The data broker ecosystem is one of the most consequential and least understood parts of the digital economy. Data brokers compile, package, and sell detailed profiles on individuals drawn from public records, commercial transactions, app-level tracking, social media scraping, and bulk data purchases — then resell that information to anyone willing to pay.
What Data Brokers Actually Collect
The range of information collected is broader than most people assume. A typical commercial data broker profile may contain:
Gravy Analytics and the FTC Action
In December 2024, the FTC took action against Gravy Analytics, a major commercial location data broker collecting approximately 17 billion location signals per day from mobile devices. The FTC found that Gravy was selling sensitive location data — including locations associated with medical facilities, religious institutions, and political events — without adequate consent or disclosure. The enforcement action included a prohibition on selling sensitive location data and a requirement to delete existing datasets.
This is not an isolated case. The FTC has indicated that location data, health data, and data that enables inferences about sensitive characteristics represent priority areas for enforcement. The Gravy action illustrates that the data broker problem is not theoretical: 17 billion signals per day, collected from consumer apps, sold commercially.
The Foreign Adversary Dimension: PADFAA
The Protecting Americans from Foreign Adversary Controlled Applications Act (PADFAA), enacted in 2024, creates a legal framework for blocking the transfer of sensitive personal data to entities controlled by designated foreign adversaries (China, Russia, North Korea, Iran, Cuba, and Venezuela). In February 2026, the FTC issued 13 warning letters to companies it believes may be selling data covered by PADFAA regulations, with per-violation civil penalties of up to $53,000.
The relevance to individuals: PADFAA makes explicit that bulk personal data — including location, health inferences, financial data, and biometrics — can constitute a national security concern. This framing is useful because it underlines that data broker exposure is not merely a privacy concern. It is a security concern at both personal and national scale.
How Exposure Becomes Attack Infrastructure
The connection between data broker profiles and targeted attacks is direct. A profile that includes full name, current address, phone number, relatives, employer, and financial tier provides:
- Spear phishing context — personalized emails referencing real relationships, recent transactions, or correct employment details
- SIM swap intelligence — personal information used to social-engineer carrier support agents
- AI impersonation material — voice samples from social media combined with family knowledge from public records
- Physical security risk — home address for executives, journalists, and activists
- Doxxing and targeted harassment — aggregated information published to enable third-party harassment
Practical Exposure Reduction
Complete removal from the data broker ecosystem is not achievable, but systematic reduction is. Priority actions:
- Use a data broker opt-out service (DeleteMe, Privacy Bee) for systematic removal — manual opt-outs require ongoing effort because re-aggregation happens continuously
- Use a PO Box or virtual address for commercial mail and registrations not requiring a physical address
- Use a secondary phone number (Google Voice, MySudo) for forms, registrations, and accounts that do not require your primary number
- Audit app location permissions quarterly — most apps do not need location access and should be set to "Never" or "While Using"
- Freeze credit at all three bureaus — Equifax, Experian, TransUnion — as the baseline protection against new account fraud
- Review what is publicly visible on social media: family member names, home city, employer, phone number
The Cognitive Firewall
The concept applies directly to data broker exposure. When someone contacts you — by phone, email, or text — with information that sounds specific and accurate (your address, your carrier, your bank), that accuracy is not proof of legitimacy. It is proof that your information is commercially available. Treat accuracy of personal details as a neutral data point, not as evidence of authenticity. The defense is verification through independent contact channels, not trust in demonstrated knowledge of your personal information.