Are US Data Brokers Able to Protect the Personal Information They Deal In?
Incogni’s researchers analyzed 506 registered, US-based data brokers and found that 23 (4.5%) of these companies have suffered data breaches. They examined the distribution of these breaches by state and over time, adding unregistered data brokers to the analysis.
- At least 207.6M American records were compromised through the 10 data breaches discussed here, representing nearly half (46.7%) of all records exposed and making the United States the most affected country.
- The US also has the greatest breach density, with 627 exposed records per 1,000 people. Canada, in second place, and the Netherlands, in third place, have half as many, with 301 and 295 leaked records per 1,000 people, respectively.
- There have been at least 10 data broker breaches to date that resulted in at least 1 million user records being leaked, exposing a total of 444.5M records.
- 2020 saw the most data brokers breached, with a whopping 9 events.
- California has by far the most registered data brokers, with a total of 113, and the most breached data brokers, with a total of 5 (4.4% of its registered brokers).
- Arkansas and South Carolina have the highest percentage of breached data brokers, with each having two registered data brokers and one breach.
There have been a total of 40 events of data brokers suffering data breaches, starting with the Acxiom breach in 2002.
Data brokers are companies that specialize in the collection, processing, and sale or distribution of personal information. They rely mainly on public records to source this data, but may also acquire personal information from other data brokers and even data breaches.
These companies build profiles on everyday Americans that can include full contact and demographic details, court and criminal records, financial information, and even Social Security numbers. The profiles they create often branch out to reach family members, known associates, and business contacts.
With hundreds of data brokers (including people search sites) known to operate in the US alone[1], the average American adult may have dozens of profiles on them without their knowledge, let alone consent. How good are these companies at protecting the data they deal in?
Data broker data breaches by state
The number of data brokers operating in the US might be shockingly high to someone trying to have their personal information removed, but it’s too small to support many statistical conclusions. Still, there are some interesting insights to be gleaned from looking at a state-by-state breakdown.
California has by far the most registered data brokers, with a total of 113. New York comes in second with 82, while Florida takes third with only 41. California’s lead is likely due less to its large population than to the fact that California’s Privacy Protection Act[2] requires data brokers to register in the state if they want to operate there.
Perhaps unsurprisingly, California also had the most breached brokers, with a total of five (4.4% of its registered brokers). New York came in second with three breached data brokers (3.7%), while Washington and New Jersey came in third with two breached data brokers each (11.8% and 10.5% of their total registered brokers, respectively).
Arkansas and South Carolina had the highest proportions of registered data brokers being breached (50% for each), although, with only two brokers registered in each state, these figures may not be representative. Idaho came in third, with one of its three registered data brokers suffering a breach.
These data exclude Experian and Equifax completely since these data brokers have multiple subsidiaries spread across different states, and their breaches could not be attributed to a specific location.
Data breaches over time—are things getting better or worse?
Not all active data brokers appear in the register, though. We found 10 such unregistered data brokers that had also suffered data breaches: Epsilon Data Management, Kroll, CoreLogic, Ancestry.com, Exactis.com, Poshmark, LimeLeads, Oxydata, Checkpeople, and NGP Van. Adding these to the pool of registered data brokers, we have a total of 40 breach events.
Acxiom was the first data broker to be breached, all the way back in 2002. In fact, the company suffered two separate breaches that year. The decade 2000–2010 saw one more breach, that of LexisNexis, in 2005.
There was a period of five years, between 2006 and 2010, when no data brokers were reported to have suffered a breach. Since 2011, however, data broker breaches have been recorded at least once in nearly every year, with 2014 and 2022 being the exceptions.
Things really picked up in 2017, with six companies reported to have been breached that year. Every year since then (not including 2022, for which data may still be coming in) has seen at least three companies being breached, with 2020 seeing a whopping nine breaches.
The year 2020 marked a sharp uptick in cybercrime overall. The first year of the COVID-19 pandemic saw the number of cybercrime victims spike from 467K in 2019 to 792K in 2020, a 69% jump. This represents the greatest year-on-year increase since 2001.[3]
This spike dissipated by 2021, when “only” three data broker data breaches were reported. No data breaches have been reported for 2022, but it may be too early to say, as data breaches are often discovered and/or reported some time after the fact.
Data breaches are not like lightning: they can very much strike in the same place twice, if not multiple times. (In fact, it’s the same with lightning.) For example, T-Mobile experienced a total of five data breaches, suffering one a year, each year between 2018 and 2021, and two in 2020. Acxiom, LexisNexis, and Dun & Bradstreet have also reported more than one data breach each.
It’d be reasonable to assume that data brokers are like honey pots to hackers, given the wealth of personal information they collect. Although around 40% (17) of the breaches were due to unauthorized access to the companies’ systems, nearly one in five (7) were due to the companies’ failure to secure the data, meaning it was publicly exposed for anyone to access.
