Doxing is one of those new terms that have evolved with the information age. It comes from a combination of the words “dropping” and “documents” (or “docs” for short) meaning to release information about someone. Basically, it’s just another form of cyber crime.
The most recent example was May 11, 2021, when the personal information on 22 Washington, DC Metro Police officers was publicly released by cyber criminals who had hacked the police department and accessed the information. They demanded $4M in ransom in order not to release the data of the officers. The department counter-offered $100K which was not sufficient to the attackers resulting in their releasing the information on the 22 officers.
The information included names, phone numbers, Social Security numbers, dates of birth, marriage records, personal financial and residential data, fingerprints, lie detector test results and even psychological assessments. For anyone, the release of such personally identifiable information (PII) is dangerous, but imagine how much more so it could be for a police officer.
Threat actors use a variety of methods to gather this information. They can collect it legally via open sources like public records websites (such as Beenverified, Intelius, Peoplefinders, Spokeo, Truthfinder, Whitepages and more), social media profiles, real estate records, obituaries, and more. They also use nefarious methods such as data breaches.
The many reasons that a cyber criminal would execute a doxing attack include revenge, stalking, identity theft, encouraging physical harm, bullying or harassing (e.g., ordering 100 pizzas delivered to the person’s home).
One of the most dangerous uses is “swatting” in which the information is used to report an emergency situation under false pretenses in order to get tactical law enforcement to respond to the target’s location. By reporting hostage situations, active shooter or other violent events, the police respond in emergency mode. The results of these “pranks” have included officers who were shot and even a victim who was shot and killed.
So if you ever wondered how serious cyber crime could be, the extent is limitless.