A shocking snapshot of just four major recent data broker breaches shows that Americans were exposed to scams and identity theft costing them nearly $21 billion from those incidents alone—and a new report from Congress says that’s only the tip of the iceberg. Lawmakers are calling for urgent action, warning that without stronger protections, Americans will remain vulnerable to increasingly sophisticated scams.

The report was released by U.S. Senator Maggie Hassan, ranking member of the Joint Economic Committee. To arrive at the estimate, the committee evaluated how many people exposed in each breach were likely to experience identity theft, scaled that number down, used federal data to determine how many victims lost money, and then multiplied that figure by the average loss of $200 per person.

The $20.9 billion estimate is likely considerably less than the actual amount as it doesn’t include smaller breaches, indirect costs like higher insurance premiums, or the billions spent by banks and retailers to cover fraudulent transactions.

“Notably, consumers with data exposed in a breach may try to recover losses through a class action lawsuit against the companies that experienced the breach. These cases make clear that the total financial losses that victims of identity theft experience are likely far greater than the median of $200 lost to identity theft.”

Why Data Broker Practices Are Becoming a Customer Trust and Customer Service Risk

Data brokers collect and sell personal information pulled from commercial activity, government records, and public sources, often outside of a direct customer relationship. From a customer experience perspective, that distance creates a problem. Customers don’t always know who has their data, but they do know which brands they call when something goes wrong.

When breaches involving brokers lead to fraud, customers frequently turn to banks, retailers, healthcare providers, and digital services for help, even if those organizations weren’t the source of the exposure. That shifts the operational burden to customer service teams, who are left managing long calls, heightened emotions and loss of trust over time.

The committee concluded:

“[A]dditional action is needed to protect Americans from scams connected to data brokers.”

The Four Breaches That Cost $20.9 Billion

The Congressional committee focused only on breaches with reliable public data for U.S. residents and identified four major incidents:

  • Equifax – 2017: 147 million Americans affected. Hackers exploited a known vulnerability, gaining names, Social Security numbers, birth dates, and addresses for nearly half the country. Equifax eventually paid $575–700 million in settlements, including up to $20,000 per person in documented losses and time spent fixing the fallout.
  • Exactis – 2018: About 230 million consumer records exposed (part of a larger 340-million-record leak). A marketing-data firm left an unsecured database online, revealing hundreds of data points per person—phone numbers, addresses, interests, and income brackets. No SSNs or credit cards were involved, but the information was enough to fuel targeted scams and account takeovers.
  • National Public Data – 2023: Roughly 270 million Americans, or nearly 8 in 10 adults, were affected in one of the largest breaches in U.S. history. Data included Social Security numbers, full names, decades-old addresses, and even details on deceased relatives. The information appeared on the dark web in 2024, creating a feast for cybercriminals.
  • TransUnion – 2025: 4.46 million people impacted through a third-party vendor application. Hackers accessed names, dates of birth, SSNs, and addresses. Core credit files were untouched, but personal identifiers alone were enough for identity theft.

To estimate the financial impact, the committee relied on research showing that roughly 30% of breach notifications lead to identity-theft victims. They applied a conservative yearly adjustment (since some fraud appears later) and used Bureau of Justice Statistics data, which finds that 58–69% of identity-theft victims experience direct financial loss. Although the median loss per victim is about $200, some cases are far higher, especially when factoring in class-action payouts, legal fees, lost wages, and long-term credit damage.

Data Broker Breaches Fuel Scams, Fraud, and Customer Distrust

According to the report, security breaches at data brokers don’t just create one-time fraud events. They supply scammers with the information needed for more convincing and persistent attacks, including account takeovers and targeted phishing that feels personal to the victim.

For CX organizations, that means fraud prevention and recovery increasingly intersect with customer experience design. Long verification steps, frozen accounts and repeated identity checks may reduce risk, but they can also frustrate customers who are already dealing with financial loss.

Consent Management Gaps Add Risk Across the Customer Journey

The Senate committee’s findings also land as scrutiny increases around how brands handle consent to collect and share customer data across channels. Consent captured at one touchpoint often fails to follow customers across systems.

From a customer’s point of view, that fragmentation shows up as unexpected data use, unclear disclosures, or difficulty opting out, all of which compound the trust damage when a breach occurs.

The report revisits follow-up action Hassan took last August after allegations that some data brokers were obscuring opt-out mechanisms.

The report stated:

“At a minimum, opt-out options should be easy to locate and use.”

Four companies, Comscore, IQVIA Digital, Telesign, and 6sense Insights, responded and improved access to their opt-out tools. Findem did not respond to the inquiry.

Other companies named in the report include:

  • Comscore
  • IQVIA Digital
  • Telesign
  • 6sense Insights

These firms collect and sell personal information for marketing, analytics or identity verification. That data can include browsing behavior, device details, location history and in some cases highly sensitive identifiers.

What Stronger Data Oversight Means

Hassan argued that improved transparency and oversight could help slow the growth of scam losses tied to brokered data.

“As the volume of information that data brokers collect on individuals continues to grow—and as U.S. losses to scams escalate—data brokers, the Administration, and Congress can all play a key role in addressing scam risks stemming from data broker practices,” the report stated.

Even when data collection happens behind the scenes, the customer experience consequences are highly visible in the customer journey, reshaping how customers engage, complain, and decide whether to stay loyal.