Data Brokers Face Scrutiny as Security Lapses Expose Millions to Privacy Risks

Data brokers — companies that gather, refine, and sell vast amounts of personal information — are once again under the spotlight after a series of high-profile breaches revealed just how vulnerable their massive datasets can be. These incidents are raising new questions about industry practices, consumer consent, and the need for tighter regulation.

Repeated Incidents Show a Clear Pattern

In recent years, several major data brokers have suffered damaging security failures. In 2017, Experian’s South African operations left the information of nearly 24 million people exposed. The following year, U.S.-based marketing firm Exactis accidentally published a database containing 340 million detailed consumer records.

More recently, in 2022, the people-search services TruthFinder and Instant Checkmate acknowledged that more than 20 million user accounts had been compromised after a breach at a third-party service provider.

Experts say these repeated incidents are no coincidence. By design, data brokers collect enormous amounts of highly detailed personal information, making their databases extremely attractive targets — and potentially devastating when mishandled.

The IMDataCenter Exposure

A recent case involving Florida-based IMDataCenter illustrates the risks. An unsecured database belonging to the company was found online with 10,820 files, totaling 38 GB of information.

The majority of these files were .csv spreadsheets containing anywhere from thousands to hundreds of thousands of records each. The exposed data included names, physical addresses, email addresses, phone numbers, and lifestyle or property ownership details. File names suggested the information was tied to client orders labeled “reports” and “results,” apparently used for lead generation in industries such as insurance, solar energy, elections, extended warranties, hospitals, and healthcare providers.

After being alerted through a responsible disclosure, IMDataCenter restricted access to the database. However, it remains unclear how long the information was exposed or whether anyone else accessed it before it was secured.

Why Broker Breaches Carry Extra Risk

Unlike breaches at retail chains or online services, which often involve only a few categories of data, data broker leaks tend to reveal complete consumer profiles. These can include demographic details, contact information, property records, and even insights into political affiliations or spending habits.

This level of detail enables criminals to:

  • Commit identity theft and open fraudulent accounts
  • Launch highly convincing phishing or social engineering attacks
  • Tailor scams to an individual’s personal circumstances and interests

Because broker data is aggregated from numerous sources, once it is exposed, there is virtually no way to reclaim it — and the same information can circulate indefinitely on criminal marketplaces.

Growing Pressure for Reform

Privacy advocates say the repeated breaches are a sign that self-regulation in the data brokerage industry is not working. In the U.S., there is no single federal law dictating how these companies collect, store, or sell consumer information.

“The amount of data these firms hold is staggering, and most people have no idea they’re even in those databases,” said a cybersecurity researcher. “When that data gets out, the risks to individuals are significant and long-lasting.”

With incidents like the IMDataCenter exposure continuing to emerge, lawmakers and consumer protection groups are likely to renew calls for greater transparency, stronger safeguards, and stricter oversight. Until then, critics warn, the combination of vast data collection and lax security will remain a major threat to privacy.
