The New Kill Chain Starts with a Click

What the Minnesota Attack Reveals About Digital Exposure

The recent targeted killings and attempted assassinations of Minnesota lawmakers weren't just a local tragedy—they were a national warning. Investigators discovered that the attacker utilized data broker services to track down his targets, compiling a personal kill list using only credit cards and publicly available information.

This wasn't a sophisticated cyber breach or insider plot. It was a premeditated act of violence enabled by legal access to personal data—an attack assembled entirely in the open.

Political violence expert at the University of Chicago Dr. Robert Pape, recently wrote in a New York Times guest essay, "We may be on the brink of an extremely violent era in American politics."¹ —For those in the protection, intelligence, and privacy space, that statement doesn't feel speculative. It feels overdue.

The Weaponization of Public Data

Data brokers—also called people-search services—have become normalized in modern life. Need to reconnect with a relative? Want to screen a potential tenant? The language makes them sound like convenience tools for responsible consumers.

But that's not how they're always used.

In the Minnesota case, authorities found a handwritten list of 11 such services in the attacker's car. One was marked with a star. He had done his homework. The kill list was organized, sourced, and acted upon using only data that any other consumer could have accessed.

This is the modern OSINT threat: a lawful service used to enable unlawful action. And it's happening across the board—from political actors to fixated individuals to disgruntled insiders. Data aggregation has outpaced data governance with lethal consequences.

The new kill chain doesn’t start with a weapon—it starts with a search bar.

As investigative journalist Byron Tau writes in his book Means of Control, "In China, the state wants you to know you're being watched. In America, the success lies in the secrecy."² The real surveillance threat is not just government overreach—it's the silent, private-sector tracking systems that operate in the background, unrestricted and largely unnoticed.

"Legitimate" Threats from Legitimate Services

The data broker industry operates in a regulatory vacuum. Most companies are governed by outdated consumer protection laws, with opt-out systems designed to frustrate rather than protect. A user may need to submit identity verification documents, manually request removals, and repeat the process every quarter—to keep their personal data from being resold.

Meanwhile, anyone with a motive and a credit card can access your address, voting history, property records, and even the names of your spouse and children.

And the threats are becoming less ideological and more opportunistic. Pape's research points to a dangerous normalization: "Today's political violence is occurring across the political spectrum — and there is a corresponding rise in public support for it on both the right and the left." ¹

Executives, public officials, general counsel, judges—none of them are being targeted for who they are personally. They're being targeted for what they represent. And the path to reach them is made frictionless by an unregulated data economy.

The Electronic Privacy Information Center (EPIC) recently published a report titled Data Broker Harms to Public Officials, warning that "violence against public officials and their families is on the rise."³ The exposure of home addresses and family affiliations isn't just an abstract privacy concern—it's a vector for violence.

As Politico reported in its coverage of the Minnesota attack, "Boelter used online people-search services to find the home addresses of his intended targets."⁴ This wasn't a flaw in national security infrastructure. It was a consequence of unrestricted access to commercial data.

The Converged Risk Landscape Is Already Here

Security leaders deal with converged risk every day—the collapsing of cyber, physical, and reputational threats into a single operational picture. What used to be viewed as distinct domains are now inseparable from one another.

In this case, the attacker didn't need malware, or a firearm purchased through illicit means. He used public records, rental cars, and a law enforcement disguise. The threat didn't start at the front door - It started online.

This is the reality of modern targeting. Your address, your family members, your routines—these are all accessible to those who know where to look and how to connect the dots. Whether it's a violent actor with political motivations or someone radicalized online, the process begins with digital reconnaissance.

Digital exposure is no longer an abstract risk—it's an accelerant.

What Leaders Must Do Now

Privacy is not just a bullet point conversation—it's a security imperative.

Here are three actions leaders and security teams must take immediately:

• Audit digital exposure

  Know what's publicly visible about you and your organization's key leaders. Data broker listings, social media remnants, and personal identifiers must be accounted for and evaluated as part of threat posture.

• Engage in persistent removal

  Opting out once is not enough. Brokers respider and re-list. Protection requires a rolling removal strategy supported by tools and experts who specialize in adversarial search and data suppression.

• Integrate digital risk into protective intelligence

  Threat actors don't separate the digital from the physical. Your security posture shouldn't, either. Intelligence teams must fuse online footprint analysis into route planning, residential security, and event assessments.

This Isn't About Fear. It's About Friction.

No protective strategy is perfect. But the goal isn't perfection—it's friction.

If we make it harder to identify, locate, and track high-risk individuals, we add resistance to the threat actor's plan. And in protection, resistance buys time. Time for detection, time for intervention, and time to prevent tragedy.

The private sector, like the public one, can no longer afford the luxury of viewing privacy as someone else's problem. Security professionals must own this domain, and leaders must resource it accordingly.

Final Thought

The Minnesota attack wasn't new, in kind. It was new in clarity.

It revealed how openly accessible information can be stitched into a plan for violence. It reinforced what we've been warning for years—that digital visibility is physical vulnerability.

Boards should be asking questions. Security leaders should be briefing on exposure, and executives should assume that they are already discoverable until proven otherwise.

Unfortunately, this won't be the last incident like it. But it can be the one that shifts us from reactive regret to proactive response.

Footnotes

1.Robert A. Pape, "Political Violence Is Rising. This Is What We Can Do to Stop It," New York Times, June 16, 2025.

2.Byron Tau, Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State, Crown, 2024.

3.EPIC (Electronic Privacy Information Center), Data Broker Harms to Public Officials, 2025.

4."Alleged shooter found Minnesota lawmakers' addresses online, court docs say," Politico, June 16, 2025.