Data Broker Breaches Fueled Nearly $21 Billion in Identity-Theft Losses

Congressional Democrats on the Joint Economic Committee say they’ve identified more than $20.9 billion in consumer losses tied to identity theft connected to four major breaches involving data broker firms. The estimate was released Friday in a minority report stemming from a months-long inquiry into data broker practices launched by United States senator Maggie Hassan.

Hassan, a New Hampshire Democrat and the JEC’s ranking member, sent investigative requests to five major data brokers—Comscore, Findem, IQVIA Digital, Telesign, and 6Sense Insights—in August after an investigation by The Markup and CalMatters, copublished by WIRED, found some data brokers were hiding opt-out tools from Google and other search engines using “no index” instructions that tell web crawlers not to list the page.

Scammers are shown to use the kind of sensitive data that companies like these hold—including identifiers like dates of birth, addresses, and even Social Security numbers—to target victims with personalized fraud.

Four of the companies took steps after Hassan’s outreach to improve access to opt-out options, including by removing the “no index” code, adding more prominent links, and posting guidance on exercising privacy rights.

Findem, however, did not respond to Hassan or to committee staff follow-up, and staff said the company has not removed the “no index” code from its page. WIRED’s calls to Findem on Thursday went unanswered.

The report says Findem’s “failure to respond” to the lawmakers’ inquiries raises “serious, broad questions about its responsiveness to opt-out requests and commitment to data privacy,” adding that its own mandatory disclosures from 2024 show the company “did not process 80 percent of privacy requests from consumers and other parties,” citing “insufficient data.”

IQVIA, 6sense, and Comscore did not immediately respond to requests for comment. Telesign routes press inquiries through an online form that requires reporters to consent to receiving marketing communications, which was not used for that reason; instead, a company email address that appeared in previously leaked breach data was tried.

The Markup/CalMatters investigation found that dozens of California-registered data brokers were using the “no index” code and other so-called dark patterns that make opt-out and deletion pages harder to find. “In doing so,” the JEC minority report says, “the companies made it more difficult for people to protect their information from scammers.”

Comscore told the committee it reviewed its website after receiving Hassan’s request and found that its “Data Subject Rights” page—which directs users to separate forms for submitting opt-out requests—contained a “no index” code. The company said it traced the code, which it removed, back to an earlier version of the page created in 2003. The report says the company could not determine why it was added, but suggested it was “not intended to prevent consumer access.”

Telesign confirmed that its opt-out form, hosted on a “Privacy Request” page, was not appearing in search results at the time of the Markup/CalMatters reporting; it attributed the issue to a third-party SEO tool that restricts visibility by default, and says it has now enabled indexing and added a footer link to the form.

JEC staff say Telesign’s approach still forces consumers to look beyond its main site and, even where links exist, they’re often buried on pages users wouldn’t reasonably think to check—including privacy notice pages exceeding 9,000 words.

6sense disputed that its main “Privacy Center” was hidden, but acknowledged that its “Privacy Policy” page—which links to opt-out tools—previously carried “no index” code, adding that it removed the code after the Markup/CalMatters report. 6sense was the only company to report using third-party audits to assess both the visibility of opt-out options and whether the requests are being successfully processed, the report says.