A Congressional report released on February 27, 2026, found that data broker breaches have cost American consumers more than $20 billion in losses over the past decade—approximately $21 billion when accounting for identity theft stemming directly from stolen personal information. The Senate Joint Economic Committee (JEC), led by Senator Maggie Hassan (D-NH), arrived at this figure by analyzing four major data broker breaches and estimating the median cost of identity theft at $200 per person, multiplied across millions of victims. The Equifax breach alone exposed 147 million people; subsequent breaches have affected even larger populations, creating cascading waves of identity theft that continue to harm consumers years after their data was stolen.
This investigation was triggered by groundbreaking investigative journalism from CalMatters and The Markup, which exposed how data brokers collect and sell vast troves of personal information—Social Security numbers, addresses, banking details, phone numbers—with minimal oversight. When these repositories are breached, the stolen data becomes a toolkit for scammers to commit identity theft, open fraudulent accounts, and drain bank balances. The JEC’s report doesn’t just document the financial devastation; it reveals systemic failures in how the data broker industry operates and what Congress is recommending to prevent future catastrophes. This article examines the Congressional report’s findings, breaks down the four major breaches analyzed, explains how stolen data fuels identity theft, and outlines what consumers and policymakers need to know to protect themselves from this growing threat.
Table of Contents
- What Are Data Brokers and Why Are Their Breaches So Costly?
- The Senate Joint Economic Committee’s February 2026 Investigation and Findings
- Four Massive Breaches That Shaped the Congressional Findings
- How Scammers Transform Stolen Data Into Identity Theft Crimes
- Concerning Practices Within the Data Broker Industry
- What Consumers Can Do to Protect Themselves
- Congressional Recommendations and the Path Forward
- Conclusion
What Are Data Brokers and Why Are Their Breaches So Costly?
data brokers are companies that collect personal information from public records, purchase it from retailers and financial institutions, and aggregate it into detailed profiles that they then sell to other businesses. These profiles include names, addresses, Social Security numbers, phone numbers, financial information, and sometimes even browsing habits or purchase history. Data brokers operate largely in the shadows—most Americans have never heard of them, yet their data has likely been bought and sold dozens of times. Companies like Equifax, Exactis, and TransUnion are household names only because of breaches; the industry as a whole includes hundreds of lesser-known players that quietly collect and monetize personal information every day.
The reason data broker breaches are so catastrophically expensive is the combination of scale and sensitivity. When a retailer’s database is breached, hackers may gain access to credit card numbers—but modern payment systems have fraud protection. When a data broker’s system is compromised, attackers obtain the foundational identity information needed to commit *comprehensive* identity theft: SSNs, addresses, and financial details all in one place. A scammer with this information can open new credit accounts, file false tax returns, and drain savings accounts. The JEC calculated that the average identity theft victim loses $200, but many lose far more—some experience six-figure fraud that takes years to resolve.
The Senate Joint Economic Committee’s February 2026 Investigation and Findings
Senator Maggie Hassan and the JEC examined four of the largest data broker breaches over the past decade and found a deeply troubling pattern: lax security practices, inadequate monitoring, and minimal consequences for companies that mishandle sensitive data. The calculation of $21 billion in losses came from multiplying the number of people impacted by major breaches by the median loss per identity theft victim. The Equifax 2017 breach alone—affecting 147 million people—contributed billions to this total. The 2023 National Public Data breach exposed 270 million people, and the more recent 2025 TransUnion breach, while smaller at 4 million people, shows that despite years of warnings, major data holders continue to suffer serious security failures.
However, it’s important to note that the $21 billion figure represents *estimated* losses based on statistical models, not a comprehensive accounting of every theft. Not every exposed person will become a victim of identity theft—some criminals may not attempt to use the data, or may find the information incomplete. Additionally, the actual loss to individuals could be higher when accounting for time spent resolving fraud, emotional distress, and credit damage that lasts for years. The report also notes that many identity thefts go unreported or undetected, meaning the true financial toll may exceed even this substantial estimate. The JEC’s investigation found that data brokers often knew about security vulnerabilities but delayed fixing them—a concerning practice that Congress is now directly addressing through its recommendations.
Four Massive Breaches That Shaped the Congressional Findings
The JEC’s report analyzed four breaches that collectively exposed nearly 700 million individuals. The 2017 Equifax breach, which compromised social security numbers and financial details for 147 million Americans, shocked the nation and exposed how a single company could hold so much personal information with inadequate security. Six years later, the 2018 Exactis breach exposed 230 million people—in some cases, the entire U.S. adult population. In 2023, the National Public Data breach hit 270 million people, making it one of the largest breaches in history.
Most recently, in 2025, TransUnion suffered a breach affecting 4 million people. What stands out is the timeline: despite the massive public outcry following Equifax in 2017, similar breaches continued to occur—and in greater numbers. The Exactis breach happened just one year later. The 2023 National Public breach occurred five years after Equifax. These weren’t accidents from small companies lacking resources; they were breaches at major data brokers with billions in revenue and explicit responsibility to protect sensitive information. The Congressional report emphasizes that the industry’s persistent security failures suggest the current regulatory framework is insufficient—companies face fines that are often smaller than their profits, creating little incentive to invest in robust security measures.
