A working catalog of the threat patterns we see in the wild. Updated quarterly. For security and risk teams using this as a reference document during program design, the executive summary is at the top of each entry.
Summary: Public denial decisions are cross-referenced against name-based people-search aggregators, yielding home address, family members, and routine commute pattern. The kill chain in the December 2024 UnitedHealthcare event followed this exact pattern.
Mitigation: Continuous data-broker monitoring + removal for named executives. Family-member coverage. Travel-pattern auditing pre-trip.
Summary: 13D filings produce names. Names are weaponized against activists or targets via coordinated forum activity. Family members are often targeted to pressure the executive.
Mitigation: Real-time monitoring of forums known for organizing campaigns. Pre-emptive family-member coverage when 13D / DEF 14A filings are anticipated.
Summary: Public-figure exposure compounded across breach corpora and social platforms produces a complete personal profile within hours of a triggering event (missed play, controversial statement, off-field incident).
Mitigation: Continuous personal-data exposure monitoring. Same-day takedown coordination during acute exposure windows. Family-member coverage.
Summary: Partner names appear on docket filings; plaintiff or defense communities cross-reference filings against people-search aggregators, producing home and family data. Threats cluster around closing arguments and verdicts.
Mitigation: Case-window-specific monitoring. Coverage extends through 60 days post-verdict where threat patterns persist.
Summary: S-1 filings, roadshow press, podcast appearances, and conference circuits all expose personal data at scale during a 6-12 month window. Most founders enter post-IPO with significantly more public exposure than they had pre-filing.
Mitigation: Pre-filing baseline scan, then quarterly monitoring through the quiet period and post-listing.
Summary: PBM executives making contested formulary decisions face the same threat shape as health-plan CEOs but with less public attention. Threat patterns build over months rather than days.
Mitigation: Continuous monitoring of named formulary-committee members. Anonymous or alias-only public-facing channels for committee work where possible.
Summary: Specialty-pharma hub-service operators (Lash Group, ConnectiveRx, etc.) hold large PII surfaces. Executives running these programs are increasingly named in coverage of denied-access controversies and become harassment targets through that channel.
Mitigation: Standard executive-defense engagement. Add monitoring of patient-advocacy forums where program-specific complaints aggregate.
Want the full library? Send a request from your business email and we’ll send the full PDF with the current quarterly update. The library currently catalogs 32 documented threat patterns across healthcare, finance, legal, tech, sports, and entertainment.