American consumers are becoming more aware of the dangers inherent in allowing their personal data to be collected, traded and manipulated by Data Brokers and People Search Sites online, largely without oversight. Most have only a vague sense of the peril and of the importance of data privacy. Few possess a clear understanding of how their data is collected and how it is misused, with potentially grave consequences. For its part, American business and other organizations already understand the reputational and financial risks associated with substandard data privacy practices. Yet many of them are equally unclear about how to protect their operations and their customers’ data from being used in criminal pursuits.
What many individuals and organizations fail to realize is the outsized role played by the data brokerage industry (which includes People Search Sites like PeopleSearch and many others) in helping to propagate cyber crime. The threat posed by this nominally legitimate and flourishing industry is not well publicized, and most people are not cognizant of the significant risk the Data Brokerage and People Search Sites industry poses. Regulatory structures are beginning to emerge, but the existing regulatory landscape is scant, a patchwork at best, and wholly inadequate to address the scope of the challenge.
This document will expose the size, scope and practices of the data brokerage industry. It will lay bare the clear and present danger data brokerages pose to everyone. It will also deliver solutions organizations and individuals alike must take to mitigate the risk and avoid the damaging consequences.
Composition, Size & Scope of Today’s Data Brokerage and People Search Site Industry
The simple laws of supply and demand illustrate the burgeoning success of data broker firms. That this industry is growing at a phenomenal rate is testament to the fact that their product is in high demand. Industry watchers suggest there are presently more than four thousand Data Brokerage and People Search Site companies in operation worldwide. Delaware-based custom research firm, Transparency Market Research Inc. estimates that in the United States alone, the data broker marketplace will reach a value of $462 billion by 2031. It is growing at a robust compound annual growth rate of 6.8% between 2022 and 2031!
To understand why this industry is experiencing such rapid growth, one must know more about the dynamics driving demand for these services and products. What does a data broker sell to whom, and why?
What does a data broker sell?
The Data Brokerage industry delivers unstructured, structured and even customized structured data to many industries.
To whom do the data brokers sell?
Many industries are consumers of data, but those most reliant on the data sold by brokers include Banking/Financial Services, Insurance, Retail/eCommerce, Healthcare, IT/Telecom, Media and Government.
It is important to note that data brokers will sell to anyone, not just legitimate organizations. This means bad actors, cyber criminals, terrorist organizations and others, can also purchase these products.
Why do legitimate industries need to purchase data and how do they use it?
There are myriad ways every industry can harness the power of data. How legitimate companies use data is pretty well publicized in business circles. Business media is replete with stories about how companies employ Business Intelligence (BI) and Analytics – looking for patterns and trends in their operational data which, when identified, can be used to make more profitable business decisions.
For example, BI technologies can parse vast volumes of consumer purchases to identify more profitable markets and to highlight shipping routes more prone to traffic and delays. This helps the organization modify its targeted sales and marketing spend as well as its logistics planning. The BI harnesses the data to pinpoint the best markets and then to save time, fuel and money on shipping costs. Not an especially nefarious use of the purchased data.
Another example involves retailers. Retailers buy and crunch data to power predictive analytics. This helps them better manage procurement planning and maintain inventory levels optimized to accommodate seasonal purchasing peaks.
Financial services companies use data analytics to identify lower risk zip codes for advertising or even approval of loans, mortgages and other financial products. The possibilities are limitless.
The legitimate applications for data procured via Data Broker companies are manifold. However, since the industry makes no distinctions regarding to whom they will sell the vast volumes of data they possess, the potential for misuse and abuse of their products is exceedingly high.
One need look no further than the explosion of cyber crimes leveraging brokered data from these companies for evidence of this fact. Incidents of all types of Social Engineering attacks – spear phishing, pretexting, smishing, scareware, ransomware, credential theft and others – are increasing at alarming rates.
Brit Insurance (cyber insurance coverage is itself a rapidly growing industry) estimates that cyber-attacks leveraging social engineering techniques increased by 270% in 2021, and that number continues to rise. It is beyond dispute that there is a real problem for individuals, businesses and other organizations alike, and that it is driven by easily accessed personal data.
Added to the risk associated with the open availability of data for purchase from Data Brokers and People Search Sites is the information security vulnerability of these organizations themselves. How well do any of these companies – with new entrants to the field emerging every year – protect the data they possess?
One privacy and security expert recently reviewed a list of 492 data brokers in the US including some of the top players in the industry. He found 30 cases in which brokers’ databases had been breached and data was stolen by hackers. While the roughly 6% breach rate among the group in this informal study may seem inconsequential, the vast data sets of personally identifiable information (PII) lost when breaches occur can impact hundreds of millions of individuals!
Ripped From the Headlines!
On February 3, 2023 BleepingComputer.com’s Lawrence Abrams reported that the personal data of 20.22 million customers of popular People Search Sites TruthFinder and Instant Checkmate was leaked following a breach wherein an entire database of customer data was stolen. The exposed TruthFinder and Instant Checkmate customer information includes email addresses, hashed passwords, first and last names, and phone numbers.
PeopleConnect warns customers to be vigilant, as it expects targeted phishing attacks are likely to ensue as a result of this breach.
Figure 1 – Screen capture of threat report courtesy of BleepingComputer.com
The simple fact is, Data Brokers and People Search Sites are operating without oversight and are indifferent to the risk their business poses to individuals and their employers. There is no reason to assume these organizations are any less vulnerable to data breaches than any other large industry. However, they are certainly among the most valuable targets for cyber criminals, because they are vast repositories of exactly the kind of data bad actors covet to perpetrate Social Engineering, Doxxing, and other kinds of cyber attacks.
As more American consumers, businesses and organizations awaken to the imminent danger and looming privacy crisis, the question arises: how did we get here? How did this industry quietly gather massive sets of data that represent a ticking time bomb for personal privacy and the financial consequences of cyber crime?
Learn How Data Brokers Acquire Their Product (Your PII)
“If you’re not paying for the product, then YOU are the product!” That salient quote was popularized in the 1990s during the dotcom boom and again more recently by the popular Netflix documentary, “The Social Dilemma”. Some suggest its origin actually dates back to 1973 and a short film about television advertising titled “Television Delivers People”. Wherever the phrase came from, it perfectly summarizes the mechanism by which Data Brokers and People Search Sites obtain their inventory. Here’s how it works.
Since the dawn of the internet, consumers have been attracted by the experience of receiving value without rendering payment. The internet made the notion of “free stuff” a reality. Why buy a newspaper for fifty cents when you can get your news from Yahoo! or MSN for free? Why purchase a roadmap at the bookstore when you can get turn by turn directions free from Mapquest.com or Google Maps? Why spend a thousand dollars on an encyclopedia when you can ask a search engine to answer any conceivable question under the sun?
This dynamic propelled the near complete domination of the internet as entire industries were rapidly transformed by it. Digital file sharing services essentially decimated the entertainment industry by making popular music, film and other media cheap or even free. The ubiquity of the technology practically invited piracy of copyrighted materials. VHS video rental empires like Blockbuster Video and others collapsed, unable to compete with the ease and availability of digital media easily shared on the web – illegally at first before the entertainment industry learned how to monetize the product for the Digital Age.
Although the recording and movie rental industries ultimately adapted, embracing digital media and delivering it via subscription-based streaming services, they still experienced some rather painful creative destruction in the process. It bears noting that after enduring this costly and radical overhaul, these industries too embraced the secret of the new model.
Today, they all offer some “free” form of service to customers, often advertising-based until a consumer agrees to purchase a subscription for ad-free access to the content. But whether the consumer opts for the “free” version or the paid subscription, they are required to share their personal information, and their activities are carefully recorded and tracked.
Consumers have been remarkably willing to hold up their side of the implicit bargain, perhaps not fully grasping the implications of privacy. As the internet grew into the predominant marketplace for all manner of commerce, every industry formerly operating in the brick and mortar world transitioned into the digital space. Entire generations have grown up with this as their reality.
People of Generation X and older recall a time when one had to visit a physical business to do such things as purchase an airline ticket, make a bank deposit, open a credit line, purchase pet food, see a physician, buy a pizza, watch a film, even purchase a car or a home! Today, there is very little one cannot procure from the comfort of their own home or anywhere else using the powerful computer they carry in their pocket!
In the Internet Age, to engage any modern business via the internet, all one has to do is “set up a free account” by entering their personal information. Though only seemingly innocent information like name, address, email, and phone number is required to create an account, every single action one takes – browsing patterns, purchase histories, reviews written – is captured and associated with one’s profile. What foods you eat, the medicines you use, the car you drive, the credit card terms for which you qualify, the groceries you purchase, the news outlets you watch – literally every single action you perform using the internet is recorded. And everyone has agreed to it explicitly in those dense and inscrutable “user agreements” most quickly accept without reading in the process of buying that new winter coat at a favorite retailer’s site or reserving the bowling alley for a 3rd grader’s birthday party.
Research produced by The Clearing House (which operates U.S.-based payments networks that clear and settle more than $2 trillion each day through wire, ACH, check image, and real-time payments), polled more than 4000 consumers of financial technology (Fintech) applications like online banking apps. Their report found 77% of consumers admit they do not read the terms and conditions of the applications they use. As a result, few understand what data is even being collected, how it is stored, and how it is sold or otherwise used. 76% were not aware they agreed their personal data could be sold to external parties for marketing, research and other purposes. 78% were unaware they agreed to allow the financial company to retain and access their personal data even after the app was closed or deleted. The report even revealed that a single data aggregator presently holds more data on US bank account holders than the top two US banks combined!
So, the answer to the question, “How do Data Brokers and People Search Sites like Instant Checkmate acquire their product (the product being YOU and YOUR PII)?” is, “You willingly give it to them!” Particularly if you have no strategy for preventing your data from being captured, sold and resold!
Data Collection Has Become Far More Detailed
Data brokers and People Search Sites operate by gathering personal data on hundreds of millions of Americans. They gather data for free, “scraping” it from publicly available sources on the internet and elsewhere. They also buy large pools of data from private organizations like social media companies, financial institutions, governmental sources and pretty much anywhere on the internet where people agree to allow their data to be captured in exchange for access to products, services, applications, etc.
On average, there are 3000 data points collected for every American from thousands of websites, social platforms, online applications, businesses and other entities. That is far more than the several dozen most consumers imagine. Public sources alone – such as social media sites – capture more than just a person’s name, age, email, location, phone, etc. They also routinely capture and catalog things like education level, gender, job skills and histories, food preferences, music and arts preferences, favorite sports teams, family relationships, children, pets and other household information. Pretty much any information a user shares on social media platforms is logged and appended to their profile.
Other public databases brokers can access to further build the profiles of individuals include court records, criminal records, driver/motor vehicle databases, birth and death certificates, marriage licenses, divorce filings, voter registration, census data, credit card company information and more!
Beyond publicly available data, brokers also compile data from other sources. Here are some examples:
Firmographic Data culled from reviews employees leave on employment and HR sites.
Product Review Data captured from the reviews consumers may leave on commerce sites.
HR and Job Posting Data acquired from the many online job boards and employment sites.
Purchasing Histories captured through grocery store club cards and online shopping at thousands of eCommerce sites.
The methods for collecting these data points have also grown more automated, ensuring no action taken on the web is lost. Each interaction adds value to the data profile the brokerage can offer. The automated collection relies on such tracking strategies as:
Cookies – small data markers injected into the web browser every time a site is visited and used to track a user’s activity and log their whereabouts on the web
Browser Fingerprinting – uses web scripts running in the background to identify the device, browser, location, time zone, language and more of the site visitor. Combined with cross-site cookie tracking, this data allows a user to be tracked across the web even if they’re using incognito mode.
IP address tracking – to track the physical location of site visitors, identify repeat visitors and log their preferences.
Web and email beacons – used in micro-retargeting campaigns; marketers use these to track products a user may click to view but then not purchase, so they can feed targeted advertising relevant to products the user expressed interest in.
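As an added example (not from this white paper and not part of the Privacy Bee product), the following Python script shows how a defender can spot two of the tracking mechanisms listed above in a captured page load: web/email beacons (tiny or hidden images that call out to a third-party host, usually carrying an identifier in the query string) and third-party, long-lived cookies. The sample HTML, the host names and the captured Set-Cookie headers are constructed for illustration; the registrable-domain check is a deliberate simplification (last two DNS labels) where real tooling would consult the Public Suffix List.

```python
"""Added example (not from the original page): flag web beacons and
third-party tracking cookies in a captured page load.

All sample data below is constructed; the host names are placeholders.
"""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

FIRST_PARTY = "shop.example"  # the site the user actually visited (constructed)

# Constructed HTML, as a retailer's order-confirmation page might render it.
SAMPLE_HTML = """
<html><body>
<h1>Order confirmed</h1>
<img src="https://shop.example/static/logo.png" width="200" height="60">
<img src="https://track.adnet-example.net/pixel.gif?uid=9f2c&campaign=winter" width="1" height="1">
<img src="https://mail-metrics-example.com/open?m=abc123" style="display: none">
</body></html>
"""

# Constructed (responding host, Set-Cookie header) pairs captured during the page load.
SAMPLE_RESPONSES = [
    ("shop.example", "session=abc; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "pref=dark; Path=/; Max-Age=604800"),
    ("track.adnet-example.net", "_trk=9f2c; Domain=.adnet-example.net; Path=/; Max-Age=31536000"),
]


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def registrable_domain(host):
    # Simplification: keep the last two labels. Production code should use the
    # Public Suffix List, otherwise domains like "example.co.uk" are mis-grouped.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_third_party(host, first_party=FIRST_PARTY):
    return registrable_domain(host) != registrable_domain(first_party)


def find_beacons(html, first_party=FIRST_PARTY):
    """Return third-party images that look like tracking beacons.

    Heuristics: 1x1 size, hidden via inline style, or an identifier in the query string.
    """
    parser = ImgCollector()
    parser.feed(html)
    beacons = []
    for img in parser.images:
        url = urlparse(img.get("src", ""))
        if not url.netloc or not is_third_party(url.netloc, first_party):
            continue  # first-party assets (logos, product photos) are not beacons
        tiny = img.get("width") == "1" and img.get("height") == "1"
        hidden = "display:none" in img.get("style", "").replace(" ", "")
        params = sorted(parse_qs(url.query))
        if tiny or hidden or params:
            beacons.append({"host": url.netloc, "tiny": tiny, "hidden": hidden, "params": params})
    return beacons


def classify_cookies(responses, first_party=FIRST_PARTY, long_lived_days=30):
    """Label each cookie first/third party and flag long-lived ones (the tracking pattern)."""
    results = []
    for host, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            max_age = int(morsel["max-age"]) if morsel["max-age"] else 0
            results.append({
                "name": name,
                "set_by": host,
                "third_party": is_third_party(host, first_party),
                "persistent": max_age >= long_lived_days * 86400,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            })
    return results


def tracking_summary(html, responses, first_party=FIRST_PARTY):
    """Compact summary a privacy audit would report for one page load."""
    beacons = find_beacons(html, first_party)
    cookies = classify_cookies(responses, first_party)
    trackers = {b["host"] for b in beacons} | {c["set_by"] for c in cookies if c["third_party"]}
    return {
        "beacons": len(beacons),
        "third_party_persistent_cookies": [c["name"] for c in cookies if c["third_party"] and c["persistent"]],
        "tracker_hosts": sorted(trackers),
    }


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_HTML) + classify_cookies(SAMPLE_RESPONSES):
        print(finding)
    print(tracking_summary(SAMPLE_HTML, SAMPLE_RESPONSES))
```

On the constructed input the script reports two beacons (the 1x1 pixel and the hidden “open” image, both on third-party hosts) and one third-party cookie with a one-year lifetime, while the first-party session and preference cookies are left alone. The same two checks can be run over a saved HAR file or a mail client’s HTML body, which is where email beacons are typically found.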
Individually, each of these tiny data points is just a fragment. However, compiled into a profile alongside thousands of other tiny data points, they form a rich mosaic illustrating very detailed aspects of an individual’s life, needs, desires, proclivities, struggles, financials, and more.
It is precisely this detailed composite picture that cyber criminals exploit. A legitimate retailer may use this data to serve you an unsettlingly accurate advertisement for a product you have been planning to purchase for weeks. A criminal may leverage the data to create a phishing email which so resonates with the recipient that they click through without realizing the email and links within are spoofed and designed to collect their login information or other sensitive credentials. This is precisely what criminals set out to achieve when harnessing PII to support Social Engineering attacks against large organizations.
The cost to an individual falling victim to Social Engineering scams and identity theft should not be discounted, and the cost to a large business or non-profit organization is exponentially greater. In either case, it is the availability of an individual’s PII for sale from data brokers and People Search Sites that makes these losses possible.
It is also worth noting, from the standpoint of civil liberties that the ability to purchase such detailed data on any American citizen is also having chilling effects on personal freedom in the US. Immigration authorities and other law enforcement agencies are routinely able to sidestep due process and Constitutional protections against illegal search and seizure by simply buying information that they would be unable to otherwise acquire legally without a warrant or subpoena.
In a post-Roe America where many states have criminalized abortion, other reproductive services and in some cases even miscarriage, women’s personal data about their reproductive health – contraceptive purchases, medical procedures, even online shopping histories that may include neonatal products/services – are all potential evidence to be used against them in criminal cases stemming from the loss – planned or otherwise – of a baby.
So, now that the true scope and insidious nature of the Data Broker industry and the threat to privacy it represents have been revealed, it is natural to ask, “What can be done to combat the pernicious effects of allowing one’s PII/data to circulate, unrestricted, through the wild?”
How to Effectively Protect PII From Being Sold by Brokers
Privacy doesn’t mean “having nothing to hide” as many people suggest when they’re asked whether they take steps to protect their privacy online. Privacy is about having agency and ownership over what information is gathered and shared about you, and how that data is used. It may seem like it is far too late to remove one’s PII from the vast plains of the global internet.
However, in spite of the spotty adoption and questionable enforcement of privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, these nascent regulatory frameworks also provide a blueprint individuals and organizations can use as the basis of self-managed privacy policies.
| One’s Rights Under GDPR | One’s Rights Under CCPA |
|---|---|
| Right to be Informed | Know What Personal Data is Being Collected |
| Right of Access | Know Whether PII is Being Sold/Disclosed and to Whom |
| Right to Rectification | Say ‘No’ to the Sale of PII |
| Right to Erasure/to be Forgotten | Access Their Personal Data |
| Right to Restrict Processing | Request the Deletion of PII Collected |
| Right to Data Portability | Not to be Discriminated Against for Exercising These Rights |
| Right to Object | |
Without the ability to rely on CCPA enforcement outside (or even within) the state of California, each individual may still “do it themselves” when it comes to protecting their privacy. There are other Consumer Protection laws at the federal level which require organizations to reveal what data is being collected and to whom they may be selling or disclosing the collected data.
Similarly, regulations exist that compel organizations to delete such data upon request, to allow consumers to “opt out” of the collection in the first place, and to disallow the sale of their personal information. However, the data broker industry does not make it particularly easy for consumers to do so. They often use confusing or misleading practices designed to make the process unwieldy. They count on fatigue to set in before the consumer completes the task. Further, with so many companies in the $200+ billion industry in operation, it is a daunting task for any individual to address.
It takes time, persistence, and strong organizational methodologies to successfully mitigate/minimize the amount of PII one allows to persist on the internet. Thankfully, it is the same kinds of technology driving the challenge, that also delivers the solution! Web-based applications and online services like Privacy Bee are at the forefront of an emerging industry segment – Online Privacy Protection Solutions – which is stepping into the fray to help individuals and organizations alike emphasize privacy and protect against the worst abuses of the currently unfettered data broker industry.
Privacy Bee assumes the burden of managing the processes involved in removing one’s personal data from unauthorized or unwanted sites – including data brokers, People Search Sites and other online locations where data may have been collected (or may be in the future). Privacy Bee provides a broad platform to address the many facets of online privacy management for both consumers and businesses. With a subscription to Privacy Bee, users gain access to the following components which, working together, help drastically reduce an individual’s exposure to data theft or an entire business’s risk of data breach and cyber crime.
Privacy Threat Monitoring and External Privacy Data Audit
For consumer customers, the Privacy Bee solution performs continuous monitoring to scan the net for any public exposures of the customer’s personal data and reports any exposures so that mitigation steps can be quickly undertaken. For the Business customer, Privacy Bee’s External Privacy Data Audit provides in-depth reporting on external exposures and their cost to a company’s productivity; the financial risk assessment turns those statistics into a conservative estimate of the cost of these external exposures. The platform provides full employee privacy audits, covering how many employees have been exposed, what type of exposures they’ve had, and the source of the exposure. The tool set detects recent critical vulnerabilities and targets where to start cleaning up employee data.
Data Broker Removal
Privacy Bee manages the requests, correspondence and ongoing steps needed to erase customer data from the more than 350 data broker and People Search Sites in the US. This labor-intensive process is handled by the Privacy Bee solution, so users are spared the administrative burden. Privacy Bee boasts the industry’s highest removal success rating.
Marketing List Removal
This service is critical to businesses seeking to minimize unwanted distractions to their workforce derived from spam and targeted marketing. This is also useful in mitigating HR poaching.
Privacy Preference Management
For the consumer, the Privacy Bee platform provides the ability for each user to create their own “whitelist” or “privacy bubble” by cataloging all sites the user visits or has visited, then allowing trusted sites to collect their data while barring untrusted sites from doing so. For the Business customer, this type of selectivity allows all company business machines to be configured with trusted sites and to enforce prohibitions against any user visiting web properties deemed to be a privacy risk for the client company. The Business solution provides graphical visualizer dashboards with risk assessment scoring for every website, so that management can gauge the risk/reward profile of all sites the workforce may visit and interact with.
Vendor Risk Management
Protecting the internal workforce can be defeated if the organization’s business partners are not exercising the same diligence in protecting privacy. If a vendor or other business partner has any access to information systems, then it is imperative that they be covered under the same privacy umbrella. Privacy Bee is fully extensible to provide such coverage to any organization’s external partners and business connections. Read all about Privacy Bee’s Vendor Risk Management strategies in this white paper.
Privacy Trust Badges
With awareness regarding the importance of privacy on the rise, consumers are growing more discerning about which organizations they choose to patronize. Voting with their wallets, consumers will continue to place priority on those businesses and other organizations demonstrating commitment to protecting their online data. With Privacy Bee for Business, organizations can proudly advertise their commitment with the Privacy Trust Badge program which publicizes the utilization of these state of the art privacy protection tools.
There are many more facets of the Privacy Bee solution which, in totality, provide a robust solution for addressing the threat of Data Brokers and People Search Sites to large businesses and other organizations. This solution works 24x7x365 to ensure risk is minimized.