public data dissemination practices to enhance security without compromising necessary transparency.

Quotes:

Tom Uren: “They just are taking public records and we're just compiling them in a nice format” (09:17).
Patrick Gray: “It’s a good move, but I think it needs to be broader than that” (14:04).

Conclusion

This episode of Risky Bulletin illuminates the critical vulnerabilities arising from the intersection of accessible personal data and escalating geopolitical cyberattacks. Through insightful dialogue, Patrick Gray and Tom Uren highlight the urgent need for robust data privacy protections and thoughtful cybersecurity strategies to prevent misuse of information and mitigate the risks of large-scale cyber conflicts. The discussion serves as a poignant reminder of the evolving challenges in safeguarding personal and national security in an increasingly digital world.

Notable Quotes

Tom Uren:
“It's just that the more common cases you don't, you don't hear about because they're not so high profile or there's not the same explicit trail of evidence.” (07:00)
Patrick Gray:
“It almost seems like it's that good customer experience that might be making this sort of violence more likely.” (09:17)
Tom Uren:
“I'm extremely uncomfortable with destroying a whole bank permanently because there's just so much collateral damage.” (18:14)
Patrick Gray:
“If there were some websites selling this information on Australians and a crime like this happened, I mean, that website would disappear pretty bloody quickly.” (13:28)

Timestamp Reference Key

Note: The timestamps correspond to the minutes and seconds in the transcript where the quotes occur.

This comprehensive summary provides an in-depth overview of the podcast episode, capturing all critical discussions, insights, and conclusions. By highlighting the role of data brokers in enabling political violence and analyzing the ramifications of sophisticated cyberattacks, the episode underscores the pressing need for enhanced cybersecurity measures and data privacy protections.

