Exposure Begins with the Contact List

A contact list reveals who matters, who connects the institution and who an attacker should impersonate first.

The answer

A contact list looks less sensitive than a contract, account statement or medical record. It can be more operationally useful to an adversary. Names, roles, assistants, private numbers, advisers and recurring groups reveal the institution’s trust graph.

A contact list looks less sensitive than a contract, account statement or medical record. It can be more operationally useful to an adversary.

Names, roles, assistants, private numbers, advisers and recurring groups reveal the institution’s trust graph. The list identifies who can create urgency, who handles money, who bridges family and business, and who is likely to obey whom.

Relationships are the attack plan

An attacker does not need every private fact. They need the correct sequence: impersonate the adviser, contact the new assistant, cite the travelling principal and route the request through the person who normally solves problems.

Contact data also reveals isolation. A single person appearing across finance, travel, health and technology is a high-value target.

Value object — The Relationship Exposure Map

- Person and institutional role.

- Sensitive relationships visible from membership and frequency.

- Channels and directories containing the relationship.

- Adversarial use: impersonation, timing, coercion or recovery fraud.

- Minimum audience that genuinely needs the entry.

- Removal and correction owner.

Control exports and synchronisation

Contact data spreads through phone backups, vehicle systems, email clients, messaging apps, event tools and provider databases. Removing an entry from the central directory does not recall those copies.

Separate professional, private and emergency directories where consequence demands it. Restrict exports. Review applications that request full address-book access for a narrow feature.

Do not authenticate from the graph

Knowing the principal’s lawyer, child or recent visitor proves access to relationship intelligence, not identity. Verification must use registered channels and factors unavailable from the directory.

The institution’s contact graph is a map of how trust moves. Protect it like an operating diagram, because that is what it is.

Where this breaks

Most directory reviews count entries and miss the relationship intelligence created by grouping, frequency and role. A clean list can still reveal exactly which person connects private life, assets and recovery.

The operating move

Reduce the graph available to any one application. Separate emergency, professional and personal directories, and give service providers task-specific contacts rather than the whole address book.

Review full-address-book permissions.

Remove obsolete assistants and advisers.

Hide roles that create no public value.

Test whether public facts can reconstruct authority.

The test

Give an independent reviewer the permitted contact data and ask them to design an impersonation. The quality of that attempt measures the exposure.

Sources

  1. Swiss FDPIC: Data securitySwiss FDPIC: Data security

    Primary authority

  2. Swiss NCSC: Social engineeringSwiss NCSC: Social engineering

    Primary authority

  3. NIST: Cybersecurity Framework 2.0NIST: Cybersecurity Framework 2.0

    Primary authority

Ross BelhommePartner, Svperior / Legal

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry