I spent years building intelligence profiles on people for a living. Corporate investigations, financial crime cases, due diligence. The methodology is legal, repeatable, and disturbingly effective. Most of the people I investigated had no idea how much of their life was sitting in publicly accessible databases, waiting to be stitched together by anyone who knew where to look.
This is how investigators actually find people using open source data. Not in theory. In practice, with specific tools, specific costs, and a specific order of operations that builds a complete picture faster than most people would believe possible.
The first five minutes cost nothing
Every investigation starts with the same three searches. Electoral roll, Companies House, and 192.com. These are free or near-free, and they provide the foundation for everything that follows.
The open electoral register is the first stop. Around 19 million UK adults remain on it, and their home addresses are commercially available to anyone willing to pay 20 pounds plus 1.50 pounds per 1,000 entries. I would search the target’s name, confirm their current address, pull previous addresses, and identify household members. That last part matters more than people realise. Household members give you secondary identifiers, family connections, and potential social engineering angles.
Companies House is next for anyone who has ever held a directorship. Full name, service address (often a home address on older filings), month and year of birth, and a list of every company they have been associated with. The exposure most directors never think about is how much historical data remains on the public register even after SR01 suppression.
Then 192.com. 700 million residential and business records. Phone numbers, neighbour data, property ownership, CCJs, insolvency records. A single search returns a frighteningly complete picture of someone’s residential history. Removing yourself from 192.com is one of the first actions I recommend to every client, but most people do not realise their data is there until I show them.
Five minutes in. Three free databases. I already have a current address, previous addresses, household members, company associations, and possibly a phone number.
How the OSINT enrichment chain builds a complete profile
The three-source foundation is where every investigator starts. What separates a competent investigation from a basic lookup is the enrichment chain that follows.
After the initial searches, I would move to breach databases. District 4 and Dehashed are the two I used most frequently. A day pass on Dehashed costs 5.50 pounds. For that, you can search any email address and return every breach it has appeared in, along with associated passwords, usernames, phone numbers, IP addresses, and sometimes physical addresses. District 4 is more powerful still, with free-tier access through Maltego. I have written in detail about what breach data actually reveals, and it goes far beyond leaked passwords.
The real value of breach records is the connections between accounts. One email address gives me a username. That username on whatsmyname.app reveals accounts across 500+ platforms. Those accounts contain location data, photos, family connections, daily routines. The chain builds fast, and the individual has no visibility into the process.
Social media comes next, and the approach is not what most people expect. I am not scrolling through someone’s Instagram feed. I am running their identifiers through OSINT Industries, cross-referencing phone numbers and email addresses against platform registrations, and pulling metadata from public posts. Strava alone has exposed home addresses through activity start and end points. Facebook check-ins reveal weekly patterns. LinkedIn confirms employment and professional connections. Each platform adds a different dimension to the profile.
Search engines are the catch-all. Boolean searches across Google, Bing, and Yandex surface cached pages, forum posts, news mentions, and archived content that the individual may have forgotten exists entirely. Yandex is particularly useful because it indexes content that Google has already delisted under right-to-be-forgotten requests.
Facial recognition is the final layer for high-profile targets. PimEyes indexes roughly 3 billion faces from the open web. Upload a photo and it returns every matching image with the source URL. I have covered how facial recognition sites index your face without consent separately. The opt-out process exists, but images reappear after new web scrapes.
The invisible pipeline most privacy advice ignores
Here is where I disagree with most privacy content on the internet. The electoral roll, 192.com, social media. Those are the visible sources. Easy to understand, easy to write advice about, and relatively straightforward to address. They are also not where the most damaging data lives.
The real danger sits with Experian, Equifax, TransUnion, and the commercial data brokers they feed. LexisNexis and GBG hold verified current address data on most financially active UK adults. They sell access to anyone who passes their onboarding process, which includes thousands of skip tracers, debt collectors, and private investigators across the UK.
A PI on Bark.com pays 100 to 200 pounds for a trace. They query GBG or LexisNexis and return a current home address. Nine times out of ten, the address is accurate and current. I have personally seen this pipeline in action from both sides. I have also secured a suppression from LexisNexis, and it took eight or nine emails with a specific risk-based argument to get it done. No template letter. No automated service. A sustained, informed push.
