Data brokers are companies that collect and aggregate information on consumers to create detailed profiles that are then sold to other companies to determine if an individual is qualified for loans, mortgages, jobs, and other things. But sometimes, these companies get their hands on unauthorized, highly sensitive personal information and sell it. Today, four connected data brokers agreed to settle federal charges of selling this sort of information to unscrupulous customers.
The Federal Trade Commission announced today that a group of defendants settled charges they knowingly provided scammers with the personal information – including Social Security numbers and bank account numbers — of hundreds of thousands of consumers to alleged scammers.
According to the FTC’s original complaint [PDF] against John Ayers, LeapLab, Leads Company, and SiteSearch, the companies bought hundreds of thousands of loan applications submitted by financially vulnerable consumers to payday loan sites.
The applications contained the consumer’s name, address, phone number, employer, Social Security number, and bank account number, including the bank routing number.
The data brokers then sold about 95% of that information for $.50 each to non-lenders that had no legitimate use for the details, the FTC alleges.
In one case, the FTC claims a buyer of the information used it to withdraw millions of dollars from consumers’ accounts without authorization. That company, Ideal Financial Solutions, is party to another FTC case.
Under the proposed consent orders with the data brokers, John Ayers [PDF], LeapLab [PDF], and Leads Company [PDF] are barred from selling or transferring sensitive personal information about consumers to third parties.
They are also prohibited from misleading consumers about the terms of a loan offer or the likelihood of getting a loan.
The orders for the three companies also includes a suspended $5.7 million judgement.
According to the order [PDF] against SiteSearch, the company is subject to the same bans as the other brokers but must pay $4.1 million to affected consumers.
All four companies are required to destroy any consumer data in their possession within 30 days.