Congressional Report Estimates $20.9 Billion in Consumer Losses from Data Broker Breaches and Identity Theft.

Congressional Democrats on the Joint Economic Committee (JEC) have identified more than $20.9 billion in estimated consumer losses directly tied to identity theft stemming from four significant data breaches involving prominent data broker firms. This substantial estimate was unveiled on Friday in a minority report, the culmination of a months-long inquiry into the opaque practices of data brokers, spearheaded by United States Senator Maggie Hassan.

Senator Hassan, a Democrat representing New Hampshire and the ranking member of the JEC, initiated the investigative requests in August. Her inquiry targeted five major data brokers: Comscore, Findem, IQVIA Digital, Telesign, and 6Sense Insights. The impetus for this congressional scrutiny came after a revealing investigation co-published by WIRED with The Markup and CalMatters. This journalistic exposé brought to light that some data brokers were deliberately obscuring access to their opt-out tools from search engines like Google, employing "no index" instructions that prevent web crawlers from listing these crucial privacy pages.

Data brokers, at their core, are companies that collect, aggregate, and sell personal information, often without direct interaction with the individuals whose data they possess. The types of sensitive data these firms typically hold—including critical identifiers such as dates of birth, home addresses, and even Social Security numbers—are precisely the kind of information that scammers and malicious actors exploit. With access to such detailed personal profiles, fraudsters can craft highly personalized and convincing schemes, significantly increasing their chances of successfully targeting victims for identity theft and financial fraud. The JEC report underscores that by making it harder for individuals to remove their data, these companies inadvertently contribute to an environment where such personalized fraud thrives.

Following Senator Hassan’s outreach, four of the five targeted companies took proactive steps to enhance access to their opt-out mechanisms. These improvements included removing the "no index" code from their privacy pages, integrating more prominent links to their opt-out options on their websites, and providing clearer guidance to consumers on how to exercise their privacy rights. This demonstrated that public and legislative pressure can indeed compel companies to adopt more responsible data handling practices.

However, one company, Findem, notably failed to comply. Findem did not respond to Senator Hassan’s initial inquiry or to subsequent follow-ups from committee staff. Moreover, staff confirmed that Findem has not removed the "no index" code from its privacy page, maintaining the same obstructive practices that initially triggered the investigation. Attempts by WIRED to contact Findem on Thursday also went unanswered, further highlighting the company’s lack of responsiveness.

The JEC minority report sharply criticizes Findem’s "failure to respond" to congressional inquiries, stating that it raises "serious, broad questions about its responsiveness to opt-out requests and commitment to data privacy." The report further revealed that Findem’s own mandatory disclosures from 2024 indicated a startling deficiency: the company "did not process 80 percent of privacy requests from consumers and other parties," citing "insufficient data" as the reason. This statistic paints a troubling picture of a company seemingly unwilling or unable to fulfill fundamental privacy obligations.

In the wake of the report’s release, IQVIA, 6sense, and Comscore did not immediately respond to requests for comment regarding the findings. Telesign routes press inquiries through an online form that controversially requires reporters to consent to receive marketing communications, a condition that was not met by investigators. Instead, an alternative company email address, previously identified in leaked breach data, was utilized for contact.

The initial investigation by The Markup and CalMatters had revealed that dozens of data brokers registered in California were employing the "no index" code and other manipulative design techniques, often referred to as "dark patterns," specifically to make their opt-out and data deletion pages difficult to locate. The JEC minority report explicitly states that "in doing so, the companies made it more difficult for people to protect their information from scammers," directly linking these practices to increased consumer vulnerability.

Delving into the specifics of individual company responses, Comscore informed the committee that it conducted a review of its website after receiving Senator Hassan’s request. This review uncovered that its "Data Subject Rights" page, which guides users to separate forms for submitting opt-out requests, contained a "no index" code. The company stated it traced the code back to an earlier version of the page created in 2003 and subsequently removed it. While Comscore claimed it could not ascertain why the code was initially added, it suggested it was "not intended to prevent consumer access."

