Learn more about Photolok | Click Here

Learn more about Photolok | Click Here

A.R. Perez, Netlok, June 17, 2025

The pace of technological change is accelerating crime. For example, cybercrime has undergone a fundamental transformation over the past two decades, evolving from isolated hackers operating in basements to sophisticated criminal enterprises that mirror legitimate business models 1, 2. What was once the domain of technically skilled individuals driven by prestige and ideology has become a $1.5 trillion in cybercriminal revenue/earnings that operates with the professionalism and structure of Fortune 500 companies 3, 2. In this article, we will examine how cybercrime has evolved into a modern business model that is profitable and built to attack you, your family, and business.

The Evolution from Individual Hackers to Criminal Enterprises

Early Days: Prestige Over Profit

The first phase of cybercrime, roughly spanning from 1990 to 2006, was characterized by hackers motivated primarily by personal prestige and technical challenge rather than financial gain 4. These early cybercriminals operated as lone wolves, requiring extensive technical knowledge and specialized skills to execute attacks 4. The underground economy was fragmented, with limited collaboration between different criminal actors5.

The Dotcom Realization

The dotcom boom fundamentally shifted the cybercrime paradigm by demonstrating the immense financial potential of internet-based activities 4. Criminals began to recognize that the same digital infrastructure powering legitimate e-commerce could be exploited for illicit profit 4. This realization marked the beginning of cybercrime’s transformation into a business-driven enterprise 4.

The Birth of Crime-As-A-Service

Defining the CaaS Model

Crime-as-a-Service (CaaS) represents a business model where cybercriminals provide various hacking and cybercrime services to other individuals or groups, typically for financial gain 6. This model essentially commodifies and commercializes cybercriminal activities, allowing even those with little technical expertise to engage in sophisticated cyberattacks 6. The CaaS framework mirrors legitimate Software-as-a-Service (SaaS) business models, transforming hacking into a subscription service available to individuals, groups, and even nation-states 1.

The Democratization of Cybercrime

The emergence of CaaS has fundamentally democratized cybercrime by lowering the barriers to entry 7, 5. Previously, successful cyberattacks required exceptional technical abilities that were limited to a small group of highly skilled individuals 5. Today, budding cybercriminals need only a rudimentary understanding of cybersecurity, internet access, and a few dollars in cryptocurrency to initiate sophisticated attacks 6, 7.

This democratization is exemplified by cases like the infamous Lapsus$ hacking group, where several members were renegade teenagers who managed to breach tech giants like Microsoft and Nvidia, with the group’s former leader being a 16-year-old living at his mother’s home in the English countryside1.

Business Models and Revenue Structures

Subscription-Based Pricing Models

The CaaS ecosystem employs various pricing models that mirror legitimate business practices 8, 9. The most common revenue structures include:

Monthly Subscriptions: Many cybercrime services operate on recurring monthly fees, similar to legitimate SaaS platforms 8. These subscriptions often range from tens to thousands of dollars, depending on the sophistication of the service 10.

Commission-Based Models: In ransomware-as-a-service operations, developers typically receive a 20-30% cut while affiliates retain 70-80% of ransom payments 9. This revenue-sharing model incentivizes both development and deployment of criminal tools 9.

One-Time Purchases: Some services offer single-payment options for specific tools or access credentials 8. For example, corporate login credentials can sell for several thousand dollars 11.

Hybrid Models: Many providers combine subscription fees with performance-based commissions, maximizing revenue from multiple streams 8, 9.

Market Maturation and Pricing Evolution

The cybercrime marketplace has demonstrated remarkable price evolution as competition has intensified 4. The Zeus malware, which originally cost $8,000, saw its price drop to around $500 due to competition from SpyEye 4. By 2011, when the Zeus source code was leaked, it effectively became free, demonstrating how market forces operate even in illegal sectors 4.

The Scale of the Criminal Economy

Revenue and Economic Impact

The cybercrime economy has reached staggering proportions, with research estimating total annual revenues at $1.5 trillion 3. This massive figure breaks down across various criminal activities:

• $860 billion from illicit markets
• $500 billion from trade secret theft
• $160 billion from data trading
• $1.6 billion from crimeware services
• $1 billion from ransomware operations 3

Cybersecurity Ventures projects that the total economic damage to victims will reach $10.5 trillion annually by 2025, representing a 15% annual growth rate 12. If cybercrime were measured as a country, it would rank as the world’s third-largest economy, behind only the United States and China 13, 12.

