Digital Safety

The Industry That Knows Everything About You and Answers to Almost No One

May 14, 2026
QUICK SUMMARY

Data brokers have spent decades building the infrastructure of modern fraud. Washington has spent that same time looking the other way.

Digital Safety Series | Post 2A of 5: Digital Safety for the Modern Professional

Post 1 of this series made the case that digital safety is a life skill — something individuals can build, practice, and improve. That argument is still true. This post complicates it in a necessary way. Because it turns out that some of the most significant threats to your digital safety have nothing to do with your behavior. They are baked into an industry that has been collecting, packaging, and selling your personal information for decades, largely without your knowledge, and almost entirely without federal accountability.

Understanding that industry does not make individual action less important. It makes it more urgent, and it changes what action needs to look like.

There is a company called National Public Data that you have almost certainly never heard of. It held your Social Security number. Your date of birth. Your current and previous addresses. Possibly your relatives’ information too, scraped from public records and commercial databases and stitched together into a profile it sold to anyone willing to pay.

In December 2023, it was hacked. The breach was not publicly disclosed until August 2024, nearly eight months later. When the story finally surfaced, National Public Data filed for bankruptcy two months after that. The data, by then, had been circulating on criminal forums for the better part of a year.

Most of the 270 million people whose information was exposed had no idea the company existed. They had no account with it, no relationship with it, and no mechanism to remove their data before the breach. They were, in the bluntest sense, collateral in an industry they had never consented to join.

A $20 Billion Problem With No Federal Law to Match It

In February 2026, Senator Maggie Hassan released the results of a year-long investigation into the data broker industry. The committee had set out to answer two questions: were these companies hiding their opt-out mechanisms from consumers, and what had their security failures actually cost Americans?

The answer to the second question was staggering.

Identity theft stemming from just four major data broker breaches cost U.S. consumers an estimated $20.9 billion. (JEC Senate Minority Report, February 2026)

Four breaches. Four companies, all registered data brokers: Equifax in 2017, which exposed 147 million Americans; Exactis in 2018, which hit 230 million; National Public Data in 2023, which reached an estimated 270 million; and TransUnion in 2025, which affected 4.4 million. In each case, the people whose data was exposed had no prior relationship with the company holding it. Their information had been collected without their knowledge and held without their consent, and no comprehensive federal law required otherwise.

There is no federal data broker privacy statute. There has never been one. About 20 states have passed some version of data privacy legislation. The patchwork does not come close to matching the scale of the industry it is meant to govern.

The FBI’s 2024 Internet Crime Report, released the following spring, recorded $16.6 billion in cybercrime losses reported to the agency — a 33 percent increase over 2023 and the highest total the bureau has ever recorded. Business Email Compromise alone accounted for $2.77 billion of that. These are reported figures. The actual losses are higher.

What They Collect, and What That Enables

The Federal Trade Commission defines data brokers as companies that collect and sell personal information to third parties without direct relationships with the people whose data they hold. The sourcing is everything that touches a digital system: public records, commercial transactions, website behavior, voter rolls, fitness apps, loyalty programs, social media.

Roughly 4,000 of these companies operate in the United States, according to Privacy Rights Clearinghouse. The information they sell includes Social Security numbers, income estimates, inferred health concerns, political leanings, and precise location patterns from mobile devices. Most of what they do is legal. That is precisely the problem.

The connection to fraud is not theoretical.

In 2021, the Department of Justice announced that several data brokers had agreed to pay nearly $200 million to resolve charges that they had knowingly sold consumer data to scammers targeting elderly Americans. Testimony submitted to the House Committee on Energy and Commerce put it directly: bad actors do not need to hack American databases when so much information can be legally purchased from data brokers that appear to do very little customer vetting.

When brokers are breached rather than complicit, the pipeline runs the same direction. The data circulates, gets purchased, gets cross-referenced, and resurfaces months or years later in targeted fraud campaigns.

What It Looks Like When It Lands on a Person

After the Equifax breach, a Minnesota woman discovered that criminals had opened fraudulent accounts in her name, forged a Social Security card using her stolen number, and convinced a credit bureau to lift a freeze she had placed on her own account. It took years to untangle.

Another woman, whose Social Security number was exposed in a separate data broker breach, described the aftermath to investigators: fraudulent bank accounts, bad checks written in her name, her credit report corrupted with false addresses and a designation as a known associate of the criminals using her identity. She could not qualify for a mortgage. She attributed stress-related fertility complications to the years of fighting to reclaim her financial life. She told investigators the breach had cost her not just her credit but her chance to become a mother.

These are not outliers. A 2016 Javelin Research study found that roughly a third of people notified of a data breach experienced fraud that same year. When a single breach exposes 270 million Americans, a third means 90 million people.

“This is the uncomfortable truth: we have built an economy where data is both an asset and an attack surface.”

“Data brokers should not make it harder for people to protect themselves.” — Senator Maggie Hassan, JEC, February 2026

Coming in Post 2B

The breach problem is only part of the picture. The other part is what the industry does when it is not being hacked: how it obscures the mechanisms meant to give Americans some control over their own data, and why decades of voluntary compliance and patchwork state law have failed to change the fundamentals.

Post 2B takes up the governance failure, the opt-out illusion, and what practitioners and security leaders can actually do about both. The short answer: more than you might think, and less than the problem requires.



About This Series: Digital Safety for the Modern Professional is a five-part content series from The Cyber Guild, a community dedicated to cybersecurity leadership, cross-sector collaboration, and building an inclusive workforce prepared for the challenges ahead. Follow SaferShift for more insights on Digital Safety from Tiziana Barrow.

Key Sources: JEC Senate Minority Report, February 27, 2026. FBI IC3 2024 Internet Crime Report, April 2025. FTC Data Brokers Report, May 2014. CFPB Protecting Americans from Harmful Data Broker Practices, December 2024. Privacy Rights Clearinghouse, 2024.

ABOUT THE AUTHOR
Tiziana Barrow

Tiziana Barrow is the founder of SaferShift and a 30-year cybersecurity veteran who believes the biggest gap in digital safety isn't technology. It's narrative. She writes about turning human risk from a compliance checkbox into a cultural habit.