Hidden Opt-Out Pages and Massive Breaches: The $21 Billion Data Broker Problem

When you hear the words “data broker,” it probably doesn’t sound like something that could empty your bank account or wreck your credit for years. But a new congressional report released at the end of February 2026 puts a brutally clear price tag on exactly that: more than $20.9 billion in identity-theft losses tied directly to just four major breaches at companies that traffic in our personal information.

The numbers come from Democrats on the Joint Economic Committee, led by Sen. Maggie Hassan of New Hampshire. Their minority report doesn’t pull punches. It connects the dots between shadowy opt-out practices that make it nearly impossible for ordinary people to scrub their data and the massive hacks that keep feeding criminals fresh batches of names, addresses, Social Security numbers, and more. The result? A low-profile industry that’s quietly costing Americans tens of billions while most of us have never even heard of half the companies involved.

The Investigation That Started It All

Back in August 2025, a joint investigation by WIRED, The Markup, and CalMatters revealed something quietly infuriating. Dozens of data brokers—companies legally required to register in states like California—were deliberately hiding their opt-out pages from Google and other search engines. They slapped “noindex” tags on the very forms that are supposed to let you say “stop selling my data.”

Think about that for a second. You can’t delete what you can’t find. And these companies knew it. The reporters found technical tricks and confusing interfaces—classic “dark patterns”—that kept the deletion links buried or invisible. Sen. Hassan read the story and did what lawmakers sometimes actually do: she sent letters to five of the worst offenders: Comscore, Findem, IQVIA Digital, Telesign, and 6sense Insights.

Four of them eventually cleaned up their act. Comscore admitted an ancient “noindex” tag from a 2003 page had lingered for decades. Telesign blamed a third-party SEO tool. 6sense and IQVIA made changes and even started using third-party audits. But Findem? Radio silence. Not a word back to the senator or her staff. Their own 2024 disclosures show they ignored 80 percent of privacy requests because of “insufficient data.” The report calls that out directly and says it raises “serious, broad questions” about the company’s commitment to privacy.

What Exactly Is a Data Broker?

Most people still don’t realize how many companies quietly buy, sell, and store slices of our lives. Data brokers aren’t the big tech names you see every day. They’re the invisible middlemen. They scrape public records, purchase loyalty program data, track app usage, and compile dossiers that can include everything from your estimated income and marital status to your political leanings, health concerns, and even whether you own a dog.

Some of that information is sold for targeted advertising. Some goes to employers running background checks. Some ends up in the hands of people you’d rather not have it—like scammers crafting hyper-personalized phishing attacks. The Federal Trade Commission has called the industry’s lack of transparency “fundamental.” And because there’s still no comprehensive federal privacy law, the rules vary wildly from state to state.

New Hampshire, where Sen. Hassan serves, actually requires a “clear and conspicuous link” to opt-out pages and bans dark patterns. A handful of other states have similar laws, but enforcement is spotty and the industry keeps evolving faster than regulators can keep up.

The Four Breaches That Cost $20.9 Billion

The most eye-opening part of the JEC report isn’t the opt-out drama—it’s the cold math on what happens when these massive collections of personal data get breached. The committee looked only at incidents where reliable public numbers existed for U.S. residents affected. They settled on four:

  • Equifax – 2017: 147 million Americans. The credit-reporting giant left a known vulnerability unpatched. Hackers walked away with names, SSNs, birth dates, and addresses for nearly half the country. The company eventually paid $575–700 million in settlements, including up to $20,000 per person in some cases for documented losses and time spent fixing the mess.
  • Exactis – 2018: Roughly 230 million consumer records (part of a 340-million-record exposure). A marketing-data firm left an unsecured Elasticsearch database wide open on the internet. No SSNs or credit cards, but hundreds of data points per person—phone numbers, addresses, interests, income brackets. Enough to supercharge spear-phishing and account takeover attempts.
  • National Public Data – 2023: About 270 million Americans (nearly 8 in 10 adults). One of the largest breaches in history. Social Security numbers, full names, decades-old addresses—even information on deceased relatives. The data hit the dark web for free in 2024, and criminals have been feasting on it ever since.
  • TransUnion – 2025: 4.46 million people. This one hit through a third-party vendor application used for consumer support. Names, dates of birth, SSNs, addresses. Core credit files weren’t touched, but the personal identifiers were more than enough for identity thieves.

Here’s how the committee turned those raw exposure numbers into $20.9 billion in consumer losses:

They started with research showing roughly 30 percent of people notified of a major breach end up as identity-theft victims. Then they applied a conservative downward adjustment each year after the breach (because some fraud shows up later). Next they used Bureau of Justice Statistics figures: 58–69 percent of identity-theft victims suffer a direct financial loss. Median loss per victim is about $200, but that’s just the middle—many cases are far worse, especially when you factor in class-action payouts, legal fees, lost wages, and long-term credit damage.

Multiply it all out across the four breaches and you hit more than $20.9 billion in today’s dollars. The report stresses this is almost certainly an undercount. It doesn’t include smaller breaches, indirect costs like higher insurance premiums, or the billions spent by banks and retailers to cover fraudulent transactions.

The Human Stories Behind the Numbers

Statistics are one thing. Real people are another.

Take the Minnesota woman who spoke to investigators after the Equifax breach. Scammers opened credit cards in her name, forged a fake Social Security card, and even tricked the credit bureau into lifting her fraud alert. She spent months—hundreds of hours—on the phone, freezing reports, disputing charges, and trying to get a mortgage approved while her credit looked like a war zone. She described the stress as so severe it contributed to fertility problems. “They didn’t just steal my credit card information,” she said. “They stole my chance to be a mother.”

Or consider retirees targeted in the run-up to the 2025 elections. Scammers used data-broker-sourced names, addresses, and voter information to send fake polling texts and donation requests that looked eerily personal. Some lost thousands before realizing what was happening.

These aren’t rare anecdotes. When criminals have your full profile—SSN, old addresses, phone numbers, relatives’ names—they don’t need to guess. They can build trust fast, and the damage compounds quickly.

Why Hiding Opt-Out Pages Matters So Much

The report keeps coming back to one core point: when companies make it hard to get off their lists, they’re effectively keeping people in the crosshairs longer. Once your data is out there from a breach, the only real defense is to stop it from being resold or re-bundled by other brokers.

But good luck finding the form. Some opt-out pages were buried at the bottom of 9,000-word privacy policies. Others required you to create an account first, or jump through verification hoops that themselves risked exposing more data. And if the page doesn’t show up in Google? Most people will never know it exists.

Sen. Hassan put it plainly: “As international criminal syndicates increasingly use scams to target Americans, data brokers shouldn’t make it harder for people to protect themselves.” The encouraging part? Four out of five companies acted once Congress started asking questions. Public pressure still works—sometimes.

Identity Theft Scams Are Getting Smarter

Identity theft isn’t just about drained bank accounts anymore. It fuels romance scams, government-impersonation calls, tax-refund fraud, and increasingly sophisticated deepfake schemes. Criminal groups buy bulk data sets on the dark web, then layer on publicly available information to create convincing profiles.

The data-broker industry has grown into a multi-billion-dollar shadow economy with surprisingly little oversight. The Consumer Financial Protection Bureau tried to tighten rules under the Fair Credit Reporting Act, but that effort was rolled back in 2025. The FTC has brought some enforcement actions, but without a comprehensive federal privacy law, the patchwork of state rules leaves huge gaps.

Meanwhile, the breaches keep coming. Every new exposure creates fresh inventory for the next round of scams. It’s a vicious cycle, and ordinary Americans are the ones footing the bill—through direct losses, higher fees, and the endless hassle of cleaning up someone else’s mess.

What Can Actually Be Done?

The JEC report doesn’t propose brand-new legislation, but it lays out a clear roadmap for what better looks like:

  • Clear, prominent, easily findable opt-out mechanisms—no more hiding behind “noindex” tags or 9,000-word walls of text.
  • Independent audits of both visibility and fulfillment rates for deletion requests.
  • Stronger security standards for any company holding sensitive personal data at scale.
  • Better notification requirements when breaches occur so people aren’t left guessing.
  • Real penalties for companies that ignore legitimate privacy requests.
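As an added illustration (not code from the report or from any company named above), this Python example shows the kind of visibility check an audit could run against an opt-out page. It flags the “noindex” meta tag the investigation found, and goes one step further by also checking the X-Robots-Tag response header and robots.txt, which can also keep a page out of search results. The function name, sample page, headers, and path are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for noindex + nofollow
CRAWLERS = {"robots", "googlebot", "bingbot"}  # meta names that address crawlers

class _RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if tag == "meta" and name in CRAWLERS:
            for d in a.get("content", "").split(","):
                self.found.append((name, d.strip().lower()))

def indexing_blockers(html, headers, robots_txt, path):
    """Return the reasons the page at `path` is hidden from search engines."""
    reasons = []
    meta = _RobotsMeta()
    meta.feed(html)
    for name, d in meta.found:
        if d in BLOCKING:
            reasons.append(f"meta {name}: {d}")
    for key, value in headers.items():
        if key.lower() == "x-robots-tag":
            # Value may be "noindex, nofollow" or "googlebot: noindex".
            for d in value.lower().replace(":", ",").split(","):
                if d.strip() in BLOCKING:
                    reasons.append(f"header X-Robots-Tag: {d.strip()}")
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch("*", path):
        reasons.append(f"robots.txt disallows {path}")
    return reasons

# Constructed sample: an opt-out page carrying a leftover noindex tag.
SAMPLE_HTML = """<html><head><title>Do Not Sell My Info</title>
<META NAME="Robots" CONTENT="NOINDEX, follow"></head><body>...</body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "googlebot: noindex"}
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /privacy/\n"

if __name__ == "__main__":
    print(indexing_blockers(SAMPLE_HTML, SAMPLE_HEADERS, SAMPLE_ROBOTS, "/privacy/opt-out"))
```

An empty result means none of the three signals is present. It does not show that the page is easy to find from the site itself, which is a separate audit question.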

At the individual level, there are still steps worth taking right now. Freeze your credit with all three major bureaus. Enable two-factor authentication everywhere. Use unique, strong passwords. Monitor your accounts obsessively. And yes—try to opt out of the major data brokers you can find (there are lists maintained by privacy groups). It’s not perfect, but it’s better than doing nothing.

Massive Data Exposure

The $20.9 billion figure is a wake-up call, not the final tally. It only covers four breaches. It doesn’t count the smaller ones, the ongoing fraud, or the psychological toll on millions of families who now have to treat every phone call with suspicion.

Sen. Hassan’s team showed that shining a light can force change—four companies improved their practices within months. But Findem’s stonewalling proves some players still think they can operate in the shadows. Until Congress passes meaningful federal rules, the game will keep favoring the brokers and the criminals who prey on their leaks.

The next time you see a headline about another massive data exposure, remember: this isn’t just bad luck or “sophisticated hackers.” It’s the predictable result of an industry that collects our most sensitive details with minimal accountability and sometimes goes out of its way to make sure we can’t get them back.

Twenty-one billion dollars later, maybe it’s finally time to change that.

Want to read the full Joint Economic Committee report? Download it here (PDF).

This isn’t just a privacy story anymore. It’s a consumer-protection crisis measured in real dollars and real lives. And the bill is still growing.