Service Diversification

The CaaS ecosystem now encompasses nearly every aspect of cybercrime 14, 15. Beyond traditional malware and phishing kits, the marketplace now offers:

Advanced Specialized Services:

• OPSEC-as-a-Service to help attackers hide infections
• Scanning-as-a-Service providing access to legitimate commercial tools like Metasploit
• DDoS-as-a-Service for distributed denial of service attacks
• Botnet-for-hire services 6, 14

Professional Support Services:

• Technical support and customer service
• Step-by-step instructions and training materials
• 24/7 helpdesk operations
• Private forums for information exchange 8, 16

Organizational Structure and Professionalization

Corporate-Style Operations

Modern cybercrime organizations have adopted sophisticated business structures that mirror legitimate enterprises 14, 15. These criminal enterprises now feature:

Hierarchical Management: Clear organizational charts with specialized roles including developers, distributors, and end-users 17. Developers create malicious software, distributors act as intermediaries assembling attack teams, and end-users execute attacks with minimal knowledge of the larger operation 17.

Human Resources Functions: Cybercrime marketplaces now feature dedicated help-wanted pages and recruiting staff 14, 15. Criminal job seekers post summaries of their skills and qualifications, while employers advertise positions with competitive salaries, performance bonuses, and even paid time off 10.

Research and Development: Criminal organizations invest heavily in innovation, constantly developing new attack methods and improving existing tools to evade detection 5, 11.

Professional Customer Experience

The professionalization of cybercrime extends to customer service and user experience 11. Criminal service providers now offer:

• Demo sites showcasing their malware capabilities
• Comprehensive user guides and documentation
• Online training and technical support
• Regular software updates and patches
• Money-back guarantees and service level agreements 16, 11

Ransomware-as-a-Service: The Premium Model

The RaaS Business Model

Ransomware-as-a-Service (RaaS) represents perhaps the most sophisticated evolution of the CaaS model 8. RaaS providers lease out compiled ransomware, source code, and complete infrastructure packages to affiliates 8. These services include:

• Customization tools for targeting specific operating systems
• Infrastructure for managing ransomware campaigns
• Control panels for monitoring attacks
• Technical support and negotiation assistance 8

Major RaaS Operations

Prominent RaaS groups like Conti, REvil (Sodinokibi), DarkSide, and LockBit have established themselves as major players in the criminal marketplace 8. LockBit 3.0, for instance, operates as a full-service RaaS platform where affiliates share a percentage of profits with operators as commission 18.

These organizations have demonstrated remarkable resilience and adaptability 18. When law enforcement disrupts one operation, others quickly emerge to fill the market gap, suggesting a mature and self-sustaining ecosystem 11.

Market Infrastructure and Payment Systems

Dark Web Marketplaces

The CaaS economy operates primarily through dark web marketplaces that provide anonymity and security for both buyers and sellers 19. These platforms have evolved sophisticated features including:

Payment Systems: Bitcoin and Monero are the primary cryptocurrencies used, with many marketplaces implementing mixing services for additional anonymity 19.

Escrow Services: Sophisticated escrow mechanisms protect both buyers and sellers, with funds held until services are delivered satisfactorily 19.

Multi-signature Security: Advanced marketplaces use multi-signature wallets requiring authorization from two of three parties (buyer, seller, marketplace) to complete transactions 19.

Auto-finalize Features: Automatic fund release mechanisms ensure vendors receive payment even if buyers don’t confirm receipt 19.

Trust and Reputation Systems

Criminal marketplaces have developed comprehensive trust and reputation systems that parallel legitimate e-commerce platforms 10. Vendors with proven track records of delivering working malware and maintaining operational security can command premium prices 10. Some ransomware groups have built such strong reputations for reliability that they leverage their “brand recognition” to charge higher fees 10.

The Future of Criminal Innovation

Continuous Evolution

The CaaS ecosystem continues to evolve rapidly, driven by the same market forces that shape legitimate business 11. As cybersecurity defenses improve, criminal services adapt by offering more sophisticated tools and techniques 14, 15. The commoditization of nearly every component of cybercrime has created opportunities for attackers of any skill level to participate in this underground economy 14, 15.

Economic Incentives

The massive financial incentives driving the CaaS ecosystem show no signs of diminishing3. With annual revenues exceeding $1.5 trillion and growth rates of 15% per year, the criminal economy has established itself as a self-sustaining and continuously expanding sector 1, 23.

Conclusion

The transformation of cybercrime from individual hacking activities to a subscription-based service economy represents one of the most significant developments in modern criminal enterprise 17. By adopting legitimate business models, implementing professional operational structures, and creating user-friendly service offerings, cybercriminals have successfully democratized access to sophisticated attack capabilities 6, 14.

This evolution has fundamentally altered the threat landscape, making advanced cyberattacks accessible to anyone with modest financial resources and basic internet access 7 16. The CaaS model’s success demonstrates how criminal organizations can adapt and thrive by mimicking the very business innovations they seek to exploit 4, 11.

As the cybercrime economy continues to mature and expand, reaching projected revenues of $10.5 trillion by 2025, it presents an unprecedented challenge to cybersecurity professionals and law enforcement agencies worldwide 12. The subscription-based nature of modern cybercrime has created a resilient, scalable, and increasingly sophisticated threat that mirrors the digital transformation occurring in legitimate business sectors 1, 15.

1. https://register.bank/insights/cybercrime-as-a-service-overview/
2. https://arcticwolf.com/resources/blog/decade-of-cybercrime/
3. https://www.linkedin.com/pulse/dark-web-economics-understanding-business-models-cybercrime-baek-wtpoc
4. https://www.securityweek.com/understanding-evolution-cybercrime-predict-its-future/
5. https://www.europol.europa.eu/iocta/2014/chap-3-1-view1.html
6. https://cpl.thalesgroup.com/blog/encryption/cybercrime-as-a-service-caas-explaned
7. https://fieldeffect.com/blog/cybercrime-as-a-service
8. https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/
9. https://www.bleepingcomputer.com/news/security/dozens-of-ransomware-gangs-partner-with-hackers-to-extort-victims/
10. https://www.linkedin.com/pulse/inside-ransomware-economy-dark-web-markets-pricing-tactics-baek-qxunc
11. https://knowledge.insead.edu/operations/professionalisation-cyber-criminals
12. https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
13. https://www.criticalstart.com/cybercrime-the-worlds-3rd-largest-economy/
14. https://digitalisationworld.com/news/64595/cybercrime-reaches-new-levels-of-commercialisation
15. https://www.msp-channel.com/news/64595/cybercrime-reaches-new-levels-of-commercialisation
16. https://www.kiwitech.com/blog/malware-as-a-service-how-cybercrime-has-become-a-business-model/
17. https://cointelegraph.com/explained/crimeware-as-a-service-a-new-threat-to-crypto-users
18. https://www.cyber.gov.au/sites/default/files/2023-06/acsc-ransomware-profile-lockbit-3.0-june-2023.pdf
19. https://docs.apwg.org/ecrimeresearch/2021/ecrime2021-paper55.pdf
20. https://www.techtarget.com/whatis/feature/Cybercrime-as-a-service-explained-What-you-need-to-know
21. https://sac.media/2024/10/03/opinion-the-subscription-business-model-needs-to-stop/
22. https://www.paloaltonetworks.com/cyberpedia/cybercrime-the-underground-economy
23. https://www.businessofgovernment.org/sites/default/files/Viewpoint%20Strickland%20et%20al.pdf

A.R. Perez, Netlok, June 12, 2025

Despite facing significant cybersecurity threats, many family offices continue to operate with inadequate defenses, creating a dangerous disconnect between risk exposure and preparedness. Understanding the underlying causes of this vulnerability reveals systemic challenges that go beyond simple oversight.

The Scale of the Problem

The cybersecurity preparedness gap among family offices is striking. While 43% of family offices globally have experienced a cyberattack over the last 12-24 months, nearly one-third (31%) lack a comprehensive cybersecurity strategy, leaving them woefully unprepared 16. In North America, the situation is even more concerning, with 57% of family offices reporting cyber incidents during recent periods 9. Despite these alarming statistics, only 31% of family offices say their cyber risk management processes are well-developed 1.

Root Causes of Unpreparedness

Underestimation and Misperception of Threats

Many family offices fundamentally underestimate their attractiveness as targets and the sophistication of modern cyber threats 19. A significant factor contributing to this vulnerability is the belief that “privacy equals security” – the misguided notion that operating “under the radar” provides adequate protection 19. This mindset leads to a dangerous miscalculation where family offices assume they’re too small or obscure to warrant sophisticated attacks 20.

Research reveals that 47% of family offices acknowledge that underestimating the threat level obstructs the implementation of risk management measures 3. Additionally, smaller and newer family offices are particularly vulnerable, with only 15% accurately assessing the likelihood of cyberattacks compared to 25% at larger family offices 3.

Complacency and Reactive Approaches

A pervasive culture of complacency significantly hampers cybersecurity preparedness among family offices 13. Studies show that 41% of family offices cite complacency as an obstacle to implementing risk management measures 3. This reactive mindset is further evidenced by the fact that 33% of family offices have adopted a “reactionary rather than preventative approach” to cybersecurity, an increase from around 25% in previous studies 21.

As one US-based single family office CEO noted, “Many people do not react to cyber threats until they have been attacked” 2. This wait-and-see approach leaves offices vulnerable to increasingly sophisticated attacks that target the “low-hanging fruit” 2.

Resource and Budget Constraints

Unlike large enterprises, family offices often lack the financial resources for comprehensive cybersecurity infrastructure 21. Only 33% of family offices report having a dedicated cybersecurity budget, forcing many to rely on inadequate solutions 5. The typical family office operates with a small staff ranging from 2 to 25+ members, making it challenging to allocate personnel specifically for cybersecurity functions 7.

The resource limitation extends beyond budgets to human capital. Just 8% of family offices have in-house cybersecurity personnel, and 67% have not hired third-party defense providers 1. This staffing gap means that cybersecurity often becomes an afterthought rather than a strategic priority.

