What we found
Equifax (F): Equifax lost the Social Security numbers of 147 million Americans.
In September 2017, Equifax disclosed a breach exposing the personal data of 147 million Americans -- nearly half the US population. The stolen data included Social Security numbers, birth dates, addresses, and driver's license numbers -- everything needed for identity theft. The breach exploited a known Apache Struts vulnerability (CVE-2017-5638) for which a patch had been available for two months before Equifax was breached; Equifax failed to apply it. The company's CISO, Susan Mauldin, held a Master of Fine Arts degree in music composition -- not computer science or information security. Three Equifax executives sold $1.8 million in company stock after the breach was discovered internally but before it was disclosed publicly. Jun Ying, the company's CIO, was sentenced to 4 months in prison for insider trading. The FTC settlement of $700 million was the largest data breach settlement in history. Equifax's breach response website itself had vulnerabilities, and the company initially directed consumers to a phishing look-alike domain.
Experian Credit Report (F): Experian sells your data to marketers.
Experian is simultaneously a credit bureau, a data broker, and an identity verification provider. The company sells consumer data to marketers, employers, landlords, and insurers — while also selling consumers a product to monitor who accesses their data. In 2020, a researcher demonstrated that Experian's API could be used to retrieve the credit score of any American by providing their name, address, and date of birth — with no authentication.
X-Mode Location Data (F): Apple and Google both banned X-Mode — the only time both platforms agreed to kick out the same data broker.
X-Mode's location tracking SDK was embedded in over 400 apps, including Muslim prayer apps, dating apps, and weather apps. The collected location data was sold to US military contractors and intelligence agencies. In 2020, both Apple and Google banned X-Mode's SDK from their app stores — an unprecedented action. X-Mode rebranded as "Outlogic" and continued operations.
SafeGraph Location Data (F): You downloaded a prayer app to know when to face Mecca.
Motherboard revealed in 2020 that SafeGraph sold location data harvested from Muslim prayer apps — including Muslim Pro (100M+ downloads) — to the US military and defence contractors. The data showed which devices visited mosques, when they prayed, and where they went afterwards. SafeGraph bought this data from SDKs embedded in prayer apps whose users had no idea their worship was being tracked and sold to the Pentagon.
Au10tix Identity Verification (F): You uploaded your passport to verify your TikTok account.
In 2024, 404 Media discovered that Au10tix had left identity verification credentials on an unsecured server since December 2022 — over a year. The exposed credentials could access identity documents (passports, driving licences, selfies) submitted by users of Uber, TikTok, X (Twitter), LinkedIn, Coinbase, and other platforms that use Au10tix for verification. You verified your identity on TikTok. Your passport photo sat on Au10tix's unsecured server.
Near Location Data Platform (F): 1.6 billion device profiles.
Near Intelligence tracked 1.6 billion devices across 44 countries, selling location data to the US Department of Defense, hedge funds, and real estate companies. The FTC found that Near sold data it had promised to anonymise but that could still identify individuals. In 2023, Near filed for bankruptcy. The company's primary asset — 1.6 billion device profiles — was potentially available for purchase by any buyer in the bankruptcy proceedings.
Onfido Identity Verification (D): You scanned your passport for Revolut.
Onfido processes identity documents and facial biometrics for companies including Revolut, Bitstamp, and Zipcar. In 2024, Onfido was acquired by Entrust — a US digital security company that also provides identity solutions to governments. The acquisition means biometric data collected for fintech verification is now held by a company that works with government agencies. Users who verified identity for a crypto exchange are now in a government contractor's database.
LiveRamp Data Connectivity (D): LiveRamp knows your real name and matches it to every device you own, every cookie in your browser, and every ad you see.
LiveRamp (formerly Acxiom's data onboarding division) maintains profiles on over 700 million consumers globally, matching real-world identities to digital device IDs, cookies, and advertising identifiers. The company acts as a "Rosetta Stone" between offline data (credit cards, loyalty cards, public records) and online data (browsing, app usage, ad clicks). You are identified even when you think you are anonymous.