Digital Hygiene  ·  Executive Security
· 7 min read

7 Digital Hygiene Blind Spots Every Executive Has

EXIF coordinates in photographs. Dormant email accounts. A LinkedIn endorsement that confirms your undisclosed board seat. The gaps are consistent across profiles — and consistently exploited. Here are the seven we find most frequently.

Why hygiene gaps persist

Most executives who engage us have invested meaningfully in physical security — access control, vetted household staff, professional drivers. The digital posture lags consistently. This is not negligence; it is a knowledge gap. Physical risks are intuitive. Digital exposure is invisible until it is assembled and shown to you.

The seven gaps below appear in over 80 percent of assessments we conduct on European executives. None require sophisticated attack capability to exploit. All are remediable.

01

EXIF Metadata in Published Photographs

Every photograph taken on a smartphone embeds metadata — including GPS coordinates — in the file itself. When that file is uploaded to a website, sent by email or shared on a platform that preserves metadata, the coordinates are retrievable by anyone who downloads the file. A photograph of a meeting room, a home study or a holiday confirms precise location. Most executives have published dozens of such photographs without awareness.

Risk: physical location disclosure
02

Dormant Email Accounts and Legacy Credentials

An executive who has changed employers three times over fifteen years typically has three to five dormant email accounts — university addresses, former corporate addresses, early personal addresses. These accounts were created when password standards were lower. They appear in breach databases. They may share passwords with current accounts. And they are still owned by the executive, who has not logged in for years, meaning account recovery mechanisms are outdated and potentially exploitable.

Risk: credential compromise, account takeover
03

LinkedIn Endorsements Confirming Undisclosed Roles

An executive may carefully omit a board seat from their public profile for strategic or personal reasons. But if a fellow board member has endorsed them for "Board Governance" — or if the organisation itself lists them in a staff directory — the connection is publicly confirmed regardless of what the executive has chosen to disclose. Endorsements and connections on LinkedIn are bidirectional: the other party's visibility settings govern what is public, not yours.

Risk: undisclosed relationship exposure
04

Alumni Directories and Conference Participation Lists

University alumni portals, executive education programme directories and conference speaker or attendee lists are rarely considered as exposure vectors. They are among the most consistent. An alumni directory published in 2011 listing a home city, a graduation year and an employer provides identity anchoring that accelerates every other lookup. Many of these directories are still indexed and accessible.

Risk: identity anchoring, pattern of life
05

Domain Registrations in Personal Name

WHOIS data — the registration records for domain names — has been partially protected by GDPR for EU registrants, but pre-GDPR registrations remain in historical WHOIS databases and in commercial intelligence tools. An executive who registered a personal domain, a family business domain or a side project domain before 2018 may have done so with their home address as the registrant contact. That record persists in archives regardless of subsequent updates.

Risk: home address disclosure
06

Vehicle Registration Lookup Exposure

In several EU member states, partial vehicle registration data is searchable via public or semi-public tools. Combined with a home address already obtained via other means, vehicle information confirms presence, lifestyle and — when cross-referenced with traffic camera data available in some jurisdictions — regular routes. The risk is not primarily the vehicle registration itself but what it adds to an existing profile.

Risk: pattern of life, physical surveillance facilitation
07

Forgotten Public Posts from a Decade Ago

Early social media activity — tweets, forum posts, blog comments — from the period 2005 to 2015 is frequently more candid than anything a mature executive would publish today. It may reference family members by name, confirm addresses or travel patterns, express political or personal views, or contain photographs with the issues already described. The Wayback Machine and Google cache preserve this content even where the original platform has been deleted or the account closed.

Risk: reputational exposure, relationship mapping

None of these seven gaps require an adversary to commit a crime. All are accessible through legal, open-source methods. The consistent finding in our assessments is not that executives are careless — it is that the exposure accumulated over years without any systematic audit. A single review closes most of it permanently.

The remediation priority order

Not every gap is equal. The highest-priority remediation actions are those that close physical access risks first: EXIF metadata removal from all publicly accessible photographs, KvK privacy shield application if applicable, and a full credential audit including breach database checks and dormant account closure.

Legacy content removal — forum posts, old blog entries, archived directories — is lower priority but should be addressed as part of a structured exposure reduction programme. Many of these can be resolved with a combination of direct removal requests to webmasters and Google delisting requests for URLs that are no longer live.

Next step

Find your blind spots before someone else does.

Our exposure assessment identifies every gap across all seven categories — and delivers a prioritised, actionable remediation plan within five working days.

Request intake
← Back to all briefings