Telesign confirmed that its opt-out form, hosted on a dedicated "Privacy Request" page, was indeed not appearing in search results at the time The Markup/CalMatters reporting was published. The company attributed this issue to a third-party SEO tool that, by default, restricts visibility. Telesign stated it has since enabled indexing for the page and added a footer link to the form, ostensibly improving discoverability. However, JEC staff remain critical of Telesign’s approach, arguing that it still compels consumers to search beyond its main site for privacy controls. Even where links exist, they are often buried within extensive documents, such as privacy notice pages exceeding 9,000 words, which users would not reasonably expect to consult for opt-out options.

6sense, another targeted broker, disputed the claim that its main "Privacy Center" was hidden. Nevertheless, the company acknowledged that its "Privacy Policy" page—which contains links to its opt-out tools—had previously carried a "no index" code. 6sense stated it removed this code following the publication of The Markup/CalMatters report. The JEC report highlighted that 6sense was the only company among the five to report using independent third-party audits to assess both the visibility of its opt-out options and the successful processing of privacy requests, suggesting a higher level of commitment to accountability.

IQVIA informed the committee that approximately one month after the investigative reporting surfaced, it replaced its previous "Your Privacy Choices" opt-out page. The company migrated to a new page hosted by a vendor, OneTrust, and confirmed that this new page does not incorporate the "no index" code. Interestingly, IQVIA also suggested that Google’s AI Overview feature could serve as an alternative method for users to locate opt-out information. However, JEC minority staff examined this claim and found that Google’s AI outputs can be inconsistent and are not guaranteed to reliably surface specific privacy pages, casting doubt on its efficacy as a reliable access point.

JEC staff clarified that Senator Hassan’s selection of the five particular companies for investigation was partly influenced by their prior unresponsiveness to WIRED’s requests for comment, indicating a pattern of evasiveness that warranted closer examination.

Beyond the issues of access to privacy tools, the report also made a significant effort to quantify the downstream harm resulting from major data-broker-related breaches, leading to the staggering estimate of over $20.9 billion in nominal consumer losses. JEC staff meticulously analyzed large-scale incidents from the past decade where public reporting explicitly detailed the number of affected US residents. The analysis deliberately excluded major data exposures where such breakdowns were unavailable, such as the 2019 People Data Labs incident, to ensure accuracy in the estimation.

Ultimately, the report focused on four specific incidents from the last decade that met their criteria: the Equifax breach in 2017, Exactis in 2018, National Public Data in 2023, and TransUnion in 2025. The scale of these breaches varied significantly, with the number of affected US residents ranging from 4.4 million in last year’s TransUnion incident to an estimated 270 million in the massive 2023 National Public Data hack.

To arrive at the $20.9 billion figure, the JEC research employed a multi-layered methodology. It estimated that just over 30 percent of victims in major data breaches are likely to experience identity theft, a figure derived from reputable financial services research. Furthermore, the JEC research drew upon estimates from the Bureau of Justice Statistics, which indicate that between 58 and 69 percent of identity-theft victims ultimately experience a financial loss. While the median expected financial loss for these victims is estimated at approximately $200, the report cautions that consumers whose data is exposed in a breach may also pursue compensation through class action lawsuits. Such cases, the report argues, often reveal that identity-theft losses can far exceed the cited median figure. As a prime example, the report points to the 2017 Equifax settlement, where the company agreed to pay $425 million and allowed some claimants to seek up to $20,000 in damages for various losses, including unauthorized charges, costs associated with freezing credit reports, and fees for attorneys or professional accountants.

Senator Hassan emphasized the critical nature of these findings, stating, "As international criminal syndicates increasingly use scams to target Americans, data brokers shouldn’t make it harder for people to protect themselves." Her comments underscore the escalating threat posed by sophisticated fraud operations and the responsibility of data companies to act as protectors, not enablers, of consumer vulnerability.

Hassan concluded that the findings vividly illustrate the profound exposure individuals face when sensitive personal data is collected, compiled, and traded at scale within the data broker industry. She also highlighted the investigation as compelling evidence that sustained public pressure and congressional oversight can indeed prompt companies to improve access to essential privacy tools. "It is encouraging that after we launched our investigation, many companies took steps to improve opt-out options for Americans, which in turn can help more consumers keep their information out of the wrong hands," Hassan remarked, signaling both a victory for consumer advocacy and a continued need for vigilance in the evolving landscape of digital privacy.