Identity Theft Losses Soar to $21 Billion Due to Data Broker Breaches
An investigation led by New Hampshire Democrat Hassan and the Joint Economic Committee (JEC) has revealed significant issues with data brokers, including Comscore, Findem, IQVIA Digital, Telesign, and 6sense Insights, regarding their handling of opt-out tools for consumers. This inquiry followed a report by The Markup and CalMatters, published by WIRED, which discovered that some data brokers were using "no index" instructions to hide opt-out pages from search engines, making it difficult for consumers to protect their personal information.
The investigation highlighted that scammers exploit sensitive data held by these companies, such as dates of birth, addresses, and Social Security numbers, to commit personalized fraud. In response to Hassan's outreach, four of the companies made changes to improve access to opt-out options by removing "no index" codes and enhancing the visibility of privacy tools. However, Findem did not respond to the inquiries and has not removed the "no index" code, raising concerns about its commitment to data privacy.
The report indicates that Findem failed to process 80% of privacy requests due to "insufficient data," according to its mandatory disclosures from 2024. Other companies like IQVIA, 6sense, and Comscore did not immediately comment, while Telesign's press inquiry process was critiqued for requiring consent to marketing communications.
The investigation found that many California-registered data brokers were employing "dark patterns" to obscure opt-out and deletion pages. Comscore, for instance, discovered a "no index" code on its "Data Subject Rights" page, which it has since removed. Telesign attributed its opt-out form's invisibility to a third-party SEO tool and has now enabled indexing. 6sense acknowledged the presence of "no index" code on its "Privacy Policy" page, which it has removed, and is unique in using third-party audits to verify the visibility and processing of opt-out requests.
IQVIA revamped its opt-out page, moving it to a new platform without "no index" code, and pointed to Google's AI Overview as a tool for locating opt-out information, though this method's reliability was questioned by JEC staff.
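A privacy or web team can check its own opt-out and deletion pages for the "no index" instructions described above. The following is an added example, not code from the report or from any company named here. It assumes the instruction appears in one of the two standard forms, a robots meta tag or an X-Robots-Tag response header; the function name and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

# Directives that keep a page out of search results ("none" = noindex, nofollow).
BLOCKING = {"noindex", "none"}
# Crawler names checked in <meta name=...>; "robots" applies to all crawlers.
CRAWLERS = {"robots", "googlebot", "bingbot"}


class _MetaRobots(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if name in CRAWLERS:
            tokens = {t.strip().lower() for t in a.get("content", "").split(",")}
            if tokens & BLOCKING:
                self.hits.append(f"meta[{name}]: {a['content'].strip()}")


def noindex_signals(html, headers=None):
    """Return every noindex signal found in a page body and its response headers."""
    parser = _MetaRobots()
    parser.feed(html)
    hits = list(parser.hits)
    for key, value in (headers or {}).items():
        if key.lower() != "x-robots-tag":
            continue
        # Header form may be "noindex, nofollow" or "googlebot: noindex".
        rules = value.split(":", 1)[-1]
        tokens = {t.strip().lower() for t in rules.split(",")}
        if tokens & BLOCKING:
            hits.append(f"header[X-Robots-Tag]: {value.strip()}")
    return hits


# Constructed sample pages (not taken from any company named in the article).
HIDDEN_PAGE = '<html><head><META NAME="Robots" CONTENT="NOINDEX, nofollow"></head></html>'
VISIBLE_PAGE = '<html><head><meta name="robots" content="index, follow"></head></html>'

if __name__ == "__main__":
    print(noindex_signals(HIDDEN_PAGE))
    print(noindex_signals(VISIBLE_PAGE, {"X-Robots-Tag": "googlebot: noindex"}))
```

Checking the response headers as well as the markup matters when a plugin or SEO tool sets the directive outside the page template, which is the kind of cause Telesign cited.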
The report also attempts to quantify the financial impact of data broker breaches, estimating over $20.9 billion in consumer losses. It focuses on four major breaches in the past decade, including Equifax in 2017 and National Public Data in 2023, affecting millions of US residents. The JEC estimates that over 30% of breach victims experience identity theft, with financial losses impacting 58-69% of these individuals. The median loss is around $200, but settlements like the Equifax case show potential for much higher compensation.
Hassan emphasized the need for data brokers to facilitate consumer protection against scams, noting that public pressure has led to improvements in privacy tools. She highlighted the investigation's role in prompting companies to enhance opt-out options, thereby helping consumers safeguard their information.