Data Broker Breaches Fuel $21 Billion in Identity Theft

A recent congressional report reveals a staggering financial toll from identity theft, directly linking over $21 billion in consumer losses to breaches involving major data broker firms. This finding underscores a critical vulnerability in how personal information is managed and protected in the digital marketplace. The estimate comes from a minority report by Democrats on the Joint Economic Committee, following an investigation spearheaded by Senator Maggie Hassan into the opaque practices of data collection companies.

The inquiry was prompted by investigative journalism that exposed how some brokers were deliberately making it difficult for individuals to control their data. These firms were found to be using technical instructions, known as “no index” codes, to hide their privacy opt-out pages from search engines like Google. This practice effectively buried the tools consumers need to request the removal of their sensitive information, which can include dates of birth, home addresses, and Social Security numbers. Scammers frequently exploit this exact type of personal data to craft highly convincing, personalized fraud schemes targeting unsuspecting victims.

Following outreach from Senator Hassan, several of the contacted companies took corrective action. Firms including Comscore, IQVIA Digital, and Telesign moved to improve access to their opt-out mechanisms. Steps included removing the obstructive code, adding more visible website links, and publishing clearer guidance on how individuals can exercise their privacy rights. These changes represent a positive, though belated, response to regulatory pressure.

However, one company, Findem, stands out for its lack of cooperation. The report notes that Findem did not respond to the senator’s inquiries or to follow-up attempts by committee staff. Furthermore, the company has reportedly not removed the “no index” code from its relevant web page. This failure to respond to lawmakers raises serious concerns about its commitment to data privacy and its responsiveness to consumer opt-out requests. The report cites Findem’s own disclosures, which indicate the company failed to process a startling 80 percent of privacy requests it received, often citing “insufficient data” as the reason.

The original investigation identified dozens of data brokers registered in California employing similar dark patterns to obscure user controls. By hiding these essential pages, companies made it significantly harder for people to shield their information from malicious actors. While some firms attributed the issues to outdated web design or third-party tools, the cumulative effect is a landscape where consumer protection is an afterthought.

For instance, Comscore traced a “no index” tag on its rights page back to 2003, suggesting its presence was an unintentional relic rather than a deliberate obfuscation. Telesign explained that a default setting in a search engine optimization tool prevented its form from appearing in search results, a setting it has since changed. Yet, committee staff critique that even with links added, consumers are often forced to navigate lengthy, complex privacy notices, some exceeding 9,000 words, to find them.

Among the companies examined, 6sense reported taking a more proactive approach by employing third-party audits to verify both the visibility of its opt-out options and its effectiveness in processing the requests it receives. This practice highlights a potential path forward for greater accountability in an industry that profits from personal data but has often resisted transparent oversight. The substantial financial losses detailed in the report provide a stark metric for the human cost of these privacy failures.

(Source: Wired)