Your Personal Data Is About to Get Sold for $600

The "data enrichment" profiles of 203 million consumers are up for sale online, according to Steve Ragan at CSO Online. Whoever buys the files — the asking price is only $600 — will be able to use the records for phishing scams, spamming, and possibly identity theft.

That loyalty card means everything he's buying goes into his consumer profile. Credit: BikeRiderLondon/Shutterstock

Consumer data enrichment is what happens when you shop online or use a loyalty card at a retail chain. Your shopping habits are aggregated along with almost everything anyone would want to know about you — your credit history, marital status, income, occupation, number of children, political persuasion and dozens of other "data points." Several different firms legally collect and analyze this data, then sell it to advertisers and marketers.

All of this information is part of the data being offered online by an unknown seller, Ragan said. Because the apparently stolen records also include each person's full name, street address and date of birth, they could also be used for identity theft, even though Social Security numbers are not included.

The seller claims the data is from Experian, but that company told Ragan that was false. It's possible the set instead came from Acxiom, a company that's not a household name but which may have the largest repository of data on Americans in existence and has been called "the private NSA." Acxiom didn't respond to Ragan's queries.

It's also possible that the data was collected from several sources using various methods and is simply being packaged as part of a single data breach.

Experts who were part of the Peerlyst security-professional community took a look at a sample of the data provided by the seller and decided it looked genuine. Ragan called several telephone numbers included with the sample, but all went to voicemail.

If the data is real and your information is part of it, there's unfortunately not much that you can do about it. You can move forward by treating unsolicited email messages with suspicion, by checking URLs of websites that you land on via shortened links and by installing and running antivirus software — in other words, all the things you really ought to be doing already.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.