When data brokers break

Martin Shelton

Principal Researcher

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

Electronic Frontier Foundation (CC BY 2.0)

In the news

We often talk to newsrooms about dealing with data brokers — companies that aggregate and sell data from commercial and public records. According to recent reporting from TechCrunch, an alleged breach of a U.S. data broker impacted at least 300 million people. “The stolen data, which was advertised on a known cybercrime forum, allegedly dates back years and includes U.S. citizens’ full names, their home address history and Social Security numbers — data that is widely available for sale by data brokers.” Their reporting suggests “mixed results” verifying the authenticity of the data. Read more here.

What you can do

  • In the long term, we need comprehensive regulation over data brokers. It’s absurd that the business of selling aggregate user data is virtually unregulated in the United States, and that’s to say nothing of consumer privacy obligations internationally. I’m holding back the naughty words I’d preserve for a personal blog. Perhaps I’d use some eight-letter terms that start with the letter B, so let me just instead say it’s *B … ananas!* to do this in the first place.

    But now that we’re here, let’s talk about your options.
  • Our digital security training team often speaks to reporters about what to do about data brokers. The two main options require some sort of payment: You pay with your time, or your money:
    • For the low, low price of $0, you can manually remove yourself from a variety of data brokers by following instructions listed in journalist Yael Grauer's Big Ass Data Broker Opt-Out List. (Thank you Yael! This is a public service.) However, data brokers are known to regularly pull your data in again — sometimes every few months, sometimes every few years. It’s not trivial to opt out.
    • In about a dozen countries you can use anti-data broker services like DeleteMe, which allows you to have personal data removed from such sites. It’s not cheap though, and will run you roughly $129 each year. If you have the means to do this on your own, it may be a worthwhile investment. We encourage media organizations with the capacity to support staff with these services, particularly those working on politically sensitive reporting.
  • For U.S. citizens: if you’re concerned that your social security number has been leaked or is at risk of being used for harassment or fraud, consider freezing your credit on all of the major credit unions. What does this mean? The long and short of it: You can require credit reporting agencies like Equifax to verify additional information before they will allow anyone to use credit to make big purchases in your name (e.g., buying a car). Read more about how to freeze your credit. You can always go back into the credit freeze portals outlined above to unlock your credit when you’re ready to make a big purchase.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Get Notified. Take Action.



Donate to support press freedom

Your support is more important than ever.

Read more about Digital Security Digest

Beware fraudulent CrowdStrike emails

Last Friday, computer systems worldwide were taken down by a defective update from enterprise cybersecurity vendor CrowdStrike. In the wake of the outage, the U.S. Cybersecurity and Infrastructure Agency is warning of phishing emails, with attackers posing as CrowdStrike customer support.

What to do about AT&T breach

Around 110 million AT&T subscribers were affected by a data breach from May 1 to Oct. 31, 2022, TechCrunch reported.

Massive Authy leak, plus Proton Docs

The parent company for Authy, an application for two-factor authentication, has issued a critical security update to its Android and iOS users. According to BleepingComputer, hackers utilized leaked phone numbers from past data breaches to identify up to 33 million Authy users.