Data brokers cost Americans $21B: 33 firms sell to adversaries
Your phone pinged a cell tower 14 times before lunch. Five of those pings were sold. Two of them landed in a database that researchers say is legally accessible to actors in China, Russia, North Korea, and Iran.
That is the takeaway from a congressional Joint Economic Committee report released after a CalMatters and Markup investigation into the data brokerage industry. Lawmakers concluded that breaches at four data brokers, Equifax, Exactis, National Public Data, and TransUnion, exposed more than 651 million Americans and triggered roughly $21 billion in identity-theft losses. Most victims still do not know their information was for sale.
The math behind a $21 billion wound
Congressional staff used a median identity-theft loss of $200 per affected person, then multiplied it across the share of breach victims who later report fraud. Equifax (2017) hit 147 million Americans. Exactis (2018) hit 230 million. National Public Data (2023) hit 270 million. TransUnion (2025) added another 4 million. The average US adult appears in at least three of these leaks.
What makes this different from a normal breach narrative is the source. None of these companies were hacked because they ran consumer apps. They were hacked because they were the warehouses, firms whose business model is buying, repackaging, and reselling profiles assembled from your bank, your insurer, your loyalty cards, and your phone.
The 33 firms most people have never heard of
While Congress was tallying damage, the Electronic Privacy Information Center analyzed California's data broker registry and found something quieter and arguably worse. Thirty-three California-registered brokers reported on official state filings that they sold or shared data with non-US actors in countries Washington classifies as foreign adversaries: China, Russia, North Korea, and Iran. Five of those 33 also disclosed that they collect precise geolocation data.
That second number is the one that matters. Precise geolocation is not "city level." It is the GPS coordinate your phone produced when you walked into a fertility clinic, a defense contractor parking lot, a synagogue, or a domestic-violence shelter.
Pricing has long been an industry secret, but documented contracts are revealing. Illinois once purchased two years of precise location traces for over five million people for around $50,000, roughly half a cent per person for 24 months of movement. At that scale, a single phone's daily pattern changes hands for a fraction of a cent per ping.
Why "anonymous" is the wrong word
Brokers insist location data is "de-identified." Researchers keep proving otherwise. If a device sleeps every night at one address and spends weekdays at another, two data points are usually enough to name the human attached to the phone. Lawfare analysts showed that a foreign intelligence service could legally buy commercial feeds, geofence a nuclear weapons site, and follow every device that crossed the perimeter back home.
This is not theoretical. The Federal Trade Commission has already sent compliance letters to 13 companies under the Protecting Americans' Data from Foreign Adversaries Act (PADFAA), the 2024 law banning sensitive US data sales to adversary-controlled entities. The registry suggests the practice continued into 2025.
This connects to the broader pattern of stolen-credential breaches that fuel resale markets, and to the browser fingerprinting economy that feeds brokers their inputs.
What you can actually do this week
The opt-out problem is the hidden engine. Markup reporters found brokers were burying legally required opt-out pages with "no-index" code so they would not appear in Google. The committee's recommendation was blunt: "At a minimum, opt-out options should be easy to locate and use."
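A page hidden this way can be recognized from the response itself. The Python below is an added example, not code from The Markup, the committee, or any broker: it lists the robots meta tags and `X-Robots-Tag` headers that tell crawlers to keep a page out of search results. The function name `noindex_signals`, the crawler names checked, and the sample responses are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Directives that keep a page out of results ("none" means noindex, nofollow).
BLOCKING = {"noindex", "none"}
CRAWLER_META = {"robots", "googlebot", "bingbot"}  # "robots" applies to all


def _blocking(value):
    """Return the blocking directives in a comma-separated robots value."""
    found = set()
    for token in value.lower().split(","):
        # "googlebot: noindex" carries a user-agent prefix before the colon.
        found |= {part.strip() for part in token.split(":")} & BLOCKING
    return sorted(found)


class _MetaRobots(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if name in CRAWLER_META:
            for d in _blocking(a.get("content", "")):
                self.hits.append(f"meta[{name}]={d}")


def noindex_signals(html, headers):
    """List every signal telling crawlers not to index this response."""
    signals = []
    for key, value in headers:  # list of pairs, because the header may repeat
        if key.lower() == "x-robots-tag":
            signals += [f"header={d}" for d in _blocking(value)]
    parser = _MetaRobots()
    parser.feed(html)
    return signals + parser.hits


# Constructed sample responses (not taken from any real broker site).
HIDDEN = ('<html><head><META NAME="Robots" CONTENT="NOINDEX, follow">'
          '<title>Opt out</title></head><body>form</body></html>')
VISIBLE = '<html><head><meta name="robots" content="index, follow"></head></html>'

if __name__ == "__main__":
    print(noindex_signals(HIDDEN, [("X-Robots-Tag", "googlebot: none")]))
```

An empty list means neither the markup nor the headers asked crawlers to skip the page; a `robots.txt` rule is a separate mechanism and is not covered here.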
Three steps:
- File a deletion request with the California data broker registry, even if you do not live in California. Many brokers comply nationally to avoid splitting pipelines.
- Disable the advertising ID on your phone (iOS: Settings, Privacy and Security, Tracking; Android: Settings, Privacy, Ads, Delete advertising ID). This is the key that stitches your location pings across apps.
- Audit one app per week for "precise location" permissions and downgrade to "approximate." A similar discipline limits exposure to government-built spyware leaks, where the entry point is almost always over-permissioned apps.
The question Congress did not answer
The $21 billion figure measures direct identity theft. It does not price the cost of a foreign service knowing which US officials walked into which clinic, factory, or apartment last Tuesday. The market exists, the registry confirms it, and the people in it never agreed to be there.
Your phone is going to ping a tower again in 90 seconds. The question is no longer whether someone records it. It is who, in which country, can buy that record by Friday, and for how little.
Sources and References
- Electronic Privacy Information Center (EPIC) — 33 California-registered data brokers reported on official state filings that they sold or shared US consumer data with non-US actors in China, Russia, North Korea, or Iran, and 5 of those 33 also disclosed collecting precise geolocation data.
- CalMatters / US Joint Economic Committee — Joint Economic Committee found four data broker breaches (Equifax 2017, Exactis 2018, National Public Data 2023, TransUnion 2025) exposed 651 million Americans and caused approximately $21 billion in identity-theft losses, using a $200 median loss per affected person.
- The Markup — Data brokers were caught hiding legally required opt-out pages from search engines using no-index code, prompting Congress to recommend that opt-out options should be easy to locate and use.
- Lawfare — A foreign intelligence service can legally buy commercial geolocation feeds and geofence sensitive sites, including nuclear weapons storage, then track every device that crossed the perimeter back to its home address.



