U.S. Government Tries to Stop Data Brokers That Help Dox People Through Credit Data

On Tuesday the Consumer Financial Protection Bureau (CFPB) published a long-anticipated proposed rule change around how data brokers handle people’s sensitive information, including their name and address, which would introduce increased limits on when brokers can distribute such data. Researchers have shown how foreign adversaries are able to easily purchase such information, and 404 Media previously revealed that this particular data supply chain is linked to multiple acts of violence inside the cybercriminal underground that have spilled over to victims in the general public too.
The proposed rule in part aims to tackle the distribution of credit header data. This is the personal information at the top of a credit report which doesn’t discuss the person’s actual lines of credit. But currently credit header data is distributed so widely, to so many different companies, that it ends up in the hands of people who use it maliciously.
The impact of the proposed rule change, if it were to go into force, won’t be clear until it actually happens, which potentially would not be until at least next year. And that might be up in the air: Elon Musk, who is playing a key role in the transition to the forthcoming Trump administration, and venture capitalist Marc Andreessen have both criticized the agency. But the proposed rule change still shows a significant effort by a U.S. government agency to wrangle the data broker industry.
“The problem grows more urgent each and every day,” CFPB director Rohit Chopra said on a call with reporters before the announcement.
In short, the rule would reclassify companies that sell certain sensitive personal information as “consumer reporting agencies” under a law called the Fair Credit Reporting Act (FCRA). This is the decades-old law that says consumer reporting agencies can only transfer credit data for a set of what the law calls permissible purposes. These include issuing credit, insurance, and employer background checks. Meanwhile, some data brokers access and sell such data for an array of other purposes, such as marketing. With the new rule, those limits would now apply to more data brokers, potentially limiting the flow of such data to malicious parties.
As I reported when 404 Media launched on how criminals gain access to this data, it often starts when consumers provide personal data to financial institutions, perhaps to obtain a credit card. The credit bureaus, Experian, TransUnion, and Equifax, then may distribute this data to other companies for a variety of use cases. Criminals then tap into this supply chain themselves, either by breaking into accounts at these companies or impersonating people who have access. The result includes bots on Telegram that use that data to instantly dox essentially anyone in America for as little as $15. 404 Media has seen multiple outputs of these bots then being used as part of robberies, swattings, and other forms of harassment against journalists, other cybercriminals, and members of the public. Earlier this year a hacker posted a massive amount of information stolen from a data broker called National Public Data, which contained information on hundreds of millions of Americans.
💡 Do you know how else credit header data is being used? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.
With the rule change, data brokers would be treated more like credit bureaus and background check companies, which have tighter restrictions, according to the CFPB’s accompanying press release. And it could protect the data through more of that supply chain. “When consumer reporting agencies collect information like names, addresses, or ages for credit reports, any subsequent sale of that information would be covered by the FCRA’s protections,” the press release reads. “These changes would significantly limit the ability of data brokers to sell sensitive contact information that could be used to target, harass, or dox individuals seeking privacy protection, including domestic violence survivors,” it adds. An official on the call summarized the change as ensuring the sale of such data is only for those purposes that are considered above board.
“Under the proposed rule, communications from consumer reporting agencies of certain personal identifiers that they collected to prepare a consumer report—such as name, addresses, date of birth, Social Security numbers, and phone numbers—generally would be consumer reports. This would mean that consumer reporting agencies could only sell such information—so-called ‘credit header’ data—if the user had a permissible purpose under the FCRA,” a factsheet the CFPB shared with reporters before the announcement reads.
The CFPB also said it sees some companies skirt existing protections by claiming they are not subject to the FCRA while then selling much of that same information. Justin Sherman, a Duke professor who studies data brokers, and who co-authored the study on how foreign adversaries could buy U.S. data, told 404 Media in an email that “The data broker industry is a disaster for our privacy and our national security—collecting and selling virtually every American’s data without their consent and creating tremendous risk to everyone from children to military service members to elderly people suffering from Alzheimer’s. The CFPB’s rulemaking is common sense: too many companies walk like a consumer reporting agency, and quack like a consumer reporting agency, yet magically claim on their website they’re not FCRA-covered and conveniently provide people none of the rights and protections they’re entitled to.”
“The FCRA set up very clear rules, supported by both parties, that give Americans more rights and protections over their credit data—and these newly proposed measures update the regulations for the modern age, in line with the original law’s purpose,” he added. “For all the CFPB’s essential work on this topic, it also underscores how far we have to go; the ultimate solutions to data brokerage privacy and security threats, including the serious threats to our national security, are legislative, and it’s yet another reminder that Congress needs to regulate this industry that harms all Americans.”
Law enforcement agencies often buy such data for their own investigations without a court order or other legal mechanism. The press release says the rule would “preserve existing pathways created by the FCRA for government agencies to access consumer report information for legitimate law enforcement, counterterrorism, and counterintelligence purposes.”
Senator Ron Wyden, whose office previously investigated the use of credit header data by law enforcement agencies and explicitly asked the CFPB to tighten the rules around credit header data, told 404 Media in a statement that “The CFPB is putting up points for Americans’ privacy right down to the buzzer by acting on my 2021 request to close a key loophole that enables sleazy data brokers to sell Americans’ personal data to criminals, stalkers and foreign spies. Letting anyone with a credit card buy this data doesn’t just harm Americans’ privacy, it seriously threatens national security when sensitive information about law enforcement, judges, and members of the armed forces is on the open market.”
“Unfortunately, it will be up to Trump’s CFPB to finalize this proposed rule, and he and his billionaire donors are intent on shutting this agency down to take away a key advocate for American consumers,” he added.
Ultimately, it is unclear how effective the CFPB’s proposed rule will be at stopping the abuse of credit header data. If the rule does cut off those companies that fraudsters often gain access to, maybe it could have some impact in the underground ecosystem of doxing and harassment services.
On the call with reporters before the announcement, a CFPB official said the proposal will be open for comments until March 2025, at which point the CFPB could make further changes.