The day Mary McMahan first noticed something wrong, she assumed it was an isolated billing error. A line of credit had been opened in the name of her company, Fan Experiences, at a home improvement store in Florida. The amount was unusual. The store was not one she had done business with. Her first call was to the credit department.
That call was the beginning of four years of operational devastation that cost her hundreds of thousands of dollars in fraudulent credit and nearly as much again in legal fees to claw back the identity of her own business.
McMahan runs an event management company out of Winter Park, Florida. She had done nothing operationally wrong. She had filed her business correctly, paid her taxes, maintained clean records. The vulnerability was not inside her operations. It was inside the infrastructure she was legally required to use in order to operate a legitimate business in the first place.
When a business owner files an LLC or corporation in the United States, that filing becomes a public record. Every state's Secretary of State office publishes those records in searchable, machine-readable databases. The information on those filings typically includes the business name, the registered agent address, and in many cases the personal residential address of the owner or officer who signed the documents. Phone numbers, email addresses, and additional contact data are often included depending on the jurisdiction and form type.
What that filing actually creates is a dossier. One that is legal to access, legal to copy, legal to aggregate, and legal to sell.
In 2020, Hold Security, a Milwaukee-based cyber intelligence firm, documented an organized fraud ring operating across Georgia and Florida that had built its entire methodology around those public records. The group's workflow, as reconstructed by investigators who monitored their internal communications, was precise. They identified business officers and owners from Secretary of State websites. They cross-referenced that data with Social Security and Tax ID numbers sourced from dark web markets. Then they built fraudulent identities around those real business profiles.
Scott Russell learned how complete that reconstruction could be when the manager of a virtual office space called him out of nowhere. Someone had rented an office in his name. Someone had used his name, his company's identity, and a fraudulent driver's license to sign a lease. The application listed his home address.
Russell owns Environmental Safety Consultants Inc., a 37-year-old environmental engineering firm in Bradenton, Florida. He had done nothing to hand his home address to criminals. He had simply filed business documents the way the state requires. Those documents were publicly accessible. Someone read them, extracted his information, combined it with additional data from commercial sources, and used the resulting profile to open ten credit accounts at office supply retailers in his name. The total value of goods ordered and delivered to the rented office space was approximately $75,000.
The structural failure in Russell's case was not a lapse in security awareness. It was that the very act of establishing a legitimate legal business entity required him to publish information that became raw material for a financial crime. The state created the exposure. Russell simply complied with the law.
McMahan's situation illustrates how that raw material compounds over time. Her business identity was exploited in two separate campaigns, separated by roughly two years. In the first, fraudsters opened credit lines at multiple retail stores using her company's profile. In the second, they went further. They obtained a driver's license in her name through the Florida Department of Motor Vehicles, modified her company's Dun & Bradstreet business credit account, added fraudulent officers to her company's listing, and altered her business presence on Yelp and Google to match the false identity they were constructing.
The architecture of the attack depended on one thing holding together across all of those separate actions. The original source data, the information McMahan and Russell had published into public records when they incorporated their businesses, remained consistent and accurate enough to serve as a credible foundation for fraud across years. It did. Because neither of them had any mechanism to remove it, modify it, or control who accessed it after the initial filing.
A small business owner who files an LLC in the United States does not choose to publish a public dossier. The state requires it. There is no opt-out. The default position for every legitimately operating business is full exposure from the moment the filing is accepted. Name, address, and officer identity are public by statute.
From that public filing, data brokers harvest the information and package it for commercial sale. The Secretary of State record feeds into aggregated business databases. Those databases feed into credit bureau profiles, business search platforms, and identity verification systems. By the time a small business owner has been operating for twelve months, the initial filing information has propagated into dozens of commercial databases, each a potential access point for the methodology that destroyed McMahan's credit and hijacked Russell's identity.
The Hold Security surveillance and the Krebs on Security investigation that surfaced this case in 2020 confirmed that none of the individual steps in the fraud methodology required a data breach. No system was hacked. No account was compromised. The attackers used public records, dark web supplements for tax and Social Security numbers, and commercially available business databases. The entire attack surface was built from infrastructure that exists to facilitate normal commerce.
Dun & Bradstreet tracked a 258 percent increase in business identity theft in 2020, a number that reflects how systematically organized these operations are, not the behavior of an isolated criminal group acting opportunistically.
What McMahan's case demonstrates most clearly is that remediation is not a single action. It is not an address substitution or a registered agent change after the fact. The original filing creates records that propagate through downstream databases on their own schedule. A business owner who attempts to remove their exposure from that system after the initial filing is working against a structure that was not designed to accommodate removal. Layers of commercial redistribution create copies that survive individual opt-out attempts. The information continues to circulate regardless of what the operator does at the source.
The sequencing problem is real. Addressing exposure at one layer while leaving adjacent layers intact does not reduce it. It relocates it temporarily. Understanding which layers interact, which ones take priority in the propagation chain, and what order of operations produces actual structural isolation versus a cosmetic workaround, that is the architecture problem. It is not one that maps to a standard checklist or a single remediation step.
Source: Krebs on Security, "Business ID Theft Soars Amid COVID Closures," July 8, 2020 (krebsonsecurity.com). Hold Security research cited within that investigation.
Are you handing them a roadmap straight to your personal assets? RuleDraft delivers the definitive resolution to force absolute structural isolation onto your setup right now.
#SmallBusiness #DataPrivacy