
Data Brokers Used to Target Orgs, Social Engineering is #1 Attack Vector

Last Modified Date: Oct 07, 2025

The Optery Dispatch

Welcome to The Optery Dispatch — a newsletter delivering the latest insights on threat intelligence and proactive cybersecurity strategy. In Issue #4, published August 26, 2025, we cover:

  • New Joint CISA/FBI/CNMF Advisory Is Latest Confirmation that Attackers Use Commercial Data Brokers to Target Organizations
  • IBM’s 2025 Cost of a Data Breach Report: Phishing Is the Most Frequent Attack Vector
  • Unit 42 Report: Social Engineering Is the #1 Initial Access Vector

New Joint CISA/FBI/CNMF Advisory Is Latest Confirmation that Attackers Use Commercial Data Brokers to Target Organizations

The joint CISA/FBI/CNMF updated advisory on Scattered Spider acknowledges what several analysts have previously noted: the threat group is using commercial data brokers as part of their reconnaissance toolkit and as fuel for social engineering.

In its July 29, 2025 update, the joint advisory states that Scattered Spider’s targeted social engineering campaigns are “enriched by access to personal information derived from social media, open-source information, commercial intelligence tools, and database leaks.”

What are “commercial intelligence tools” in this context? According to CISA, this refers to ‘commercial data aggregating and analytics services that can be purchased for use’ — in other words, the data broker platforms that sell employee and executive information.

The Gap in Mitigation Guidance

The updated Scattered Spider advisory underscores a larger issue: standard mitigation advice typically doesn’t account for the role of data brokers in fueling attacks, despite mounting proof that threat actors use these sites to target organizations.

Several examples from recent years illustrate this pattern.

  • The more recently leaked Black Basta chats showed members using ZoomInfo and RocketReach to identify targets and craft social engineering campaigns.
  • Okta’s investigation into the 0ktapus campaign concluded that the attackers, Scatter Swine, “likely harvested mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations.”
  • A joint FBI/CISA vishing advisory from 2020 describes attackers compiling employee dossiers using sources including “recruiter and marketing tools,” and “publicly available background check services,” both of which are types of data brokers.
  • In the same year, attackers compromised Florida-based data broker Interactive Data LLC, resulting in personal data on people and businesses being used for impersonation, scams, and fraudulent emails targeting government agencies, while also enabling fraud at financial institutions, leading to tens of millions of dollars in losses.
  • And the latest example is the joint CISA/FBI/CNMF advisory on Scattered Spider, placing commercial data aggregators alongside social media, OSINT, and leak data as inputs for social engineering.

Whether purchased directly, resold within the criminal ecosystem, or exposed through broker compromises, data broker profiles pose a major threat to businesses across industries, particularly as they are exploited for social engineering.

Personal Data Removal as a Security Imperative

CISA’s guidance on avoiding social engineering and phishing attacks is clear: ‘Do not provide personal information or information about your organization… unless you are certain of a person’s authority to have the information.’ Yet, data brokers effectively distribute that same sensitive information by default. This makes personal data removal a security imperative.

Read our full article on this: New Joint CISA/FBI/CNMF Advisory Is Latest Confirmation that Attackers Use Commercial Data Brokers to Target Organizations – Optery

IBM’s 2025 Cost of a Data Breach Report: Phishing Is the Most Frequent Attack Vector

IBM has released its 2025 Cost of a Data Breach Report, and its findings show phishing is the top attack vector targeting companies, breach costs are rising in the U.S., attackers are going after personal data, and AI is rapidly reshaping the threat landscape for both attackers and defenders.

Here are some highlights:

  • In the United States, the average cost of a breach “surged by 9% to USD 10.22 million, an all-time high for any region.”

  • “The most frequent type of attack vector on organizations was phishing, at 16%, which averaged USD 4.8 million.”
  • “16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).”
  • “Attackers targeted customer PII over other types of data by a wide margin. At 53%, it was the most stolen or compromised data type.”
  • “AI models and applications are emerging as an attack surface, especially in cases of shadow AI.”
  • Among its mitigations, the report notes that “securing AI data is essential not just for privacy and compliance, but also to protect data integrity, maintain organizational trust and avoid data compromise.”
  • On mitigating credential theft that stems from social engineering, IBM says “it’s critical to prevent attackers from obtaining those credentials in the first place. One of the most effective ways to do so is by ensuring all human users adopt modern, phishing-resistant authentication methods, such as passkeys.”

In addition to this, organizations can address the threat even earlier, before it ever reaches the employee inbox or phone, by removing the exposed personal data that fuels credential harvesting campaigns.

  • The report emphasizes using AI for defense: “As attackers turn to AI to produce and distribute more adaptive attacks, security teams should also embrace AI technologies. Security teams can use AI to reduce or prevent attacks and their business impacts, proactively employing measures that improve the accuracy of detection (threat hunting) and reduce the time to respond.”

With AI-enhanced phishing as the leading attack vector, one way AI is being applied at the prevention layer is in automating the elimination of exposed personal data that supplies attackers with the raw material for phishing. Optery is applying AI in this way to minimize organizations’ attack surfaces for phishing and related threats.

Read the full IBM report here: Cost of a Data Breach Report 2025

Unit 42 Report: Social Engineering Is the #1 Initial Access Vector

Palo Alto Networks’ latest Unit 42 Global Incident Response Report: Social Engineering Edition shows that social engineering remains the #1 initial access vector.

Among the more than 700 cases Unit 42 investigated between May 2024 and May 2025, 36% of all incidents began with social engineering. Of those:

  • 65% were phishing
  • 12% came from SEO poisoning or malvertising
  • 1% involved smishing or MFA bombing
  • The remaining 22%, listed as “other,” appear to involve predominantly vishing-style attacks, including phone-based impersonation, callback scams, and help desk pretexting.

More Stats from the Report

  • 66% of social engineering attacks targeted privileged accounts
  • 45% involved internal impersonation
  • 23% used callback or voice-based lures (vishing)
  • 60% led to data exposure
  • ~50% were business email compromise (BEC), and 60% of those resulted in data loss

Additional Insights

  • Threat actors are using GenAI to craft personalized lures using public information.
  • Early Agentic AI usage was observed in chaining activities such as cross-platform reconnaissance and message distribution.
  • Unit 42 urges defenders to move beyond user education and treat social engineering as a systemic vulnerability.
  • Many attacks succeeded due to excessive permissions, weak MFA coverage, and over-burdened or undertrained frontline teams.

In addition to the mitigations recommended in the report, denying attackers the personal data they need to impersonate, pretext, and deceive is a necessary proactive (and offensive) step to reduce the volume of attacks and the burden on security teams.

Read the full report here: 2025 Unit 42 Global Incident Response Report: Social Engineering Edition

Thanks for reading! Want us to write about something specific? Submit a topic or idea.

If you’re looking to reduce your organization’s exposed PII and prevent phishing, voice and messaging scams, credential theft, and other PII-based threats, Optery can help. Get started here: Optery for business