Organizational Structure Challenges

Family offices face unique structural challenges that impede effective cybersecurity implementation. Many operate more like small businesses when it comes to cybersecurity infrastructure while managing wealth comparable to mid-sized enterprises 2023. This creates a dangerous mismatch between resources and risk exposure.

The fragmented nature of family office operations compounds these challenges. Many use disparate systems that don’t communicate effectively, creating security vulnerabilities and making comprehensive protection difficult to implement 29. Without proper integration, family offices struggle to maintain consistent security protocols across all their technological touchpoints.

Third-Party Vendor Risks

Family offices increasingly rely on external vendors and service providers, creating additional vulnerabilities they may not fully understand or manage effectively 2830. There has been “a huge uptick in third-party vendors having cybersecurity incidents and then reporting them back to the data owner,” creating cascading security risks 28.

Family offices without proper processes to vet third-party vendors significantly increase their risk exposure through insecure connections and compromised vendor relationships 30. This is particularly problematic given that many family offices outsource critical functions without implementing adequate vendor security oversight.

Lack of Awareness and Training

A critical gap exists in cybersecurity awareness and training across family office organizations. Fewer than 25% of family offices have implemented basic protections such as phishing simulation tests, security awareness training, external penetration testing, or defined incident response plans 5.

The challenge is compounded by the diverse technology adoption patterns within wealthy families, ranging from tech-savvy younger members to “tech-averse octogenarians” 13. This spectrum of cyber hygiene habits makes it difficult to implement consistent security protocols across all family members and staff.

The Human Factor

Cybersecurity experts emphasize that most cyberattacks don’t happen through technology failures but because of people and process weaknesses 16. Family offices are particularly vulnerable to social engineering attacks because cybercriminals can often gather extensive information about wealthy families through social media and public records 18.

The younger generation’s increased online visibility has inadvertently exposed families that previously maintained tight privacy controls 18. As one expert noted, “The younger members of the family are outing families that have kept a really tight lid on their wealth for a long period of time” 18.

The Cost of Inaction

The consequences of inadequate cybersecurity preparedness extend far beyond immediate financial losses. Among family offices that have experienced cyberattacks, a significant one-third have suffered some form of loss or damage, with operational damage and financial loss being the most common consequences 9.

The average cost of a data breach globally approaches $4 million, with individual family offices at risk of losing up to $500,000 in ransom payments alone 10. Beyond direct financial impacts, successful attacks can severely damage reputation, erode trust, and lead to regulatory inquiries and litigation 14.

Moving Forward

The persistent unpreparedness of family offices despite high cyberattack risks reflects a complex interplay of psychological, organizational, and resource-related factors. Addressing these challenges requires a fundamental shift from reactive to proactive cybersecurity approaches, supported by dedicated budgets, specialized expertise, and comprehensive risk management frameworks.

As cybersecurity threats continue to evolve and become more sophisticated, family offices can no longer afford to operate under the assumption that their size or privacy provides adequate protection 16. The time for reactive measures has passed; proactive cybersecurity investment has become an operational necessity rather than an optional consideration.

