Who’s Got Hold of Your Personal Information? Data Brokers Are Big Business

May 4, 2022 9 Min Read

Data brokers are companies that collect and sell personally identifiable information to third parties. Data brokering has become a multibillion-dollar industry, but it also presents risks to individuals and businesses whose personal information may be used for nefarious purposes.

Key Takeaways
  1. Data brokers gather information — often sourced from commercial databases or from the open web — and sell or license that information to third parties for a fee.
  2. The use of PII by data brokers can range from commonplace to controversial, and can also be exploited by cyber criminals for malicious purposes.
  3. Individuals and businesses should regularly assess and manage their personal information online, including utilizing opt-out options, to protect against data brokering and potential abuse.


The internet has made collecting and selling personal data easier than ever, and personally identifiable information (PII) is particularly valuable to one growing industry: data brokers.

Data brokers are businesses that gather information — often sourced from commercial databases or from the open web — and sell or license that information to third parties for a fee. This data can come from public records, consumer marketing lists and social media. Data brokering has become a multi-billion dollar industry, and these businesses use personal information in ways that range from the commonplace to the controversial.

“The primary focus of these sites is to collect information such as dates of birth, home addresses, personal contact details, emails and names of relatives,” says Catarina Kim, managing director of the Intelligence Group in Aon’s Cyber Solutions. “They have dual use purposes. On the surface, a user can buy a report on the site to vet the background of a person. However, this data can also be used by bad actors to conduct social engineering, account takeovers or target members of the public.”

There are also other, more nefarious data brokers. These threat actors typically operate on the dark web and traffic in data that has been stolen or exfiltrated through third-party data breaches.

For business leaders or other high-net-worth individuals, either type of data brokering activity can present a very real risk if their personal information is used by individuals who might want to target them or their families for harassment, fraud or criminal activities.

In Depth

The amount of personal information available on the open web is vast and often highly accessible, especially in the United States. A simple search can provide such details as an individual’s associated telephone number, email address, mother’s maiden name and other data that can be used for phishing, answering password reset questions and even engaging in more sophisticated attacks to defeat two-factor authentication on bank accounts. Vehicle license plate numbers and information about the make and model of an executive’s car might also be readily available.

“People are often unaware of how much PII is available about them online. Cyber criminals can complement what’s accessible for free on the open web by leveraging data found on the dark web, including compromised passwords for email addresses that were breached through third party sites such as a food delivery service or online marketplace,” says Dennis Lawrence, a senior consultant in the Intelligence Group at Aon’s Cyber Solutions. “This is particularly relevant since many people reuse old passwords or use slight variations of them.”

“Those are all things that could be used and leveraged in a very strategic way by certain people if they got into the wrong hands, especially if it is information about a senior executive or a high-net-worth individual,” says Kim. “It can be used to access their email accounts, extort them, impersonate them and to commit fraud.”

Identifying and Controlling Data Vulnerability

Determining what information might be available about executives or other prominent individuals is an important process and one that must be repeated regularly.

“On the open web, the companies that sell this information are legitimate businesses. This is not obviously stolen data, these are data sets that they are buying from other companies that have collected this information,” says Kim. “If the sites refresh their data in six months, information gets repopulated even after an opt-out request has been submitted. So it’s not necessarily a one-and-done.” As a result, it’s best to take a proactive approach to managing personal information online. Individuals can begin with a vulnerability assessment to examine their digital footprint, using open, deep and dark web sources to identify areas of risk.

“Anything that’s publicly accessible, anything that we can glean from social media, anything that we can glean from the dark web, those are the first things people should consider reviewing,” says Kim. When possible, individuals can opt out from having their information sold, or, in some cases, records can simply be removed from websites.

If individuals choose to keep posting on social media, they should understand the privacy settings they can apply to their activities. “There are ways that you can lock down your profile so you can still share information without providing access to people outside your circle,” Kim says, noting the benefits of “proactive monitoring.” This entails constantly scanning the open and dark web for information on individuals that might be leveraged against them.

As Information Moves, Risks Increase

A lawsuit filed earlier this year by a data broker against one of its customers speaks to some of the risks associated with information as it changes hands.

While there aren’t widespread laws governing data brokers’ activities, some U.S. states like California require data brokers to register with the state’s attorney general. The California Consumer Privacy Act also gives residents of the state some rights and protections concerning their personal information. “It’s very specific to California residents,” says Kim. “I don’t foresee that happening uniformly across the United States.”

Other regions have specific legislation in place to protect individuals from data exposure risks. In Europe, the EU has pursued data brokers accused of violating the General Data Protection Regulation (GDPR).

Managing the Power of Personal Data

Personal information about executives or high-net-worth individuals that falls into the wrong hands becomes a powerful risk. Once sensitive data has made its way to the internet, it may be too late to control potential damage. However, by understanding the sorts of information being collected and shared by data brokers and taking steps to limit the amount of data available, individuals can better protect their personal information online.

“Clients will often come to us once an event has happened,” says Lawrence. “But the best way to think about this is that you can help avoid a lot of heartache and violation of privacy if you take action before that potential event occurs down the road.”

