Data Brokers Fuel Scams: Senate Report On Billions Of Consumer Losses

3 hours ago 29

Senator Maggie Hassan (D-NH) the ranking member of the Senate’s Joint Economic Committee recently issued a startling report on how the actions and inactions of major data brokers has dramatically contributed to scams and identity theft causing an estimated $20.9 billion in losses to American consumers.

While many people may not be familiar with data brokers as an industry, data brokers are very familiar with you. Data brokers collect and sell personal information of consumers, including Social Security numbers, to third parties for a variety of legitimate purposes such as marketing, employment screening, loan applications and identity verification. They gather the personal information from a variety of sources including government and public sources, but also gather data from online search habits including social media and while this information can be useful to banks considering a loan application or an employer considering a job application, it also can be extremely useful to scammers and identity thieves who can use this information to scam their victims and steal their identities through the creation of personalized spear phishing emails, text messages and phone calls that appear legitimate and appeal to the interests of vulnerable targeted victims.

DATA BREACHES

In some instances, this concentrated personal information of millions of Americans has been taken by cybercriminals through data breaches. In 2017 Equifax suffered a data breach affecting 147 million Americans. In 2018 Exactis suffered a data breach affecting 230 million Americans. In 2023 National Public suffered a data breach affecting 270 million Americans and more recently, in 2025 TransUnion suffered a data breach affecting 4.4 million Americans.

The Joint Economic Committee Minority report estimated that identity theft as a result of these four data breaches caused losses to American consumers of $20.9 billion.

As with many data breaches, often these data breaches were due to poor security practices of the companies. In the case of Equifax, the hackers accomplished their data breach by exploiting a vulnerability in Apache Struts, a web application used by Equifax for which a security patch had been issued by the makers of Apache Struts on March 7, 2017, but Equifax failed to install in a timely fashion resulting in the data breach. Equifax settled a class action related to the data breach later in 2017 agreeing to pay $425 million to affected consumers.

DATA BROKERS SELLING PERSONAL INFORMATION TO SCAMMERS

In other instances, scammers don’t even have to go to the effort of hacking a data broker but instead can merely purchase the personal information. In 2021 Epsilon Data Management paid $150 million to settle Department of Justice charges that it sold personal information to scammers who used the data to send deceptive sweepstakes and astrology solicitations for bogus non-existent prizes and services.

Acting Assistant Attorney General Brian Boynton of the Department of Justice’s Civil Division said at the time “By allowing clients engaged in fraudulent schemes to buy data on millions of consumers most susceptible to their schemes, Epsilon employees facilitated those schemes with staggering effect,”

In testimony before the House Committee on Energy and Commerce in 2023, Justin Sherman, Senior Fellow and Research Lead of the Data Brokerage Protect at Duke University’s Sanford School of Public Policy said criminals do not need to “hack many U.S. databases when so much data can be legally purchased from U.S. data brokers, which appear to do very little customer vetting.”

STATE AND FEDERAL OVERSIGHT OF DATA BROKERS

According to Senator Hassan’s Committee Minority report, “In 2019 the Government accountability Office reported that the FTC enforcement actions – including those brought under narrowly-tailored laws – reflect the absence of a ‘comprehensive federal privacy statute with specific internet privacy standards for the private sector’ and stated that much of the data industry is outside consistent federal oversight.”

The Consumer Financial Protection Bureau tried to regulate data brokers with a new rule that would have limited the ability of data brokers to sell sensitive personal information of Americans; however the Trump Administration rescinded this rule in May of 2025.

Fortunately, about half of the states have comprehensive data privacy laws that generally require data brokers to provide people with the right to access, delete or opt-out of the sale of their data. New Hampshire’s law requires that data brokers provide a clear and conspicuous link to their opt-out options to enable individuals to protect themselves by having their personal information removed from data brokers’ databases.

OPT OUT OPTIONS

In 2014, the Federal Trade Commission (FTC) said that opt-out options are “largely invisible and incomplete” thereby making them difficult for consumers to use. In August of 2025 WIRED reported that many data brokers used a “no index” code that directed search engines to exclude webpages from search results that provided opt-out options for consumers to request that data brokers delete or not sell their data.

Senator Hassan sent requests to five companies, Comscore, Findem, IQVIA Digital, Telesign and 6Sense Insights, identified in the WIRED report urging the companies to improve accessibility of their opt-out options. All of these companies with the notable exception of Findem removed “no-index” code and took other actions to make their opt-out options more visible. According to the Committee report, “Findem did not respond to the Ranking Member’s initial request or repeated written follow-up from Committee staff, raising concerns about its responsiveness to opt-out requests and commitment to data privacy.

The problem of data held by data brokers being used by scammers is not going away and further industry and legislative actions are necessary to protect consumers.

Read Entire Article