Most privacy guides are borderline useless because they stop at the visible layer. That is my honest opinion after mapping hundreds of digital footprints. They tell you to opt out of the open electoral register and remove yourself from 192.com. Those are necessary steps. But if LexisNexis and GBG still hold your current address, anyone with 200 pounds and a Bark.com listing can find you tomorrow. The hidden data broker layer that includes LiveRamp, CACI, and the REaD Group profiles approximately 45 million UK consumers, and no automated removal service covers a single one of them.
What your profile looks like from the other side
Having mapped hundreds of digital footprints across different risk profiles, I can tell you the exposure patterns are predictable.
Online influencers and content creators face the most acute risk from motivated individuals with a personal fixation. Someone with basic OSINT skills can typically find a public figure’s home address within hours using only the sources I have described above. Content creators tend to have extensive breach exposure because they register for every new platform, and their social media location data creates patterns that are simple to analyse. The combination of electoral roll data, property listings, and geotagged content creates a direct path to a physical address.
High net worth individuals present differently. Their wealth is visible through Land Registry records (3 pounds per title register, publicly accessible), company structures, charity trusteeships, and lifestyle data. The exposure compounds through family members in ways most security advisors underestimate. A spouse on the open electoral register, children with public social media, a family office with Companies House filings. I have worked cases where the target had excellent personal operational security but their family’s digital footprint was completely open. Reducing your digital footprint starts with understanding which of these profiles applies to you, because the priority actions differ significantly by risk type.
C-suite executives are exposed through yet another set of sources. Companies House director filings are the obvious one. But B2B data brokers like Apollo, Cognism, and ZoomInfo hold work email, direct phone number, and job title data on millions of UK professionals. LinkedIn provides the professional network graph. Combined with breach data and electoral roll records, an executive’s full profile can be assembled in under an hour.
The cost of finding someone in 2026
People consistently underestimate how cheap this is. Here is what an investigator actually spends.
Electoral roll access is 20 pounds for a bulk dataset, or free through 192.com’s basic search. Companies House is completely free. A Dehashed day pass costs 5.50 pounds. PimEyes starts from around 30 pounds per month. A full Maltego licence with the Person of Interest package runs to 5,000 euros per year with 20,000 credits. A trace through a Bark.com PI costs 100 to 200 pounds and queries LexisNexis or GBG directly.
For a one-off investigation using only the cheap tools, the total cost sits under 50 pounds. For someone with professional tooling already in place, the marginal cost of an additional target is close to zero. The barrier to entry for this work is knowledge, not money. That is why understanding the methodology matters more than most people think.
What actually closes these pathways
The data removal process most people attempt covers perhaps 20% of their actual exposure. Opting out of the open electoral register stops future data sales but does not recall data already purchased by brokers. Removing yourself from 192.com does not clear Google’s cached results. Going ex-directory does not unlist you from TrueCaller or Hiya. Each individual action is necessary. Each one is insufficient on its own.
What works is a systematic approach that starts with mapping your full digital footprint before removing anything. You need to know every source that holds your data, understand the relationships between those sources, and sequence your removal requests so that root sources are addressed before downstream aggregators. The pyramid structure of UK data exposure means attacking the roots (CRAs, electoral register, OSIS telephone directory, Companies House) cascades removal through dozens of derivative sites. Work in the wrong order and you are fighting the 90-day re-scrape cycle indefinitely.
Your legal rights under UK GDPR give you the tools to enforce removal. Article 17 covers erasure, Article 21 provides an absolute right to object to direct marketing, and Farley v Paymaster (2025) confirmed that no threshold of seriousness is required for compensation claims. The law is on your side. The challenge is knowing where to direct it.
For anyone whose exposure creates genuine risk, whether that is a stalking concern, a financial crime threat, or a corporate security vulnerability, this is not a weekend project. The methodology I have described in this piece is exactly what gets used against you. Understanding it is the first step toward defending against it.
If you want to understand exactly where your data sits and who can access it, a professional digital footprint assessment maps every source an investigator would check and shows you what needs to close first. Get in touch and I will walk you through what that looks like.
