The Invisible Industry
There is a multi-billion dollar industry built around collecting, analyzing, and selling your personal information, and most people have never heard of the companies involved. Data brokers operate largely out of public view, aggregating data from hundreds of sources to build detailed profiles on virtually every adult in the United States and beyond.
These profiles are then sold to marketers, insurance companies, employers, landlords, law enforcement, and sometimes to criminals who use them to fuel identity theft and social engineering attacks.
What Data Brokers Collect
The depth of information data brokers maintain is staggering:
- Identity data: Full name, date of birth, Social Security number, current and past addresses, phone numbers, email addresses
- Financial data: Estimated income, credit score ranges, mortgage details, bankruptcy records, property ownership
- Behavioral data: Purchase history, online browsing habits, app usage, loyalty program activity
- Social data: Marital status, political affiliation, religious affiliation, household composition, social media activity
- Health-related data: Prescription purchases, health conditions inferred from purchases, insurance claims
- Location data: GPS history from mobile apps, frequently visited locations, travel patterns
A single data broker may hold thousands of data points on an individual person.
Where They Get Your Data
Data brokers pull from an enormous range of sources:
- Public records: Voter registration, property records, court filings, birth and marriage certificates, business registrations
- Commercial sources: Loyalty card programs, warranty registrations, sweepstakes entries, retail transaction records
- Online activity: Website cookies, browser fingerprints, social media profiles, app permissions that share location and contacts
- Other data brokers: Brokers buy from and sell to each other, creating a web of shared data that is nearly impossible to fully trace
- Data breaches: Some less scrupulous aggregators incorporate data from breaches, blending leaked information with legitimately sourced records
The Major Data Brokers
While hundreds of data brokers exist, several dominate the industry:
- Acxiom maintains data on approximately 2.5 billion consumers worldwide
- Experian, Equifax, and TransUnion are best known as credit bureaus but also operate extensive data brokerage divisions
- Oracle Data Cloud aggregates billions of consumer data points for advertising targeting
- LexisNexis compiles detailed profiles used by law enforcement, insurance companies, and employers
- People-search sites like Spokeo, BeenVerified, WhitePages, and Intelius make personal information searchable by anyone willing to pay a small fee
Why This Matters for Security
Data brokers create a direct pipeline for attackers. The personal details sold by these companies are exactly what criminals need to:
- Answer security questions on your accounts (mother's maiden name, first car, high school)
- Craft convincing phishing emails personalized with details about your life
- Execute SIM swap attacks using your personal information to impersonate you to your carrier
- Commit identity theft by combining purchased data with credentials from data breaches
- Socially engineer customer support agents at your bank or service providers
How to Limit Your Exposure
Completely removing yourself from data broker databases is nearly impossible, but you can significantly reduce your footprint:
Opt out manually. Most data brokers are legally required to honor opt-out requests. Visit each broker's website and submit removal requests. Priority targets include Spokeo, BeenVerified, WhitePages, Intelius, Acxiom, and Oracle.
Use a data removal service. Services like DeleteMe, Kanary, or Privacy Duck automate the process of submitting opt-out requests across dozens of brokers and re-check periodically since brokers often re-add your data.
Limit data sharing going forward:
- Read privacy policies before signing up for services
- Avoid loyalty programs that track purchases
- Use a secondary email for commercial signups
- Deny unnecessary app permissions, especially location and contacts
- Opt out of data sharing in account settings for services you use
Freeze your credit. Contact Equifax, Experian, and TransUnion to place a credit freeze, preventing new accounts from being opened in your name.
Monitor for breaches. When your data appears in a breach, it accelerates the cycle of collection and resale.
The Regulatory Landscape
Privacy regulations are slowly catching up. The GDPR in Europe gives individuals the right to demand data deletion. California's CCPA and CPRA provide similar rights for California residents. Several other states have passed or are considering comparable legislation. However, enforcement remains inconsistent, and the United States still lacks a comprehensive federal privacy law.
Check LeakedSource to see what personal data of yours is already circulating from breaches, because data brokers and cybercriminals often draw from the same pool of exposed information.