1. https://www.institutionalinvestor.com/article/2eh3jnemw9qf5mzu5gs8w/corner-office/family-offices-are-unprepared-for-cyber-threats
2. https://ioandc.com/family-offices-unprepared-for-rising-cyberattacks/
3. https://sps.columbia.edu/sites/default/files/2020-10/Boston%20Private%20Surveying%20the%20Risks%20and%20Threats%20to%20Family%20Offices.pdf
4. https://www.globalguardian.com/global-digest/family-office-safety-risks
5. https://tekconcierge.com/deloitte-report-reveals-cybersecurity-gaps-in-family-offices-is-your-office-at-risk/
6. https://www.kelvinfu.com/fortresses-of-wealth-protecting-family-offices-in-the-age-of-cyberattacks/
7. https://andsimple.co/insights/family-office-cybersecurity/
8. https://www.wealthbriefing.com/html/article.php/family-offices-under-siege:-effective-cybersecurity-strategies
9. https://www.deloitte.com/nl/en/services/deloitte-private/about/family-office-cybersecurity-report.html
10. https://andsimple.co/insights/cybersecurity-for-family-offices/
11. https://www.pwc.com/gx/en/services/family-business/family-office/cyber-security.html
12. https://www.cohnreznick.com/insights/family-office-cybersecurity-3-ways-protect-against-threats
13. https://www.northerntrust.com/united-states/institute/articles/mitigating-cyber-risks-in-family-offices-for-long-term-security
14. https://www.morganlewis.com/pubs/2024/08/the-framework-of-a-strong-family-office-cybersecurity-strategy
15. https://www.familyoffice.com/insights/cybersecurity-poses-real-consequences-family-offices
16. https://www.familyoffice.com/insights/family-offices-must-assess-weak-links-cyber-protection
17. https://rsmus.com/insights/services/family-office/latest-rsm-research-shows-growing-cybersecurity-risk-for-family-offices.html
18. https://thefopro.com/family-office-cybersecurity/
19. https://www.svb.com/contentassets/cd008ac478bd479980c42888365020c4/demystifying_risk_management_for_family_offices.pdf
20. https://www.familywealthreport.com/article.php/Many-Family-Offices-Think-They-Won’t-Suffer-Cyber-Attacks-%E2%80%93-Time-To-Wake-Up?id=204059
21. https://thefopro.com/a-new-survey-of-family-offices-finds-significant-growth-over-the-past-five-years-and-expectations-that-that-growth-will-continue/
22. https://www.cyberdefensemagazine.com/maximizing-cybersecurity-impact-within-budget-constraints/
23. https://www.agillink.com/insights/Blog/top-5-cybersecurity-practices-for-family-offices0.html
24. https://www.craincurrency.com/family-office-management/war-talent-why-its-so-hard-family-offices-hire-right-people
25. https://www.pwc.com/hu/hu/assets/pdf/pwc_effective_cyber_protection_for_family_offices_update.pdf
26. https://rsmus.com/insights/services/family-office/how-technology-supports-people-in-family-offices.html
27. https://omegasystemscorp.com/industries/financial-services/family-offices/
28. https://www.craincurrency.com/family-office-management/cybersecurity-poses-real-world-consequences-family-offices
29. https://rsmus.com/insights/services/family-office/family-office-outsourcing.html
30. https://www.privatebank.citibank.com/doc/family-office/Managing_cyber_security_and_fraud_risks.pdf
31. https://www.familywealthreport.com/article.php/From-Risk-To-Resilience:-Strategies-For-Cybersecurity-In-Family-Offices
32. https://www.linkedin.com/posts/warrenfinkel_many-family-offices-think-they-wont-suffer-activity-7313888390674878465-7ZTK
33. https://www.bloomberg.com/news/videos/2025-03-28/cybersecurity-single-biggest-risk-to-family-offices-video
34. https://clutch.co/it-services/cybersecurity/pricing
35. https://www.risk-strategies.com/blog/family-office-cybersecurity-how-to-defend-against-cyberattacks

A. Perez, Netlok, 6/9/2025

Supreme Court Allows DOGE Access to Social Security Database: Privacy Implications for the Future

The Supreme Court Ruling

On June 6, 2025, the U.S. Supreme Court ruled 6-3 to allow the Department of Government Efficiency (DOGE) unfettered access to Social Security Administration (SSA) databases containing sensitive personal information on millions of Americans 1, 2, 3. The Court granted the Trump administration’s emergency request to lift a lower court injunction that had previously restricted DOGE’s access to these systems due to privacy concerns 4, 5.

In an unsigned three-paragraph order, the majority concluded that “under the present circumstances, SSA may proceed to afford members of the SSA DOGE Team access to the agency records in question in order for those members to do their work”6, 7. The decision overturned a ruling by U.S. District Judge Ellen Hollander in Maryland, who had found that DOGE’s broad access likely violated federal privacy law 8.

This SCOTUS decision concerns Netlok and other cybersecurity companies because we are required to protect Personal Private Information (PPI). However, if DOGE’s collection and storage of PPI is hacked into by nation-states and bad actors, PPI becomes public information, which begs the question, “Is Privacy Dead?”

What Data is at Risk

The Social Security Administration’s databases contain some of the most sensitive personal information held by the federal government 9, 13. This includes:

• Core identity information: Social Security numbers, birth dates, addresses, and marital status 13
• Financial records: Lifetime earnings, bank account information, and tax data13, 22
• Medical information: Health records, mental health treatment histories, and disability documentation 24
• Family details: Information about children, spouse relationships, and family court records 2, 7
• Immigration data: Work authorization and immigration status records 22

As privacy expert Kathleen Romig, a former SSA employee, noted, the agency possesses personal data about most Americans that spans “from cradle to grave”13.

Legal Challenges and Privacy Act Violations

The Privacy Act of 1974

The legal battle centers on the Privacy Act of 1974, a Watergate-era law designed to protect Americans’ personal information from federal government misuse 12, 17. This landmark legislation establishes strict limitations on how federal agencies can collect, use, and disclose personal information, requiring consent for most data sharing and imposing penalties for unauthorized access 17, 18.

Legal experts argue that DOGE’s access represents “an egregious violation of the Act” and potentially “the worst violation of the Privacy Act since its enactment in 1974” 18, 19. More than a dozen lawsuits have been filed invoking the Privacy Act to challenge DOGE’s data access across multiple federal agencies 20, 23.

Court Dissents and Concerns

Justice Ketanji Brown Jackson, joined by Justice Sonia Sotomayor, issued a blistering dissent warning that the decision “creates grave privacy risks for millions of Americans” 24. Jackson criticized the majority for allowing DOGE “unfettered access to this personal, non-anonymized information right now — before the courts have time to assess whether DOGE’s access is lawful” 47.