A closer look at some of the largest data broker breaches
No data breach is small if it includes your data, but there’s no doubt that the number of breached records is a significant metric. We defined a large data broker breach as one in which at least a million records were leaked. There were at least 10 such breaches, each happening between 2012 and 2021. These breaches affected a combined total of 444.5M records.
The 2019 breach of California-based People Data Labs resulted in the greatest number of records being leaked, by a large margin. The 179M leaked People Data Labs records account for 40% of the records leaked in these breaches. The 2018 breach of Apollo.io resulted in 56% fewer leaked records than People Data Labs, although this still means that 79.2M records (17.8% of the total) were leaked. ShareThis came in third with around 41M leaked records.
Two of these data breaches involved unsecured databases, including the Apollo.io breach that left 79.2M records exposed. An unsecured database is one that has been left accessible to the public.
US data broker breaches in context: a country-level analysis
Many US-based data brokers collect data on non-US citizens as well. Americans make up the largest share of those affected (46.7% of all exposed records), but they’re certainly not alone.
Top 5 countries most-affected by the biggest data broker breaches
The US has had over 2.6B records exposed through data breaches since 2004.[4] The 10 largest data broker breaches discussed above account for around 8% of those records. Below are the five countries most affected by these breaches.
It makes sense that none of the other countries even comes close to the number of records compromised in the US—given that this study looks only at US-based data brokers—but each of the remaining top five countries had over 10M records exposed nonetheless. For example, 18.7M Indian records and nearly 17M UK records were exposed.
The People Data Labs breach was the most significant in each of these five countries. This breach exposed a little over a third (35.2%) of breached US records, around two-fifths (42.1%) of the Brazilian records, more than half of the Canadian (54.3%) and UK (56.7%) records, and over two thirds (68.5%) of the Indian records.
The US leads in terms of breach density as well, with 627 leaked US records per 1,000 people. Canada in second and the Netherlands in third had half that, with 301 and 295 leaked records per 1,000 people, respectively. (Countries with a population of less than 1M were excluded from this calculation.)
The biggest People Data Labs breach was the most significant in the Netherlands, Norway, and New Zealand as well, accounting for 69.2%, 42.5%, and 52.9% of these countries’ totals, respectively.
Incogni researchers analyzed 506 data brokers registered in the US to determine how many of these companies had suffered data breaches and what the impact was. We defined a data broker data breach as an event in which individuals’ personal data held by the data broker is leaked without their intent.
We collected proof of data breaches through media publications. We attributed each data broker to the state in which it’s registered in order to analyze registration and breach rates. Experian and Equifax were excluded from this part of the analysis due to these companies having multiple subsidiaries in different states, making it difficult to determine which one of these subsidiaries suffered the breaches.
We also examined US-based companies that are not listed in the data broker registry, but were confirmed to be data brokers and to have suffered data breaches. We included these companies in the year-over-year analysis. In cases where the year of the breach was not known, we attributed the breach to the year in which it was discovered or reported.
Lastly, we examined data broker breaches that resulted in the compromise of at least 1M user records to see which countries were most affected. To gather information on breached records, our partners collected user data from breached databases that appeared online. Only data sets that included email addresses were included. This allowed us to sort through more than 27,000 leaked databases and create approximately 5 billion data combinations. Our researchers then narrowed these combinations down to those relating to registered, US-based data brokers, allowing them to perform a country-level statistical analysis.
Note on data: 62.4M (14%) breached records could not be attributed to a country of origin. This number was included in the total number of exposed records.
Note on analysis: countries with populations below 1M people were excluded from the breach density calculation as they are often outliers in global distribution per population metrics. Excluding countries and territories with populations smaller than 1M people does not significantly impact global statistics as they account for less than 1% of the global population.
1. “Data brokers,” Privacy Rights Clearinghouse, accessed February 10, 2023, https://privacyrights.org/data-brokers.
2. “California Consumer Privacy Act (CCPA),” State of California Department of Justice, Office of the Attorney General, last modified January 20, 2023, https://oag.ca.gov/privacy/ccpa.
3. “Cybercrime statistics,” Research, Surfshark, accessed February 10, 2023, https://surfshark.com/research/data-breach-impact/statistics.
4. “Global data breach stats,” Research, Surfshark, accessed February 10, 2023, https://surfshark.com/research/data-breach-monitoring.
5. “Data Broker Registry,” State of California Department of Justice, Office of the Attorney General, accessed February 10, 2023, https://oag.ca.gov/data-brokers/.
6. “Countries in the world by population (2023),” Worldometers, accessed February 10, 2023, https://www.worldometers.info/world-population/population-by-country/.