$20.9 Billion in Identity Theft Losses Linked to Data Broker Breaches, Democrats Report

In a bombshell revelation that’s sending shockwaves through the tech and privacy communities, Congressional Democrats on the Joint Economic Committee have uncovered a staggering $20.9 billion in consumer losses directly tied to identity theft incidents connected to breaches at major data broker firms.

The explosive findings, released Friday in a minority report, stem from a months-long investigation launched by United States Senator Maggie Hassan, a New Hampshire Democrat and the JEC’s ranking member. What began as a routine inquiry into data broker practices has now exposed what critics are calling “the dark underbelly of the data economy.”

The Investigation That Uncovered a Privacy Nightmare

The probe was initially sparked by a groundbreaking investigation from The Markup and CalMatters, co-published by WIRED, which revealed that dozens of data brokers were actively hiding their opt-out tools from Google and other search engines. These companies were using “no index” instructions—code that tells web crawlers not to list certain pages—to bury the very mechanisms consumers could use to protect their personal information.

“It’s like building a fire exit and then hiding it behind a wall,” said one privacy advocate familiar with the investigation. “These companies know exactly what they’re doing.”

Senator Hassan sent investigative requests to five major data brokers in August: Comscore, Findem, IQVIA Digital, Telesign, and 6Sense Insights. The results paint a disturbing picture of an industry that has prioritized profit over consumer protection.

The $20.9 Billion Question: How Did We Get Here?

The JEC’s analysis connects the dots between data broker practices and real-world financial harm. Scammers routinely exploit the sensitive data these companies hold—including dates of birth, addresses, and even Social Security numbers—to craft highly personalized fraud schemes that can devastate victims financially.

“Think about it,” said a cybersecurity expert who reviewed the report. “You’re giving criminals a one-stop shop for everything they need to steal someone’s identity. These data brokers are essentially building the toolkit that identity thieves use.”

The $20.9 billion figure represents actual consumer losses documented in cases where stolen data was traced back to breaches at these data broker firms. That’s not just theoretical risk—that’s money drained from bank accounts, fraudulent credit cards opened in victims’ names, and tax returns filed by criminals.

The Companies’ Response: Too Little, Too Late?

In the wake of Senator Hassan’s inquiry, four of the five companies took steps to improve access to opt-out options. They removed the “no index” code, added more prominent links, and posted clearer guidance on exercising privacy rights. But privacy advocates argue these changes came only after being caught red-handed.

“Voluntary compliance after getting caught isn’t a solution—it’s a PR move,” said one digital rights lawyer. “The damage has already been done.”

Findem, however, stands out as the most concerning case. The company not only failed to respond to Hassan or committee staff follow-ups, but the report states it has not removed the “no index” code from its opt-out page. Multiple attempts by WIRED to reach Findem for comment went unanswered.

Findem: The Company That Wouldn’t Talk

The report’s findings on Findem are particularly damning. The company’s “failure to respond” to lawmakers’ inquiries raises “serious, broad questions about its responsiveness to opt-out requests and commitment to data privacy,” according to the JEC minority report.

Even more troubling are the company’s own mandatory disclosures from 2024, which show Findem “did not process 80 percent of privacy requests from consumers and other parties,” citing “insufficient data.” In other words, four out of five people who tried to exercise their legal right to privacy were essentially ignored.

“That’s not a bug—that’s a feature,” said one data privacy researcher. “They’re making it as difficult as possible for people to reclaim their information.”

The Technical Tricks Keeping You in the Dark

The Markup/CalMatters investigation found that dozens of California-registered data brokers were using “no index” code and other so-called dark patterns to make opt-out and deletion pages harder to find. These dark patterns include confusing language, misleading buttons, and navigation structures designed to frustrate users.

“In doing so,” the JEC minority report states, “the companies made it more difficult for people to protect their information from scammers.”

Comscore, for instance, told the committee it discovered its “Data Subject Rights” page contained “no index” code dating back to a 2003 version. The company claims it removed the code and suggests it was “not intended to prevent consumer access,” but the JEC report notes the company couldn’t determine why it was added in the first place.

Telesign’s case reveals another layer of deception. The company confirmed its opt-out form wasn’t appearing in search results at the time of the investigation, attributing the issue to a third-party SEO tool that restricts visibility by default. While Telesign says it has now enabled indexing and added a footer link, JEC staff argue the approach still forces consumers to hunt for privacy protections.

The 9,000-Word Privacy Notice Problem

Perhaps most infuriating is the finding that even where links exist, they’re often buried on pages users wouldn’t reasonably think to check. The report highlights privacy notice pages exceeding 9,000 words—longer than some novels—where crucial opt-out links are hidden in walls of legal text.

“Who’s going to read a 9,000-word document to find a tiny link to protect their privacy?” asked one consumer advocate. “It’s designed to be overwhelming.”

6sense disputed that its main “Privacy Center” was hidden but acknowledged that its “Privacy Policy” page—which links to opt-out tools—previously carried “no index” code. The company removed the code after the Markup/CalMatters report.

6sense was the only company to report using third-party audits to assess both the visibility of opt-out options and whether requests are being successfully processed, suggesting at least some awareness of the problem.

The Bigger Picture: An Industry Built on Opacity

This investigation exposes a fundamental truth about the data broker industry: it thrives on keeping consumers in the dark. By making it difficult or impossible to opt out, these companies ensure they can continue collecting, analyzing, and selling personal information with minimal interference.

The timing is particularly relevant as states across the country implement stronger privacy laws requiring companies to honor opt-out requests. California’s Consumer Privacy Act, Virginia’s Consumer Data Protection Act, and similar laws in other states are creating new rights for consumers—rights that companies like Findem appear determined to ignore.

What Happens Next?

The JEC report stops short of calling for specific legislative action, but the implications are clear. As one congressional staffer put it, “When companies won’t even respond to congressional inquiries about their privacy practices, that’s not just a regulatory problem—that’s a crisis of accountability.”

Privacy advocates are already calling for stronger enforcement mechanisms, including substantial fines for companies that fail to process opt-out requests and criminal penalties for executives who knowingly facilitate identity theft through negligent data practices.

The $20.9 billion in documented losses represents just the tip of the iceberg. Privacy experts estimate that the total economic impact of data broker-enabled identity theft could be several times higher when accounting for cases that go unreported or undetected.

The Bottom Line

This investigation reveals an industry operating in the shadows, profiting from personal data while actively working to prevent consumers from protecting themselves. The $20.9 billion in losses isn’t just a number—it represents real people whose lives have been upended by identity theft, facilitated by companies that treat privacy as an obstacle to be circumvented rather than a right to be respected.

As Senator Hassan’s investigation continues, one thing is clear: the era of data brokers operating with impunity may be coming to an end. But for the millions of Americans whose data is already circulating in these shadowy markets, the damage has already been done.

The question now is whether Congress will act with the urgency this crisis demands—or whether more billions will be lost before meaningful protections are put in place.

Tags: data broker breaches, identity theft losses, congressional investigation, privacy rights, opt-out mechanisms, dark patterns, Findem controversy, consumer data protection, Maggie Hassan, Joint Economic Committee, cybersecurity threats, personal information exposure, data broker accountability, identity fraud, privacy legislation

Viral Phrases: “$20.9 billion identity theft bombshell,” “data brokers hiding in plain sight,” “the privacy nightmare Congress just uncovered,” “companies caught burying your right to privacy,” “Findem’s 80% failure rate exposed,” “9,000-word privacy notices designed to confuse,” “the industry built on keeping you in the dark,” “Congress demands answers from data brokers,” “your personal data as a criminal toolkit,” “the investigation that changed everything”

,