How Scammers Transform Stolen Data Into Identity Theft Crimes
When a data broker is breached, the stolen information goes to criminal marketplaces where fraudsters buy the data for pennies per record. Armed with a person’s name, SSN, address, and financial information, a criminal has everything needed to impersonate that person. They can apply for credit cards, take out loans, file false tax returns claiming the victim’s refund, or directly drain existing bank accounts. The identity theft process is often invisible until months later, when a victim receives a bill for a credit account they never opened or discovers their tax refund was intercepted.
The financial impact varies widely. A victim might lose $500 to a fraudulent credit card account, or they might lose $50,000 in a home equity line of credit taken out in their name. Beyond the direct financial loss, victims spend an average of 200+ hours resolving identity theft—disputing charges, contacting credit agencies, filing police reports, and fighting with creditors to remove fraudulent accounts from their credit history. Some victims’ credit is damaged for years, preventing them from buying homes or securing favorable loan rates. The JEC’s report emphasizes that while the $200 median loss is a useful aggregate figure, it obscures the severe impact experienced by many individual victims.
Concerning Practices Within the Data Broker Industry
The Congressional investigation revealed troubling patterns in how data brokers operate. Companies often employ inadequate encryption, fail to implement basic security controls, and delay patching known vulnerabilities. Some brokers have been found to knowingly sell data to unauthorized buyers or to individuals with histories of fraud. The lack of transparency is particularly concerning—data brokers do not inform people when they’ve collected their data, let alone when that data has been breached. In the Equifax case, the company delayed notifying consumers for weeks after discovering the breach, allowing criminals to use stolen information unchecked.
One significant warning: even after a breach is publicly disclosed, data remains available on criminal marketplaces for years. When the Equifax breach occurred in 2017, data was still being used for identity theft in 2024 and 2025. Criminals do not use breached data immediately; they may hold onto it, waiting for security around the victim to lower before attempting fraud. This means that people affected by the 2017 Equifax breach should continue monitoring their credit indefinitely. The Congressional report also found that some data brokers operate without proper licensing or oversight, creating a shadow economy where personal information is bought and sold with almost no regulatory friction.
What Consumers Can Do to Protect Themselves
While no consumer can completely avoid data broker breaches, several concrete steps can reduce the risk of identity theft. First, place a credit freeze with all three credit bureaus (Equifax, Experian, and TransUnion). A credit freeze prevents anyone—including you—from opening new credit accounts without your explicit permission, which blocks scammers from using your SSN to take out loans. The freeze is free and can be lifted when you need to apply for credit.
Second, monitor your credit reports regularly using free services like annualcreditreport.com (the official government-authorized service), and consider credit monitoring services that alert you to suspicious activity. Third, sign up for opt-out registries and data broker removal services—while this doesn’t prevent breaches, reducing the amount of data brokers hold about you minimizes exposure. One practical example: A person who was affected by the 2017 Equifax breach and froze their credit in 2018 would have prevented most identity theft attempts. However, a person who noticed the breach years later and only then froze their credit may have already been victimized. The lesson is that protection is most effective when implemented immediately, before criminals have had time to monetize your stolen data.
Congressional Recommendations and the Path Forward
The JEC’s report makes clear, actionable recommendations to address the data broker crisis. Congress recommends that data brokers provide consumers with transparent, easy opt-out options so people can request their data be deleted from brokers’ databases. Currently, many data brokers make opting out difficult or nearly impossible. The report also calls for more rigorous oversight of the data broker industry, including mandatory security standards, faster breach notification requirements, and meaningful penalties for companies that fail to protect personal information.
Additionally, the recommendation includes improved coordination between federal and state regulators to ensure data brokers cannot simply relocate to avoid oversight. The fact that this report came directly from Congress following investigative journalism suggests momentum for legislative action. Previous data breaches—Equifax in 2017, for example—prompted calls for reform but ultimately resulted in modest changes. The scale of the $21 billion damage estimate and the explicit Congressional framing of data brokers’ practices as “concerning” suggest that policymakers are finally recognizing this as a systemic problem requiring regulatory solutions. Consumers can expect ongoing congressional attention on this issue and potentially new legislation in 2026 and 2027 aimed at giving individuals more control over their data.
Conclusion
The Senate Joint Economic Committee’s February 2026 report represents a watershed moment in recognizing data brokers as a systemic threat to American consumers. With $21 billion in losses attributed to breaches over the past decade, and major vulnerabilities continuing to emerge in 2025, the financial and personal toll is undeniable. The JEC found that data brokers collect and sell personal information with minimal oversight, and when breaches occur, the stolen information becomes a direct tool for identity theft. The investigation was sparked by journalistic exposés that revealed how broken this industry operates, and Congress is now positioning itself to demand change.
For consumers, the immediate priority is to protect yourself against breaches that have already happened—freeze your credit, monitor your credit reports, and consider opting out of data broker databases. For policymakers, the message is clear: the current regulatory framework has failed. The recommendations for mandatory opt-out options, stronger security standards, faster breach notifications, and meaningful penalties represent a necessary reset for an industry that has prioritized profit over privacy. The $21 billion figure is not just a statistic; it represents millions of Americans whose identities were stolen and whose lives were disrupted by a preventable failure of oversight.