Your CFO’s personal mobile number, home address, and spouse’s name are almost certainly available for purchase right now. The buyer does not need a dark web contact. A people-search site with a card payment page and a published privacy policy will supply most of it, and that package is where a growing share of attacks on Indian enterprises begins.
Security teams generally file executive personal data under someone else’s remit, usually HR’s or the individual’s own. The attack chain ignores that filing decision. Given a verified mobile number and a handful of biographical details, an attacker can attempt a SIM swap with the carrier. A successful swap hands them SMS-based second factors, which hands them the executive’s email, which hands them approval authority over payments, vendor bank detail changes, and access requests. Nothing in that sequence requires touching your network.
The raw material is easier to assemble than most IT leaders expect. Breach-tracking data from VPNpro.com catalogues how routinely large personal datasets end up sitting in misconfigured databases, from airline passenger records through to national-scale population data covering millions of people. What the VPNpro research makes clear is that these records do not get recalled. Once a dataset enters the aggregation ecosystem, an opt-out at one broker does nothing about the copies already held by others, and the profile gets rebuilt from the next available source.
The chain, field by field
No single data point in a broker profile is dangerous on its own. The correlation between fields is what allows an attacker to answer a verification question convincingly.
z
| Data point | Common source | Attack use |
| Personal mobile number | Data broker listing, breach dump, scraped profile | SIM swap request, WhatsApp-based executive impersonation |
| Home address | People-search site, property records | Telecom identity verification, physical pretexting |
| Date of birth | Breach dump, social media | Bank and telecom KYC challenge questions |
| Family member names | Social media, broker aggregation | Emotional pretexting during a vishing call |
| Personal email address | Credential dump | Password reset chaining into corporate accounts |
| Previous employers and tenure | Professional networks, broker profiles | Spear-phishing that references real career history |
| Alternate phone numbers | Broker profiles | Fallback channel when the primary number is locked |
An attacker holding all seven can build a phone call that survives a sceptical listener. The cost of doing so in India has fallen to almost nothing. IT Voice’s coverage of AI-powered cybercrime reports that voice clones and deepfakes can be produced for as little as ₹8, and that close to 72% of Indian organisations were targeted by AI-assisted attacks in the past year, with deepfake impersonation in business email among the most common forms.
Why the exposure runs deeper in the Indian market
Several structural conditions make this worse here than in comparable markets. Mobile numbers function as identity across UPI, banking, and most enterprise MFA deployments, which raises the payoff on a SIM swap well beyond what it would be elsewhere. Director information is a matter of public record through MCA filings, so names, DINs, and registered addresses are available to an attacker without any breach at all. And while the DPDP Act creates real obligations for entities handling personal data, much of the people-search and broker ecosystem sits outside Indian jurisdiction, where enforcement reach is limited.
Seqrite’s research, covered on IT Voice, describes the resulting pattern precisely. Impersonation attacks built on cloned executive profiles and lookalike domains unfold entirely outside the perimeter, on infrastructure the target organisation does not own, which is exactly where firewalls, EDR, and XDR have no visibility. By the time the incident is recognisable internally, the fraud has usually already worked.
A reduction programme worth running
Nobody can delete an executive from the internet, and any vendor promising that is selling something. What is achievable is reducing the surface and breaking the chain at the two or three points where breaking it actually matters.
- Run an exposure assessment against the top twenty people by approval authority rather than by job title. The person who can release a payment matters more than the person with the impressive designation.
- Move those accounts off SMS-based MFA and onto hardware keys or app-based authenticators. This removes the SIM swap payoff regardless of what any broker holds.
- Apply a port-out lock or equivalent protection with the carrier for every number tied to a corporate account.
- Build an out-of-band verification protocol for payment approvals and vendor bank changes, one that does not rely on anyone recognising a voice on a call.
- Repeat the assessment on a schedule, because broker profiles rebuild themselves from public sources within weeks of any removal.
None of this carries a large budget line. The obstacle is ownership. In most Indian enterprises, executive data exposure sits between IT, HR, and the executive assistant’s inbox, which means it belongs to nobody in particular. Assigning it to somebody is the part of this programme that has to happen before any of the rest becomes possible.
