Why Executive Home Addresses Remain a Top Exposure Risk
Open-source data has made it easier than ever for attackers to uncover executives’ home addresses, exposing them to real-world and digital threats. In this interview, Matthew Golabek of Hetherington Group explains where that information comes from and how security leaders can stay ahead of it.
Every executive’s digital footprint tells a story. And too often, it ends at their front door. Despite years of investment in executive protection, home addresses and property records remain just a few clicks away. Attackers use open-source data to track routines, locate family members, and plan intrusions. For security teams, the question isn’t whether executives are exposed, but how quickly that exposure can be reduced.
To explore this issue, we spoke with Matthew Golabek, a Senior OSINT Instructor with Hetherington Group, which specializes in open-source intelligence and cyber investigations. Matthew works directly with organizations and protective teams to locate and remove sensitive personal data, helping them reduce the risk of doxing, harassment, and targeted attacks.
Below is a transcript of our conversation. It has been lightly edited for clarity.
What’s the real danger when attackers get ahold of an executive’s home address?
The immediate concern is always physical. Someone could visit the residence, follow the person, or even appear at a polling location or place of business. But the bigger and longer-term danger is digital and social.
When personal information like a name, date of birth, address, or social media details are compiled and broadcast, it undermines privacy and security. Once that information is out there, it can be difficult to control. Adversaries can use it for harassment, social engineering, scams, or even to build a larger security breach.
When you’re red-teaming, what are the most common or surprising places you find residential information?
Three big sources stand out: social media posts, political donation receipts, and state property assessor databases.
Social media posts often reveal a lot: routines, locations, even home layouts through background photos or videos. We’ve seen situations where someone’s home camera feed, unintentionally shared, exposed their family’s daily schedule and the layout of their home.
Political donation receipts are another overlooked risk. Many people use their personal addresses for donations, and those records are searchable through the FEC’s public database. Anyone can look up names and find addresses associated with donation receipts.
Finally, property assessor databases and third-party real estate sites can contain a surprising amount of personal data. Depending on the jurisdiction, you might find ownership records, signatures, or even scanned deeds. Personal signatures can be used for identity theft or fraud.
What are some of the most common mistakes you see high-profile individuals or their security teams make?
A big one is ignoring recommendations after a privacy assessment.
We can identify what needs to be removed and where vulnerabilities exist, but ultimately, the decision to act belongs to the client. Some choose not to deactivate old social media profiles or fail to move property ownership into a trust when advised.
We spend weeks researching and producing detailed, tailored recommendations. If those aren’t followed, the person remains at risk. We can mitigate exposure, but we can’t eliminate it without full cooperation.
If you had one piece of advice for security leaders, what would it be?
Be proactive instead of reactive.
That’s true across the security industry, but it’s especially critical in open-source intelligence. The goal is to protect executives and their families before an incident occurs, not after.
Security teams should regularly monitor exposure, educate their principals, and make sure remediation is ongoing. The protectee’s privacy is your responsibility — but so is your own.
If you’re managing someone else’s security, your personal exposure can also become a link in the chain. Staying private and vigilant helps ensure that both you and your clients remain protected.
AI is no longer a future concern. It’s reshaping executive risk right now. Our team at 360 Privacy recently tracked and dismantled two AI-built doxing platforms targeting more than 23,000 executives. The full investigation is detailed in our new technical brief: From Prompt to Platform: AI and the New Era of Executive Targeting. Download it today to see exactly how these platforms were built, why the threat is growing, and how leaders can get ahead of it.
