Data Brokers  ·  Privacy
· 7 min read

Your Home Address Has Already Been Sold

Data brokers aggregate public registries, social platforms and transaction histories into detailed personal profiles — then sell access to anyone willing to pay a subscription. For European executives, the GDPR is frequently misunderstood as protection. It is not.

What the data broker industry actually is

Data brokers are companies whose primary business is the aggregation, enrichment and resale of personal information. They are not hackers, and they do not steal data. They collect it from sources that are either public, commercially licensed or purchased from other data companies — and they combine those sources into profiles that are substantially more detailed than any single source alone.

The industry is dominated by US-based firms — Acxiom, LexisNexis, Whitepages, BeenVerified, Spokeo — but their data coverage extends fully into Europe. They aggregate from European public registries, cross-reference against social media platforms, and supplement with travel, retail and financial data purchased from loyalty programmes and payment processors.

The profile produced for a European executive typically contains: full name, all known addresses (current and historical), date of birth, family members and their addresses, telephone numbers (including mobile), email addresses, employment history, vehicle registrations, estimated net worth bracket, and in some jurisdictions, property ownership and transaction history.

Where the data originates

  1. Commercial registers — KvK, Handelsregister, Companies House. All publish director names and, in many cases, addresses. These are scraped and sold.
  2. Electoral rolls — In some EU member states, the electoral roll is a public document or is accessible under certain conditions. Brokers have historically acquired this data legally.
  3. Property registries — Land registry data confirms ownership, purchase price and property address. Most EU land registries make this queryable.
  4. Social media platforms — Profile data, connection graphs and location check-ins scraped before platform API restrictions, and ongoing where APIs remain open.
  5. Data purchased from apps — Weather apps, fitness trackers, games and loyalty programmes routinely sell anonymised (and occasionally re-identifiable) location and behavioural data to brokers.

Why GDPR does not solve this

The GDPR grants European residents the right to request deletion of their personal data from organisations processing it. In theory, this applies to data brokers. In practice, the mechanism is designed for individual companies receiving individual requests — not for an ecosystem of several thousand brokers operating across jurisdictions.

A single deletion request to a single broker takes between four and twelve weeks to process, requires identity verification that creates its own data trail, and applies only to that broker's own systems. The broker's licensees — who may number in the hundreds — are separate entities, each requiring individual requests.

The practical arithmetic: a conservative estimate of meaningful data brokers holding profiles on European executives is 300 to 500. Filing individual GDPR deletion requests with each, following up on non-responses and re-filing after re-aggregation — which brokers do automatically — is not a realistic remediation strategy without systematic tooling and legal support.

What targeted data broker exposure looks like

The relevant question for an executive is not whether their data is held by brokers — it is. The question is what that data enables. Three scenarios are operationally significant.

Physical access. The home address confirmed through broker data is the most direct physical security risk. Combined with a pattern of life established from other OSINT sources, it provides an adversary with location, access timing and household composition.

Social engineering scaffolding. A well-constructed pretext call to a PA, an IT help desk or a financial institution is substantially more convincing when the caller can confirm accurate personal details. Broker data provides the detail density that makes impersonation plausible.

Family member targeting. Brokers profile families, not just individuals. A minor's school — inferable from a family address and standard school catchment data — or a partner's employer is frequently visible in broker profiles. These are entry points that bypass the security posture of the primary target entirely.

What effective remediation looks like

Systematic opt-out across priority brokers reduces the data available in current searches. The priority list is not all brokers — it is the subset that aggregates to most consumer-facing queries and to the tools used by private investigators and security researchers in Europe.

Parallel to opt-out: the KvK privacy shield in the Netherlands conceals residential addresses from public registry searches. Equivalent mechanisms exist in Germany (Handelsregister), Austria and Switzerland. These cut off one of the primary data sources brokers use for European re-aggregation.

Neither measure is permanent. Brokers re-aggregate on quarterly cycles. Remediation is a maintenance activity, not a one-time action.

Next step

Find out what brokers know about you — and close the gap.

Our exposure assessment includes a full data broker profile of the subject, a priority opt-out filing plan and structural recommendations to prevent re-aggregation.

Request intake
← Back to all briefings