The dissenting justices emphasized that the government had failed to demonstrate any necessity for bypassing existing privacy protections 24.

Privacy Implications Going Forward

Weakening of Federal Privacy Protections

Privacy advocates warn that this ruling sets a dangerous precedent by prioritizing administrative efficiency over individual privacy rights 29. As American Oversight Executive Director Chioma Chukwu stated, “The Court’s shielding of those in power while stripping protections from the American people sets a dangerous precedent and is exactly backwards in a functioning democracy” 2.

The decision effectively undermines the foundational principle that has governed SSA for nearly 90 years: an expectation of privacy concerning its records 24. Legal experts worry this could “turn privacy law into an empty promise” 9.

Expansion of Government Data Access

The ruling may embolden similar data-sharing initiatives across the federal government 27. DOGE has already sought access to sensitive databases at the Treasury Department, Education Department, and Office of Personnel Management 10, 14. The Supreme Court’s backing of DOGE’s Social Security access could facilitate broader government data consolidation efforts 11, 15.

Increased Risk of Data Breaches and Misuse

Security experts have raised alarm about the risks associated with DOGE’s data access practices 25, 28. Recent investigations have revealed over 150 government database servers exposed to the internet, creating unprecedented vulnerabilities to cyberattacks 25, 28. The combination of expanded data access and weakened security protocols creates “grave privacy risks” for millions of Americans 4.

Future Legislative Response

The ruling is likely to accelerate legislative efforts to strengthen data protection laws 27. Congress is already considering bills like the Social Security Data Protection Act, which would impose strict audit requirements on agencies handling sensitive information 27. State-level privacy legislation may also be strengthened in response to federal privacy rollbacks 27.

Expert Analysis and Ongoing Concerns

Privacy law experts have described DOGE’s data practices as representing a fundamental shift away from established privacy protections 18, 20. Professor Danielle Citron noted that the Privacy Act was created specifically to address concerns about government agencies accessing sensitive databases without proper safeguards 12.

The American Civil Liberties Union has demanded transparency about DOGE’s data practices, filing Freedom of Information Act requests to uncover the full extent of the agency’s access to Americans’ personal information 11. The organization warned that DOGE has already started “removing some protections around personal data” 11.

Democracy Forward, representing the plaintiffs in the Social Security case, stated that the ruling would “jeopardize the data of millions of Americans” and vowed to continue using “every legal avenue available to prevent unelected officials from misusing the public’s most sensitive information” 24.

Conclusion

The Supreme Court’s decision to allow DOGE access to Social Security databases marks a significant erosion of privacy protections that have safeguarded Americans’ personal information for decades 2, 18. While the administration argues this access is necessary to combat fraud and modernize government systems 6, 10, privacy advocates warn of unprecedented risks to data security and individual privacy rights 2, 19.

The ruling’s long-term implications extend beyond Social Security data, potentially opening the door for expanded government surveillance and data collection without adequate oversight15, 27. As legal challenges continue in lower courts, the ultimate impact on American privacy rights will depend on how aggressively the government pursues data access and whether Congress acts to strengthen privacy protections 20, 23.