Loading summary

Transcript35 lines

[00:00]
Tom Uren
Foreign.
[00:05]
Patrick Gray
And welcome to Seriously Risky Business, the podcast we do here at Risky Biz, which is all about cyber policy and intelligence and big picture stuff. My name's Patrick Gray. Before we get going, I'd like to thank the William and Flora Hewlett foundation for supporting this work. And also Lawfare, Lawfare Media, who syndicate Tom Uren's column, which we're about to discuss with Tom himself, to the Lawfare Media website. We also have a corporate sponsor this week which is island and island make an enterprise browser which is useful for doing all sorts of things like, you know, secure remote access. It's got DLP features. It just does all of the sort of stuff that you would expect from a, you know, properly constructed enterprise browser. So, yeah, if you search for island browser, you will find them. Joining me now is Tom Uren, who is our policy and intelligence editor. G' day, Tom.
[01:01]
Tom Uren
Good day, Patrick. How are you?
[01:02]
Patrick Gray
Good, good. So we have just finished. Well, you and our wonderful editor, Amberly Jack, have just finished putting together your newsletter for the week in which you've written about a couple of things. Let's start with the first story here, which is, you know, you've taken a look at the issue of data brokers in light of these political assassinations in the United States. It turns out that this guy who went and killed a state representative, a Democratic state representative and her husband, and also shot another couple, although they survived, it turns out he was getting these addresses from commercial data sources, which is, you know, a little bit alarming.
[01:43]
Tom Uren
Yeah, it's. The story is that he managed to actually kill one couple, a politician and his wife. He shot another two who survived despite, I think, like, being shot eight or nine times each. He also went to two other addresses on that same night, and one, the person wasn't home, and the other he was actually interrupted by police and he drove away. So he had, the FBI says that they found multiple notebooks in his vehicle that he was using. And he had a list of 45 politicians. Many of them had their home addresses. And he also had a list of people search websites, something like 11 different ones, and he'd starred one of them, and he was getting addresses, figuring out where these people would be, had details about their houses. And now it's a very straight line, obviously, between developing some sort of mental illness and that acting as a massive enabler of being able to do pretty severe harm. Now, it's always possible to go, especially for a public figure who works at a known location, like a politician, to go to the legislative assembly or the Capitol building or whatever and like physically stalk them. But that gives law enforcement and authorities a chance to identify them. And it makes it much harder to come up with a list of 20, 30 people and I guess pretty systematically try and step through that list. So it's remarkable and lucky in a way that this wasn't. I mean, it was a small murder spree, but not a huge murder spree.
[03:32]
Patrick Gray
Well, only because they got him in time. I will just pick you up on one thing, though. You said that the murdered politician and his wife. It was actually the wife who was the politician. It was Melissa Hawtman and her husband, Mark. I'd also say too that I think we should be careful not to tie a very well calculated attempted murder spree targeting people of a particular political stripe to mental illness. I don't know that we can say that some people are just very committed to their politics and choose rationally in their minds to go and do something like this. That does not mean they're mentally ill. They might just be awful. But I mean, look, the issue here is that we've got this odd situation where the political climate in the United States. States is such that people are motivated to commit acts of violence based on politics. I mean, we saw this with the Nancy Pelosi stuff a couple of years back. We're seeing it with this. We've seen judges targeted and whatnot. And it feels like the temperature is just rising. And concurrently with that, we have a situation where it's possible to buy the personal details of most people in the United States on a website. This seems like a bad recipe.
[04:50]
Tom Uren
Yeah, so it's tremendously easy. It's quite frightening the amount of data that's available. So there's a piece I reference in lawfare by Justin Sherman, who's reported and written about data brokers for a long time. And it talks about the different sources that they use to create essentially like profiles of people. So voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and much more. So they contain names, addresses, family information, information about finances. And so for someone who's committed to doing harm, the address is basically the starting point because then you can find where they live, you can follow them, you can stalk them, and that makes it just so much easier to get a foothold into a person. And there's a couple of examples where, for example, a judge's son was shot. And again, it seems that the buying the address online allowed him to map out the neighborhood, find her routes to and from work. But it's the, I guess it's the seed, the seed information, you need to be able to really dive in deep. Now in the case of the judge, the assailant in that case murdered her son and also seriously wounded her husband. And that eventually led to legislation that protects federal judges so they can opt out of having data brokers sell their information. And there have been a number of state laws that have given the same rights to police officers. But this actually like, affects everyone. So there's also stories of just people who've been stalked and harassed. Their information's bought online and you know, in the worst cases they've been killed. And so this is a problem that potentially affects everyone. And it's just that the more common cases you don't, you don't hear about because they're not so high profile or there's not the same explicit trail of evidence. So in this case in Minnesota, with the person who attempted multiple murders in the same night, you know, the notebooks with the people search websites, that's the explicit trail. But it seems like it's, it's like the default way you start to stalk someone is by starting online. I mean, that's the time we live in and that this information is so easily available. Like, I can't see a reason for most people why you would want that. So for some politicians, they, and in fact for some of the people who were attacked the other night, they had deliberately chosen to publicize their home address. And part of that was because it reassures the electorate that we were actually part of the community, that if you wanted to contact us, that you could. But that feels like a choice they deliberately made where they were deciding based on the risk reward, they got something out of it.
