Congress Finds 4 Data Breaches Cost Public $20 Billion, Fueling Calls for Action to 'Protect Americans From Scams'
"As international criminal syndicates increasingly use scams to target Americans, data brokers shouldn’t make it harder for people to protect themselves," said the Joint Economic Committee's ranking member.
Just four major data broker breaches in recent years have cost US consumers over $20 billion, according to a Thursday report from a key leader in Congress that argues "additional action is needed to protect Americans from scams."
Sen. Maggie Hassan (D-NH), ranking member of the congressional Joint Economic Committee (JEC), launched a sweeping investigation into financial scams last July. As part of it, she's examined data brokers, which collect and sell individuals' personal information. These companies often operate with limited transparency, her report explains, making it "more difficult for individuals to secure their information online and, ultimately, protect themselves from the growing threat of scams."
"Data brokers, for example, can enable scams by making consumers' personal information available to bad actors, who can then use details like Social Security numbers, home addresses, or banking information to develop customized and convincing scams," the report explains. "In some cases, data brokers have allegedly sold this information directly to scammers; in others, cyber hacks of data brokers have exposed individuals' data to uncontrolled circulation online."
Last August, after Wired reported that some data brokers took steps to hide their opt-out pages, Hassan issued investigative requests to Comscore, Findem, IQVIA Digital, Telesign, and 6Sense Insights. The report states that all of the companies but Findem responded with "actions to make their opt-out options more accessible to consumers and other parties," which "included removing 'no index' code that had blocked opt-out pages from search engine results, adding opt-out links in more prominent locations, and publishing blog content explaining how people can exercise their privacy rights."
"Notably," the report continues, "Findem did not respond to the ranking member's requests or written outreach from committee staff and has not removed the 'no index' code from its opt-out page—raising serious concerns about its responsiveness to opt-out requests and commitment to data privacy."
While recognizing the other companies for their positive responses, Hassan's report also stresses that more must be done. For instance, she requested information about efforts "to audit or assess the visibility of opt-out options or the success rates of opt-out requests," and "only 6sense stated that it contracts with third-party auditors to conduct both of these assessments."
Highlighting the need for further action, Hassan's staff estimated that identity theft stemming from four large data broker breaches—Equifax in 2017, impacting 147 million US residents; Exactis in 2018, impacting 230 million; National Public in 2023, impacting 270 million; and TransUnion in 2025, impacting 4.4 million—cost American consumers $20.9 billion.
"As international criminal syndicates increasingly use scams to target Americans, data brokers shouldn't make it harder for people to protect themselves," Hassan said in a statement. "This report shows the scope of the threat that people face from data broker breaches and underscores the importance of protecting Americans' private data."
She added that "it is encouraging that after we launched our investigation, many companies took steps to improve opt-out options for Americans, which in turn can help more consumers keep their information out of the wrong hands."
As a related webpage from the Electronic Privacy Information Center details: "There is no federal law in the United States that adequately regulates the data broker industry. As a result, private companies invade our private lives, spy on our families, and gather our most intimate facts, on a mass scale, for profit. EPIC supports state and federal legislative efforts that set limits on data brokers’ collection, use, retention, and disclosure of personal data."
In recent years, members of Congress have introduced various legislative proposals aimed at reining in data brokers—including in the Security and Freedom Enhancement (SAFE) Act, introduced on Monday. The bipartisan bill would, among other things, close the so-called "data broker loophole" that, as Sens. Dick Durbin (D-Ill.) and Mike Lee (R-Utah) put it, "intelligence and law enforcement agencies use to buy their way around the Fourth Amendment" to the US Constitution.
There are some limits that have passed, including in Protecting Americans’ Data from Foreign Adversaries Act of 2024. Earlier this month, the Federal Trade Commission sent letters reminding 13 companies of their obligations to comply with the PADFAA, which "prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available personally identifiable sensitive data of a United States individual to any foreign adversary country or any entity that is controlled by a foreign adversary."
However, as Lartease Tiffith, an expert at American and George Mason universities, laid out in an article for Just Security last November, while Congress enacted the PADFAA "with the right goal," the law, as written, "could penalize legitimate US companies for routine global operations while failing to deliver the targeted national security tool Congress intended."