1. https://www.washingtonpost.com/politics/2025/06/06/supreme-court-doge-social-security-privacy-data/
2. https://americanoversight.org/supreme-court-grants-doge-access-to-americans-social-security-data-undermining-privacy-protections/
3. https://apnews.com/article/doge-social-security-trump-elon-musk-99f3f281154fe0f91e6a6e612bf8e9ba
4. https://www.democracydocket.com/news-alerts/supreme-court-allows-doge-to-access-social-security-data/
5. https://www.cbsnews.com/news/supreme-court-doge-social-security-administration-information/
6. https://www.latimes.com/politics/story/2025-06-06/doge-employees-can-search-social-security-records-supreme-court-says
7. https://www.scotusblog.com/2025/06/supreme-court-sides-with-trump-in-two-doge-suits/
8. https://www.supremecourt.gov/opinions/24pdf/24a1063_6j37.pdf
9. https://www.livenowfox.com/news/supreme-court-doge-social-security-data
10. https://www.politico.com/news/2025/06/06/supreme-court-doge-social-security-records-ruling-00393064
11. https://www.aclu.org/press-releases/aclu-demands-social-security-administration-turn-over-docs-on-doges-access-to-americans-data
12. https://www.npr.org/2025/03/12/nx-s1-5323779/a-little-known-law-is-in-the-spotlight-what-to-know-about-the-privacy-act-of-1974
13. https://www.cnn.com/2025/06/06/business/doge-greenlight-access-your-social-security-data
14. https://www.npr.org/2025/03/11/nx-s1-5305054/doge-elon-musk-security-data-information-privacy
15. https://civilrights.org/2025/03/20/doge-government-data-privacy/
16. https://goodlander.house.gov/services/doge-privacy-act-requests
17. https://uclawreview.org/2025/05/13/data-democracy-and-doge-the-privacy-act-of-1974-and-the-legal-battle-over-doges-access-to-personal-information/
18. https://www.lawfaremedia.org/article/doge-betrays-foundational-commitments-of-the-privacy-act-of-1974
19. https://www.eff.org/deeplinks/2025/04/our-privacy-act-lawsuit-against-doge-and-opm-why-judge-let-it-move-forward
20. https://www.politico.com/news/2025/03/06/doge-musk-court-privacy-sensitive-data-00211749
21. https://2b-advice.com/en/2025/02/20/doge-access-to-data-dispute-over-data-protection-in-the-usa/
22. https://democracyforward.org/work/ssa-data-doge-case/
23. https://www.npr.org/2025/03/13/1238261955/over-a-dozen-lawsuits-to-stop-doge-data-access-are-betting-on-a-1974-law
24. https://www.reuters.com/world/us/us-supreme-court-allows-musks-doge-broad-access-social-security-data-2025-06-06/
25. https://hoploninfosec.com/over-150-government-database-breach/
26. https://www.thompsoncoburn.com/insights/california-chamber-seeks-state-supreme-court-review-of-privacy-act-enforcement-102jc6t/
27. https://www.ainvest.com/news/data-privacy-crosshairs-doge-supreme-court-win-fuels-cybersecurity-investment-opportunities-2506/
28. https://cyberintel.substack.com/p/unprecedented-exposure-of-federal
29. https://www.politico.com/news/2025/06/06/supreme-court-doge-records-ruling-00393265
30. https://fedscoop.com/supreme-court-allows-doge-to-access-social-security-records/
31. https://www.americanprogress.org/article/the-privacy-act-of-1974-was-designed-to-protect-us-from-elon-musk-and-doge/
32. https://www.newsweek.com/how-doge-will-impact-social-security-now-that-elon-musk-has-left-2082894

In the daily operations of a business, it’s normal for employees to need to access multiple accounts or collaborate across accounts to get their work done. In some cases, though, it may be impractical to have multiple accounts for the same service. When this happens, it’s common for employees to share passwords.

Password sharing in a business setting can be dangerous, exposing sensitive company information to outsiders who may use it for ill intent. There are a few ways you can mitigate this danger, but first, it’s best to understand why password sharing happens and what exactly those dangers are.

Why do people share passwords?

According to research conducted by popular survey company Survey Monkey, an estimated 32 million employees in the United States share passwords. But why? Per the respondents to this survey, most people who share their passwords (about one-third of participants), at least in a work setting, do so to collaborate with their teammates. Other reasons found in the survey included following company procedures and reducing costs. 

This makes sense; a company may not have the resources to pay for separate subscriptions to certain services for all of their employees or may not use the service enough to justify the extra cost. Having some employees share a single paid account might be more practical in these scenarios. Additionally, having everyone work from the same account can make collaboration easier by allowing employees to save their work to the same location and access others’ work as needed without the intermediary steps of sharing documentation through messaging or emails.

As common as it is, though, password sharing can still be dangerous.

The dangers of sharing passwords

The first and most obvious risk of sharing passwords is that of the person with whom the password is shared being a bad actor. Phishing schemes are incredibly common, accounting for 3.4 billion spam emails sent every day and being the most common cause of data breaches. These scams rely on a person voluntarily sharing their password with a party pretending to be some kind of authority. 

Even if the person with whom you are sharing your password is not a bad actor themselves, however, password sharing can still lead to accessing sensitive information through unsecured networks. It is incredibly difficult to regulate server access if employees share information and access it via external networks such as remote office setups or public computers.

Additionally, if any changes are made to the sensitive data via an external network, tracking who made the changes and why is much more difficult. This may mean that your internal data is susceptible to abuse by jaded former employees or dishonest employees looking to profit from your work in some way. This may mean anything from unauthorized social media posts that may greatly damage the company image to the misuse of customer information to potential serious loss of revenue. 

How to share passwords safely

All of this being said, there will still be scenarios in which you may need to share an account across multiple employees or access points. Here are some tips from Forbes on how to share passwords safely.

• Use a password manager to generate and store unique passwords for each account. This is especially useful if you work in-person only and are accessing multiple accounts from the same device. 
• Use data-encrypted cloud storage to send a secure file with account information. This allows you to control who has permissions to see or use the file.
• Online project management tools use data encryption to secure your information, allow for easy sharing of information between team members through a monitored internal system, and offer file-sharing features for additional convenience.
• Never share a password via email, text message, or physical writing where it might easily be seen. 
• Never click on links in emails from senders you do not recognize and cannot verify, especially if those links claim to lead to service landing pages or demand account information. Always log into accounts directly via the service landing page to check security concerns. 