[08:16]
Patrick Gray
Whereas for ordinary people, it's, it's not so much like that. I mean, I mean, just one, one thought that's occurred to me here is the online aspect of this is what makes it very, very easy to get this information. But like, I'll give you an example here in Australia, and I imagine in most places in the United States, like voter databases, voting rolls are public. And this is very important for the transparency of elections, to make sure that the people who are on the voter rolls are actually real people and whatnot. So anyone can sort of go along to a building, you know, a government building, and like flip through these voter rolls. So this data, people, you know, who might know roughly where I live could go and look up my address in a vot. I Guess what is different, though, is that requires just that little bit of extra effort. Right. So when it's this easy, where it's like, plonk down your credit card, here's a list of my targets. Bang, bang, bang. It almost seems like it's that good customer experience that might be making this sort of violence more likely. And it's just an odd phenomenon.
[09:17]
Tom Uren
Yeah. So part of the justification for these people search companies is that almost all of the data that they use is public. So their defense, I guess, is that we're just taking public records and we're just compiling them in a nice format. We're not doing anything that you couldn't do yourself. And that's true, but I think you're exactly right. It just makes it so much easier. In the case of the attempted assassinations in Minnesota, the guy had a list of 45 politicians. And so it just is a massive enabler. He could have done a lot more harm a lot more easily. And like, I think there's reasons that those records should be public. I don't necessarily think that there's a reason that they should be so easily accessible and compiled by third parties to make it just, you know, buy it with your credit card.
[10:12]
Patrick Gray
Yeah, I mean, I guess. I guess, you know, this, all this. I mean, God, we've been talking so much about the privacy risks from things like mobile app data. Right. Like previously, that's when you've covered this issue. That's where you focused your attention. But, you know, something as simple as names and addresses, I also think that, you know, given the political climate in the United States right now, it makes this a more critical issue. Would you agree with that?
[10:39]
Tom Uren
Yes. I thought a lot about this piece in terms of how to tie it to some of the other things I've written before. And for example, I guess the reason I've talked about geolocation data is because it provides other states with the capability to things they couldn't do at all.
[10:59]
Patrick Gray
Yeah. So that's more of like an intelligence risk, I guess.
[11:01]
Tom Uren
Yeah, yeah, that's right. But this seems to be like just a personal, individual privacy risk, regardless of what foreign states are doing. I mean, they could also take advantage of this data. But it seems that the, you know, most of the people who are murdered are murdered by people they know. This is the kind of thing that enables that kind of personal, malicious interaction. Makes it just so much easier.
[11:28]
Patrick Gray
Grievance murders. When you don't actually know the person, you don't know much about them, but, you know, they're a public figure or whatever. I mean, I know people who've wound up on the wrong side of various political factions in the United States as well. And the thought that someone can just look up their address and pay them a visit, I mean, it's pretty alarming.
[11:43]
Tom Uren
Yeah, yeah. So one of the articles I read, I guess the politician that they were, they had received threats, death threats in the past, and their, I guess their compensating control was to carry a gun. And that seems to me to be. Well, I mean, that's their choice. They can do that, but it seems better for people not to have their address so easily available in the first place.
[12:11]
Patrick Gray
Yeah. I think you just reminded me of that Jim Jefferies stand up bit about guns where he described a, you know, he experienced a home invasion and people said to him, well, if you had a gun, you know, he's, you know, you would have been okay. And he's like, okay, well, I was naked at the time.
[12:29]
Tom Uren
Well, in fact, one of the couples who was attacked by the Minnesota guy, they did have guns, but they were responsible gun owners and had them locked up. So at the point that someone knocks on your door, like, I don't think it's the rational first response is to go and unlock your gun cabinet and get the weapons out, just in case he had dressed up as a law enforcement person. So he had a rationale or a cover for knocking on their door. And in fact, he asked.
[13:01]
Patrick Gray
It's interesting, like when I think to just, you know, about a difference between sort of Australia and the United States. And of course, as a smaller country, we get to be more agile, smaller in terms of population at least we get to be more agile, agile when it comes to laws like these. But, you know, if there were some websites selling this information on Australians and a crime like this happened, I mean, that website would disappear pretty bloody quickly. Right. But the United States just has such a different approach to this sort of regulation that I can't really imagine much is going to change here.
[13:28]
Tom Uren
What they've done so far is to address individual occupations on a case by case basis. So federal judges, law enforcement officers in some states. But it requires a pretty high profile incident and it also requires, like, people who are willing to push the political process and maybe this will do it for legislators. I don't think that we can hope that that will happen. I think that would be a good move, but I think it needs to be broader than that.
[14:04]
Patrick Gray
Yeah, I think here in Australia too, if you are at someone at serious risk, you can even have yourself removed from the like, license database, like the driver's license database and stuff, and have certain redacted fields. You've got to have a good reason for it so that your, like, license plate on your car doesn't come back to your home address and things like that. So there are, you know, measures there. But yeah. Anyway, chilling story. Let's now talk about something. There's an update to this story that we spoke about yesterday on the weekly show. We discussed the wiper attack conducted by Predatory Sparrow, which is a pretend activist group which is almost certainly being operated by the Israeli government. So they managed to run a wiper attack against a bank, SEPA bank, in Iran. This is a bank that was involved in, you know, they're already sanctioned by the US since 2018 or something. They're involved in a lot of IRGC sort of transactions. So, you know, you can understand why they'd be a target. What's interesting though is that it's also a very large bank and if they manage to get the backups, which we're not sure about because Predatory Sparrow said they deleted all of the data. And some people have inferred from that that that meant backups as well. But I can't really find good sourcing on that. So we're just not sure whether that bank will be able to bounce back. But they've also gone after since then, just overnight, they went after some Iranian, an Iranian cryptocurrency exchange.
