Congressional Democrats on the Joint Economic Committee say they’ve identified more than $20.9 billion in consumer losses tied to identity theft connected to four major breaches involving data broker firms. The estimate was released Friday in a minority report stemming from a months-long inquiry into data broker practices launched by United States senator Maggie Hassan.
Hassan, a New Hampshire Democrat and the JEC’s ranking member, sent investigative requests to five major data brokers—Comscore, Findem, IQVIA Digital, Telesign, and 6Sense Insights—in August after an investigation by The Markup and CalMatters, copublished by WIRED, found some data brokers were hiding opt-out tools from Google and other search engines using “no index” instructions that tell web crawlers not to list the page.
Scammers are shown to use the kind of sensitive data that companies like these hold—including identifiers like dates of birth, addresses, and even Social Security numbers—to target victims with personalized fraud.
Four of the companies took steps after Hassan’s outreach to improve access to opt-out options, including by removing the “no index” code, adding more prominent links, and posting guidance on exercising privacy rights.
Findem, however, did not respond to Hassan or to committee staff follow-up, and staff said the company has not removed the “no index” code from its page. WIRED’s calls to Findem on Thursday went unanswered.
The report says Findem’s “failure to respond” to the lawmakers’ inquiries raises “serious, broad questions about its responsiveness to opt-out requests and commitment to data privacy,” adding that its own mandatory disclosures from 2024 show the company “did not process 80 percent of privacy requests from consumers and other parties,” citing “insufficient data.”
IQVIA, 6sense, and Comscore did not immediately respond to requests for comment. Telesign routes press inquiries through an online form that requires reporters to consent to receiving marketing communications, which was not used for that reason; instead, a company email address that appeared in previously leaked breach data was tried.
The Markup/CalMatters investigation found that dozens of California-registered data brokers were using the “no index” code and other so-called dark patterns that make opt-out and deletion pages harder to find. “In doing so,” the JEC minority report says, “the companies made it more difficult for people to protect their information from scammers.”
Comscore told the committee it reviewed its website after receiving Hassan’s request and found that its “Data Subject Rights” page—which directs users to separate forms for submitting opt-out requests—contained a “no index” code. The company said it traced the code, which it removed, back to an earlier version of the page created in 2003. The report says the company could not determine why it was added, but suggested it was “not intended to prevent consumer access.”
Telesign confirmed that its opt-out form, hosted on a “Privacy Request” page, was not appearing in search results at the time of the Markup/CalMatters reporting; it attributed the issue to a third-party SEO tool that restricts visibility by default, and says it has now enabled indexing and added a footer link to the form.
JEC staff say Telesign’s approach still forces consumers to look beyond its main site and, even where links exist, they’re often buried on pages users wouldn’t reasonably think to check—including privacy notice pages exceeding 9,000 words.
6sense disputed that its main “Privacy Center” was hidden, but acknowledged that its “Privacy Policy” page—which links to opt-out tools—previously carried “no index” code, adding that it removed the code after the Markup/CalMatters report. 6sense was the only company to report using third-party audits to assess both the visibility of opt-out options and whether the requests are being successfully processed, the report says.
IQVIA told the committee that it replaced its prior “Your Privacy Choices” opt-out page a month after the reporting and moved to a new page hosted by the vendor OneTrust, adding that the new page does not include “no index” code.
The report adds that IQVIA also pointed to Google’s AI Overview feature as another way users could locate opt-out information. But JEC minority staff found that Google’s AI outputs can vary and are not guaranteed to surface specific pages.
JEC staff say Hassan selected the five companies in part because they previously had not responded to WIRED’s requests for comment.
The report also attempts to quantify the downstream harm from major data-broker-related breaches, estimating more than $20.9 billion in nominal consumer losses. JEC staff analyzed large incidents from the past decade where public reporting specified the number of US residents affected, the report says, while excluding major exposures when breakdowns were unavailable, such as the 2019 People Data Labs incident.
Ultimately, they focused on four incidents in the past decade: Equifax in 2017, Exactis in 2018, National Public Data in 2023, and TransUnion in 2025. According to the report, the number of US residents affected ranged from 4.4 million in last year’s TransUnion incident to around 270 million in the 2023 National Public Data hack.
The report estimates that just over 30 percent of victims in major data breaches are likely to experience identity theft, based on reputable financial services research. The JEC research also relies on estimates from the Bureau of Justice Statistics, which indicates that between 58 and 69 percent of identity-theft victims experience a financial loss.
The median expected loss for those victims is estimated at around $200, but consumers whose data is exposed in a breach may also seek compensation through class action lawsuits, the report warns, arguing that those cases show identity-theft losses can far exceed the median figure cited. It points to the 2017 Equifax settlement, in which the company agreed to pay $425 million and allowed some claimants to seek up to $20,000 in damages, including unauthorized charges, costs tied to freezing credit reports, and fees for attorneys or professional accountants.
“As international criminal syndicates increasingly use scams to target Americans, data brokers shouldn’t make it harder for people to protect themselves,” says Hassan.
The findings illustrate how exposed people are when sensitive personal data is compiled and traded at scale, she says, pointing to the investigation as evidence that public pressure can prompt companies to improve access to privacy tools. “It is encouraging that after we launched our investigation, many companies took steps to improve opt-out options for Americans, which in turn can help more consumers keep their information out of the wrong hands.”
The post Data Broker Breaches Fueled Nearly $21 Billion in Identity-Theft Losses appeared first on Wired.
