Congressional Democrats on the Joint Economic Committee (JEC) have unveiled a staggering estimate of over $20.9 billion in consumer losses due to identity theft linked to four major breaches involving data broker firms. This figure was disclosed in a minority report, a culmination of an extensive investigation into data broker activities initiated by Senator Maggie Hassan of New Hampshire.
Senator Hassan, the JEC’s ranking member, had issued investigative requests to five prominent data brokers—Comscore, Findem, IQVIA Digital, Telesign, and 6Sense Insights—back in August. This inquiry was prompted by an investigation revealing that some of these data brokers were obscuring opt-out tools from search engines, using “no index” instructions that prevent web crawlers from displaying particular pages. This finding was reported in a joint investigation by The Markup and CalMatters.
The sensitive information held by these firms, including critical identifiers such as birthdates, addresses, and Social Security numbers, has become a target for scammers, enhancing risks posed to consumers through personalized fraud attempts.
In response to the scrutiny following Hassan’s outreach, four out of the five data brokers have taken steps to enhance the visibility of their opt-out options. This includes the removal of “no index” codes, increasing the prominence of opt-out links, and providing clearer guidance for exercising privacy rights. However, Findem did not respond to either the initial inquiries or follow-up communications from the committee, raising concerns regarding its commitment to consumer privacy.
The JEC report notably highlights Findem’s lack of response as an indication of possible deficiencies in addressing opt-out requests, indicating that in 2024, the company did not process 80 percent of privacy requests due to indications of “insufficient data.” While investigators have attempted to contact various companies, responses from IQVIA, 6Sense, and Comscore were not immediately forthcoming, while Telesign’s inquiries were routed through a marketing form, complicating direct communication.
The Markup and CalMatters investigation further revealed that numerous California-registered data brokers employed similar tactics, such as the “no index” code, and other deceptive practices that obscure opt-out and data deletion pages. This has effectively made it more challenging for consumers to safeguard their information from malicious actors.
Comscore reported that it had reviewed its website and discovered a “no index” code on its “Data Subject Rights” page, which directs users to separate forms for opt-out requests. The company traced the code back to an earlier page version from 2003 and indicated uncertainty about its original intent but suggested it was not meant to restrict consumer access.
Telesign acknowledged an issue with its opt-out form visibility during the investigation, attributing it to a third-party SEO tool that limits visibility by default. After the report, Telesign claimed to have enabled indexing and improved visibility by adding links to the form.
In contrast, 6Sense contested the claim that its main “Privacy Center” was hidden, although it confirmed that its “Privacy Policy” page previously included “no index” code, which they have since removed. The report indicates that 6Sense stands out as the only company to have utilized third-party audits to evaluate both the visibility of opt-out options and the processing of such requests.
This series of events emphasizes the vulnerabilities inherent in data handling by these brokers, raising critical questions about their operational transparency and commitments to consumer privacy. As businesses navigate these complexities, they must remain vigilant about data privacy practices and the implications of potential breaches, particularly in light of the tactics and techniques highlighted in the MITRE ATT&CK Matrix, such as initial access and deceptive practices aimed at obscuring consumer rights.