[15:26]
Tom Uren
And.
[15:27]
Patrick Gray
And they burned something like 90 million bucks worth of cryptocurrency by sending it to just dummy addresses and burn addresses.
[15:34]
Tom Uren
Yeah, yeah, that's right. So they explicitly, in both cases tied it to sanctions violations and supporting what they call, you know, malign Iranian activities like terrorism. So, for example, after the bank, after the bank attack, it said associating with the regime's instruments for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long term financial health. Who's next? So there's. To me, there's two messages that Predatory Sparrow is trying to send. One is just to the regime, we don't like you go screw yourselves. But the other is, I think it's coming up with this justification for why it's acting. So I think destroying an entire bank, if that's what they've successfully done, is a huge move and it will cause a lot of collateral damage because it just will gum up the financial system is, you know, not everyone who uses a bank is a bad person.
[16:49]
Patrick Gray
Well, and it will affect the other banks. As well, which has been my point on this, you know, it'll affect the entire banking system in Iran and the collateral damage from this could be gigantic. And at that point, like so, as you point out in this piece, which is excellent by the way, Predatory Sparrow has always gone to great pains to point out that when it disrupted the fuel card system in Iran, it did it temporarily and it pre notified emergency services saying, hey, go get some fuel now because your fuel cards won't work tomorrow because we're doing this thing. So it's always seemed like they're trying to show that their actions are sort of justified from a, you know, from a military, from a, you know, international law perspective. Yeah, they're trying to do the same thing here. And if this bank is able to recover, like the cryptocurrency exchange. Yeah, fair enough. If there's a cryptocurrency exchange involved in this sort of activity, you've burned 90 million bucks. When you're in a, you know, missiles are flying style war with that country, that seems like a pretty clear cut case of. Yeah, okay, but when you're talking about one of the biggest banks in Iran, if that bank cannot recover and we don't know if they've got backups, we don't know what the situation is. But if it cannot recover and this leads to some sort of, you know, artificially engineered financial crisis that affects the entire economy, you have to sort of start asking, well, is that still responsible activity? And you know, as you've written here, that's in the eye of the beholder.
[18:15]
Tom Uren
I think it really depends what you think the problem is, like whether you think Iran is a terrorist state and we need to do everything to stop it from getting a nuclear weapon. Whether you believe that the risk that it acquires a nuclear weapon is imminent or it could have been talked out of it. These are all things where I'm not an Iranian politics expert. I don't know. I'm extremely uncomfortable with destroying a whole bank permanently because there's just so much collateral damage. I don't know whether that is what has happened or what they intended. So, for example, in the gas station, the fuel subsidy attack, they could have gone a lot further, but they didn't. Maybe that's what's happened in this case. They. But we'll have to wait and see.
[19:06]
Patrick Gray
I mean, it just doesn't strike me that Israel is in a holding back kind of mood at the moment.
[19:11]
Tom Uren
No, you know, no, no, I don't think so either. But you know, we'll Wait and see. But I think that they are deliberately trying to come up with the justifications or present the justifications at the same time as they are conducting these actions. So, for example, the. When they attacked the bank, they produced documents that indicated links to the Iranian armed forces. And also the. I think it's the Quds Force or the Quds Force, which is. Finances terrorist organizations and kind of their covert operations type group. So they've leaked documents that support their justification for action. Whether. And I think it's the international community, whatever that means, like other states buy that as a legitimate justification. We'll have to wait and see.
[20:02]
Patrick Gray
Yeah, I mean, I think the interesting thing here is the entire. My entire opinion on this hinges on whether or not this is a permanent deletion or a temporary disruption. If it's a temporary disruption during a hot war, that seems pretty reasonable. If it's a permanent disruption, that would strike me more as an activity that's designed to massively destabilise the country. It's just a different type of operation. You wouldn't say that if it's that permanent deletion, that it's targeted at preventing sanctions evasion, it's something else. So that's why I find this one really interesting. It either has the ability to be something like the Iranian attack against Saudi Aramco, which was a wiper attack that they eventually recovered from, you know, and that's what this could be. Right. Which is a significant attack, but not like, oh, my God, you know, Absolutely one for the history books. But if this bank does go away, and I guess we'll know in coming weeks, then that is going to really change the entire dynamic of this. Of this conflict. So it could be one for the history books, but, yeah, we have to wait, don't we? It's annoying.
[21:12]
Tom Uren
Yeah, that's right. I found Predatory Sparrow a very interesting group because of the way there's just so much messaging in what they're trying to do.
[21:24]
Patrick Gray
I'm not clear on who the audience is for that, though.
[21:26]
Tom Uren
I originally thought it was Iran, but now I think it's always been aimed at other allies and it's trying to both really push the boundaries while at the same time push the boundaries of what we would consider acceptable while at the same time justifying it.
[21:45]
Patrick Gray
Yeah, I guess I'm with you on that. Because, you know, it's one thing to just vape a bank, but it's another thing to vape a bank and say, see, we did it, because they're doing all of this like, you know, sanctions. Sanctions violating stuff.
[21:57]
Tom Uren
Right.
[21:57]
Patrick Gray
So I. I kind of get why they would do that statement, but anyway, look, we'll obviously follow up on this one as things progress, but. Tom, you're in. That's all for today. Great to chat to you as always, mate. And I'll look forward to doing it again next week.
[22:11]
Tom Uren
Thanks, Patrick.