It’s also a good idea to implement multi-factor authentication into all of your accounts. MFA adds layers of security to accounts and limits access to those with the appropriate information and identifying factors. Consider adding a more advanced MFA solution such as Photolok to your data. Photolok, a new technology from Netlok, allows users to upload and label photos to be used as identifiers; they simply select their photo from a grid to access their account. There is also an option to create a Duress photo, which will allow access for the user in the event of a forced authentication but will also alert the appropriate authorities so that the breach can be addressed quickly and safely. 

Why MFA Is Important to Keeping Your Business Safe

If you are a business looking to implement MFA, consider using a more advanced authentication method such as Photolok IdP. Photolok is a passwordless IdP that is simple, effective, and offers a range of benefits including AI and ML defense, device authorization, and one-time-use authenticators. With Photolok, users select images and label them for security use. When accessing a network, application, and/or API, users simply choose their account photos in several photo panels, and they are given access. Users can also label a photo as Duress, which acts as a silent alarm.  The Duress option allows the user access but notifies IT administrators that the user’s account is compromised and they need to execute the company’s security procedure quickly to protect the company and the user’s safety.

Read More: Phishing Attacks Surge By 173% In Q3, 2023

Read More: The Need for a Paradigm Change to Mitigate Password Vulnerability From Artificial Intelligence

Read More: Fortify Security: Investing in Advanced Authentication Solutions

With the Biden Administration announcing new guidelines for AI safety – including requiring innovators to share critical information with the federal government – it is clear that cybersecurity stakeholders must also defend against the serious threat AI poses to online security, privacy, and data protection.

Fortunately, Photolok IdP is available today and has been tested and found to protect against AI attacks. Photolok, a passwordless IdP, employs photos in place of passwords and uses OAuth for authentication and Open ID Connect for integration. To understand Photolok and how it protects against AI attacks, it is important to understand how AI/ML tools and techniques have made it easier for hackers to get around current password security methods.

AI/ML tools are enabling hackers to scrape the internet for personal data and find passwords.  When combined with social engineering, AI technics can decipher passwords far more quickly than earlier systems. The reality is that AI password crackers can breach most passwords in seconds and more difficult ones in minutes. For example, hackers can attempt millions of possible passwords each minute using AI-driven brute-force attacks that enable hackers to take advantage of password complexity flaws. While longer passwords and phrases make it more challenging, as computational capabilities of AL and ML continue to evolve, those solutions will experience a significant reduction in efficacy.

AI technologies are also negating the cybersecurity value of two-factor authentication. For example, the common use of CAPTCHAs, known as Completely Automated Public Turing test to tell Computers and Humans Apart, are becoming obsolete. AI bots have become so adept at mimicking the human brain and vision that CAPTCHAs are no longer a barrier.

Making CAPTCHAs more complex is not the answer. Cengiz Acartürk, a cognition and computer scientist at Jagiellonian University in Kraków, Poland, says that there’s a problem with designing better CAPTCHAs because they have a built-in ceiling. “If it’s too difficult, people give up,” Acartürk says. Whether CAPTCHA puzzles are worth adding to a website may ultimately depend on whether the next step is so important to a user’s experience that a tough puzzle won’t turn away visitors while providing an appropriate level of security. AI bots are better than humans at solving CAPTCHA puzzles (qz.com)

Another way AI undermines passwords is via the use of keylogging. The use of AI can enable keyloggers to keep track of your keystrokes in order to retrieve your passwords. According to a University of Surrey study, artificial intelligence can be trained to recognize the key that is being pressed more than 90% of the time simply by listening to it.  Using an Apple MAC Pro, the group recorded the sound of 25 distinct finger and pressure combinations being used to press each key on the laptop. The noises were captured during a conversation on a smartphone and during a Zoom meeting. A machine learning system was then trained to recognize the sound of each key using some of the data that had been provided to it. The algorithm was able to accurately identify which keys were being pressed 95% of the time for the call recording and 93% of the time for the Zoom recording when it was evaluated using the remaining data. What secrets can AI pick up on by eavesdropping on your typing? (govtech.com)

To combat these attack vectors, Photolok randomizes photos to mediate AI/ML attacks so that AL/ML tools cannot identify and/or learn any patterns, which prevents AI/ML breaches. Photolok uses steganographic photos (random codes hidden in the photo) to hide the attack points from nefarious hackers, while randomly placing the user’s photo on each photo panels to prevent keylogging and other security attack methods. Photolok also blocks horizontal penetrations and defends against external threats, such as ransomware, phishing, shoulder surfing, and man-in-the-middle assaults.

• Photolok Home
• How It Works
• About Us
• Blog
• Contact Support
• Contact Sales & Marketing

Member – Insider GovTech

FOLLOW US ON SOCIAL MEDIA

Linkedin-in Youtube Facebook-f

©2015-2025 Netlok. All rights reserved.

Privacy Policy

Terms of Service