The Senate just put a number on it
The Joint Economic Committee of the U.S. Senate dropped a report this week that should make every American furious. Four data broker breaches — companies you never heard of, never signed up with, never gave permission to — exposed nearly 700 million people's personal information. The estimated damage to consumers: $20.8 billion.
Not to the companies. To you. In identity theft, fraudulent accounts, stolen tax refunds, wrecked credit, and years of damage control. Twenty point eight billion dollars — and most of the people who got hit are still walking around wondering why their credit score dropped, why their bank flagged a suspicious account, why they got denied for a loan they qualified for last year.
The Senate found that just four data broker breaches over the past decade exposed hundreds of millions of Americans. Using median identity theft loss estimates of $200 per affected person, Congressional staff calculated the total consumer damage at $20.8 billion — with zero accountability from the companies responsible.
This wasn't leaked by a hacker group. This was a Senate committee report, triggered by investigative journalism from CalMatters and The Markup. The data brokers — companies whose entire business model is collecting and selling your personal information — got breached, leaked your data to criminals, and kept operating like nothing happened.
The four breaches that cost you $20.8 billion
Let's name names. These aren't mystery companies. Two of them are the same credit bureaus managing your credit file right now.
| Company | Year | People Exposed | Your Risk |
|---|---|---|---|
| Equifax | 2017 | 147 million | Critical |
| Exactis | 2018 | 230 million | Critical |
| National Public Data | 2023 | 270 million | Critical |
| TransUnion | 2025 | 4 million | High |
Add those numbers up. That's 651 million records. In a country of 330 million people. Statistically, you were hit more than once — you just don't know it. Exactis in 2018 leaked 230 million records from a database sitting on a publicly accessible server. No hack required. Just negligence. National Public Data in 2023 leaked names, Social Security numbers, addresses, and family relationships for 270 million people — the entire backbone of what criminals need to open accounts in your name.
"Your data was collected without your consent, sold without your knowledge, and leaked to criminals without your notification. Then the bill was handed to you."
And the Equifax breach of 2017 — which exposed 147 million people — directly put Social Security numbers, birth dates, addresses, and driver's license numbers in criminal hands. That breach is still being weaponized today to open fraudulent credit accounts, file fake tax returns, and manipulate credit files.
How this hits your credit file specifically
Data broker breaches don't just sit in the abstract. They land on your credit report. Here's the direct pipeline from breach to damaged score:
-
1Criminal gets your SSN + address from a data broker leak. Opens a new credit card in your name. The account hits your report as an unknown hard inquiry, then as a new account you didn't open.
-
2They max out the card. Utilization spikes to 100% on a fraudulent account. Your score tanks 40–80 points before you ever see the statement.
-
3They stop paying. The delinquency hits 30, 60, 90 days late. Each milestone is another negative mark on your report — under your name, your SSN, your credit file.
-
4Collection agencies buy the debt. Now you have collection accounts you don't owe. Each one adds a new negative tradeline. The debt follows you for 7 years unless you fight it.
-
5You apply for a mortgage, car loan, apartment. Denied. Or approved at a rate 3–5% higher because your score shows 4 late payments and 2 collections that aren't yours.
Credit bureaus are required to investigate identity theft disputes under the FCRA — but with the CFPB gutted in 2025, enforcement of that requirement is near zero. Experian is resolving less than 1% of consumer complaints in your favor. TransUnion's relief rate collapsed in the summer of 2025. You're on your own unless you know exactly how to fight.
What Congress is doing about it (and what they're not)
Senator Maggie Hassan's report is a shot across the bow at the data broker industry. The findings are damning — but as of March 2026, there is no federal law requiring data brokers to secure your data, notify you when they're breached, or delete your information on request. Congress is talking. Nobody has acted.
What has happened: California launched something called DROP — the Delete Request and Opt Out Platform. It's a one-stop portal where California residents can file a single deletion request with over 500 registered data brokers. Starting August 1, 2026, those brokers must start processing those requests or face penalties. If you live in California, this is real and you should use it. If you don't live in California — you have nothing equivalent at the federal level. Yet.
Data brokers responded to the Senate report by promising to make it "easier to opt out." That's voluntary. There's no law forcing them to do anything until Congress acts. Opting out also doesn't delete data they've already sold — it only (maybe) stops future collection. The data that already leaked isn't coming back.
What you actually need to do right now
Stop waiting for Congress to protect you. Here's the NMD playbook for dealing with the fallout from data broker breaches — whether you know you've been hit or not.
-
1Pull all three reports free at AnnualCreditReport.com. Look for accounts you didn't open, addresses you don't recognize, employers you never worked for, and hard inquiries from lenders you never contacted. These are the fingerprints of identity theft.
-
2Place a credit freeze at all three bureaus — right now. Not a fraud alert. A freeze. Equifax, Experian, TransUnion. Also freeze Innovis and ChexSystems. A freeze is free and prevents new credit from being opened in your name without your explicit unfreeze.
-
3File an FTC Identity Theft Report at IdentityTheft.gov if you find fraudulent accounts. This report is your legal weapon — send it to every bureau and creditor with the fraudulent accounts to trigger mandatory investigation and removal.
-
4Dispute every fraudulent tradeline in writing. Certified mail. Return receipt. Specifically cite the FCRA Section 605B, which requires bureaus to block fraudulent information within 4 business days of receiving a valid identity theft report and dispute.
-
5Opt out of data brokers now. Use DeleteMe, Privacy Bee, or go manual with OptOutPrescreen.com (stops pre-screened credit offers), DMAchoice.org, and the major broker opt-out pages. This won't undo past damage — but it limits future exposure.
-
6Monitor aggressively. Free credit monitoring through your existing cards, Experian's free tier, or CreditKarma. Set up alerts for any new account, hard inquiry, or address change. Speed is everything — the faster you catch it, the faster you can kill it.
The NMD Solutions connection
At NMD, we built our entire operation around the reality that the systems designed to protect your credit file don't actually work the way they're supposed to. Data brokers leak your data. Bureaus fail to fix it. The CFPB stopped enforcing. Your credit score becomes a crime scene while you're still figuring out what happened.
That's exactly why we built the NMD AI Credit Suite — a set of tools that puts the power back in your hands. Our dispute engine knows exactly which laws to cite, which language triggers escalation, and which creditors fold fastest when they see a properly constructed challenge. Our identity theft recovery track guides you step by step from discovery to clean file.
The data brokers got rich selling your information. The criminals used it. And now you're left holding the credit score — unless you fight back.
Fix It With AI. $29 Flat.
The NMD Credit Bot handles disputes, identity theft recovery, score optimization, and bureau follow-up — automatically. No monthly fees. No law firm markups. Just results.
Data breaches, bureau changes, FCRA loopholes, score moves. NMD drops it first — before your bank tells you and definitely before your credit score reflects it.
You're in. Watch your inbox.