Executive Summary

This case study documents OSINT investigation techniques applied to a professional data aggregation service that published personal information without prior consent. The investigation demonstrates methodologies for corporate structure research, technical infrastructure analysis, and effective privacy rights enforcement under GDPR. The target company responded within 24 hours and completed data deletion, confirming functional compliance procedures.

  • Duration: 2025-12-21 to 2025-12-24
  • Outcome: Successful data removal
  • Response Time: <24 hours
  • Jurisdiction: EU (Poland-based entity)

Initial Discovery

Discovery Method: Search engine alert for personal name

Data Accuracy Assessment

The published profile contained mixed-accuracy information:

  • Phone number: Incorrect
  • Email address: Possibly correct (character count matched known format)
  • Social media platforms: Included platforms never used by subject
  • Date of birth: Not publicly displayed
  • Work experience: Detailed FAQ-style presentation

Data Source Hypothesis: LinkedIn scraping, timing correlated with account security incident.

Assessment: Data quality issues suggest automated aggregation with limited verification processes.

Corporate Intelligence Gathering

Executive Leadership Structure

Through analysis of legally mandated public disclosures, the corporate structure was identified:

  • Managing Director: [Redacted - Polish national]
  • Chief Executive Officer: [Redacted - Ukrainian national, 100% shareholder]

Company Size: 23 employees (per public records)

Note: Executive details are redacted to focus on methodology rather than individuals. The investigation successfully identified leadership through standard business registry research techniques.

Corporate Registration

  • Legal Entity: [Company Name] LLC
  • Jurisdiction: Poland
  • Registration Number: KRS[Redacted]
  • EUID: PLKRS.[Redacted]
  • Registered Address: Warsaw, Poland
  • 2023 Revenue: ~964,000 PLN
  • Data Source: European business registry databases

Operational Observation

Company executives and employees do not appear in their own searchable database, despite the platform offering comprehensive professional searches. This demonstrates awareness of privacy protection mechanisms and their selective application.

Domain & Technical Infrastructure Analysis

WHOIS Investigation

  • Domain: [target-domain].com
  • Registry ID: [Redacted]_DOMAIN_COM-VRSN
  • Registration Date: 2013-08-20
  • Expiration Date: 2031-08-20
  • Last Updated: 2025-11-25

Registrar Information:

  • Registrar: Key-Systems GmbH
  • IANA ID: 269
  • Abuse Contact: abusereport@key-systems.net
  • Abuse Phone: +49.68949396850

Privacy Protection Configuration

Privacy Service: whoisproxy.com (active)

All registrant contacts (administrative, technical, billing) are routed through a privacy proxy:

  • Proxy Location: Alexandria, VA, United States
  • Proxy Phone: International format (country code outside EU)

DNS Infrastructure

Primary Nameservers (Company-Controlled):

  • ns1.[target-domain].com
  • ns2.[target-domain].com
  • ns3.[target-domain].com
  • ns4.[target-domain].com

Secondary Nameservers (Third-Party):

  • ns1.srvdo.net
  • ns2.srvdo.net

Domain Security:

  • Transfer Status: clientTransferProhibited (secured against unauthorized transfers)
  • DNSSEC: Not implemented

Infrastructure Assessment: Hybrid hosting configuration using both proprietary and third-party DNS infrastructure. Domain transfer protections are active, which is standard for commercial operations.
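
The WHOIS and DNS fields recorded in this section can be extracted from a raw WHOIS response with a short script. This is an added example, not part of the original investigation: the record below is constructed (placeholder domain example.com, made-up proxy contact address), and the function names and proxy keyword list are assumptions.

```python
# Constructed WHOIS response; example.com stands in for the redacted domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Key-Systems GmbH
Registrar IANA ID: 269
Registrar Abuse Contact Email: abusereport@key-systems.net
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: c/o whoisproxy.com
Registrant Email: proxy-contact@whoisproxy.com
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
Name Server: NS1.SRVDO.NET
Name Server: NS2.SRVDO.NET
DNSSEC: unsigned
"""

# Assumed keyword list for spotting proxy/privacy registrant values.
PROXY_HINTS = ("whoisproxy", "privacy", "redacted", "proxy")

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys such as Name Server repeat)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on first colon only, so URLs survive
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def summarize(record):
    """Reduce a parsed record to the findings documented in this section."""
    domain = record["domain name"][0].lower()
    nameservers = [ns.lower().rstrip(".") for ns in record.get("name server", [])]
    in_zone = [ns for ns in nameservers if ns.endswith("." + domain)]
    registrant = " ".join(
        v for k, vs in record.items() if k.startswith("registrant") for v in vs).lower()
    statuses = [s.split()[0] for s in record.get("domain status", [])]
    return {
        "registrar": record.get("registrar", [None])[0],
        "abuse_email": record.get("registrar abuse contact email", [None])[0],
        "privacy_proxy": any(hint in registrant for hint in PROXY_HINTS),
        "transfer_locked": "clientTransferProhibited" in statuses,
        "dnssec_signed": record.get("dnssec", ["unsigned"])[0].lower() != "unsigned",
        "in_zone_ns": in_zone,  # nameservers under the domain itself
        "third_party_ns": [ns for ns in nameservers if ns not in in_zone],
    }

if __name__ == "__main__":
    for field, value in summarize(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{field}: {value}")
```
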

Privacy Rights Enforcement Process

GDPR Article 17 - Right to Erasure

Required Information for Opt-Out:

  • Full name (mandatory)
  • Email address (mandatory)
  • ZIP code (mandatory)

Submission Method:

  1. Web form submission via official email address
  2. Direct email to company support address

Response & Resolution

  • Initial Contact: Email to support@[target-domain].com
  • Response Time: <24 hours
  • Action Taken: Complete data removal from database
  • Confirmation: Email confirmation of deletion received
  • Outcome: Full GDPR compliance demonstrated

Assessment: Company maintains functional privacy compliance procedures with responsive customer service. Despite automated data collection practices, deletion requests are processed promptly and effectively.

Technical Methodology

OSINT Techniques Employed

Corporate Registry Research

  • Searched Polish business registration databases (KRS system)
  • Cross-referenced European business information platforms
  • Identified ownership structure and financial disclosures

WHOIS Analysis

  • Multi-level domain registration investigation
  • Registrar identification and abuse contact documentation
  • Privacy protection service mapping

DNS Enumeration

  • Nameserver identification and relationship mapping
  • Infrastructure provider analysis
  • Redundancy configuration assessment

Public Records Analysis

  • Financial disclosure review
  • Ownership structure verification
  • Business registration timeline establishment

Data Validation

  • Cross-referencing information across multiple sources
  • Accuracy assessment of published profile data
  • Source attribution analysis

Tools & Resources Utilized

  • WHOIS lookup services (whois.verisign-grs.com, whois.rrpproxy.net)
  • Polish business registry (KRS system)
  • European business databases
  • DNS interrogation tools (dig, nslookup)
  • Search engine operators for targeted information gathering

Investigation Workflow

1. Initial Discovery → Profile identified via search alert
2. Data Assessment → Accuracy evaluation of published information
3. Source Attribution → Identification of likely data sources
4. Corporate Research → Business registry and ownership analysis
5. Technical Analysis → Domain and infrastructure mapping
6. Contact Identification → Support channels and abuse contacts
7. GDPR Request → Formal deletion request submission
8. Verification → Confirmation of data removal

Key Findings & Observations

Privacy Practices Analysis

The investigation revealed a sophisticated understanding of privacy protection mechanisms:

  • Selective Application: Company personnel excluded from public database
  • Technical Measures: Domain privacy protection and transfer locks implemented
  • Operational Security: Minimal public disclosure beyond legal requirements
  • Compliance Framework: Functional GDPR deletion processes in place

Data Collection Methods

Evidence suggests:

  • Primary Source: LinkedIn profile scraping
  • Automation: Bulk data collection with limited manual verification
  • Quality Control: Inconsistent accuracy indicating minimal validation
  • Attribution Errors: False positive social media associations

GDPR Compliance Assessment

Positive Indicators:

  • Rapid response to deletion requests (<24 hours)
  • Clear opt-out mechanism provided
  • Complete data removal executed
  • Confirmation communication provided

Areas of Concern:

  • Proactive data collection without consent
  • Requiring personal information to remove personal information
  • Accuracy issues in published profiles

Contact Information for Reference

  • Company Support: support@[target-domain].com
  • Registrar Abuse Contact: abusereport@key-systems.net
  • Registrar Abuse Phone: +49.68949396850

Lessons Learned

OSINT Investigation Principles

  1. Start with Legal Records: Business registries provide authoritative foundation
  2. Cross-Reference Sources: Single sources can be incomplete or inaccurate
  3. Document Infrastructure: Technical details reveal operational patterns
  4. Identify Communication Channels: Direct contact often most effective
  5. Respect Privacy: Demonstrate capability without unnecessary exposure

Privacy Rights Enforcement

  1. Direct Communication Works: Formal requests via official channels yielded immediate results
  2. Document Everything: Maintain timeline and evidence of communications
  3. Know Your Rights: GDPR Article 17 provides clear framework for data deletion
  4. Be Professional: Courteous communication facilitates cooperation
  5. Verify Completion: Request and retain confirmation of actions taken

Responsible Disclosure

This case study demonstrates OSINT capabilities while:

  • Anonymizing individuals where possible
  • Focusing on methodology over specific targets
  • Respecting legitimate privacy protections
  • Documenting compliance with legal frameworks
  • Providing educational value for security professionals

Conclusions

This investigation successfully demonstrates:

  1. Corporate Entity Resolution: Identification of ownership and management structure through public records
  2. Technical Infrastructure Mapping: Complete DNS and domain registration analysis
  3. Cross-Jurisdiction Research: Navigation of European business and domain registries
  4. Privacy Rights Enforcement: Effective GDPR Article 17 request resulting in data removal

Key Takeaway: The most effective approach combined technical investigation with straightforward legal process. Formal opt-out requests via official company contact information yielded faster and more reliable results than technical workarounds.

Final Status: Investigation concluded, objectives achieved, data successfully removed, GDPR compliance confirmed.

Appendix: GDPR Article 17 Reference

Right to Erasure ('Right to be Forgotten'):

Data subjects have the right to obtain erasure of personal data when:

  • Personal data are no longer necessary for the purposes collected
  • Data subject withdraws consent
  • Data subject objects to processing
  • Personal data have been unlawfully processed
  • Personal data must be erased for compliance with legal obligation

This case demonstrates successful exercise of these rights within the EU regulatory framework.

This case study is published for educational purposes to demonstrate OSINT investigation methodology and privacy rights enforcement practices. All information was gathered from publicly available sources or through legitimate data subject access requests. Individual names and specific identifying details have been redacted to focus on methodology rather than persons. The investigation was conducted ethically and within legal boundaries.