Where do scammers get my details?

Rightly lifts the lid on the systemic misuse of personal information and how it’s being bought, sold, collected and traded for profit at your expense! New report is a warning to shoppers and parents with children spending time online over the holiday period, as it exposes them to scams, hacks, fraud, porn and spearfishing.

  • Personal information is collected from multiple sources, but Rightly’s report exposes competition websites as a key risk for the online security of families over Christmas. Details are entered and unknowingly sold on, exposing them to scams and spam.
  • Data brokers are profiting from the sale of private and personal information, which can often get into the wrong hands, leaving consumers exposed to risk from scammers. The more data they have the more likely you will be targets for a sophisticated attack.
  • Many companies are duping consumers into sharing their sensitive information. They do this by writing their opt in like an opt out. This is misleading as it does not actually get consent and can be shared with hundreds of companies without you realising.

London, 7 December 2021 – Rightly, the consumer data action website, today reveals the results of a four-month investigation – and subsequent report – into the shocking misuse of personal details and the risk that we all are being exposed to as a result.

Ever had a call or text from a scammer? How did they know so much about you? Or an email purporting to be from ‘your accountant’ encouraging you to click on a dodgy link, download a virus or reveal your login details? Worse still, have you ever been hacked or had credit taken out in your name?

Bad people are doing bad things using your personal information that you may have genuinely shared. Rightly can now reveal that your detailed personal information is being freely collected and traded by a barely-legal murky underground network of data aggregators and data brokers who scrape, from websites or buy from unscrupulous retailers, YOUR personal information such as your date birth, marital status, sexual orientation, previous addresses and financial information etc.

The Report: summary findings

Based on a comprehensive review of Rightly CEO James Walker’s digital footprint that took four months to gather, because it is so hard to know who has it, the report uncovered an illuminating insight into the murky world of data selling, revealing the alarming extent to which detailed personal information and profiles are shared and sold by thousands of companies, without consumer knowledge or agreement. The findings showed how so-called marketing service providers – or data brokers – can capitalise on consumer trust and ignorance, putting individuals at increased risk of digital harm and how they make money from the detailed insight they gain.

Commenting on the findings James Walker said “It was shocking to see just how many companies had obtained my personal – and what I thought was private – data. What made it even worse is the level of detail they held and the fact I did not know who had it.

“We don’t think about who has our data or we think it is too hard to manage, but we’re becoming a society of record and, as a result, cleaning up your data footprint has never been harder. The sharing of personal data can affect what prices consumers are shown on websites, insurance premiums and credit scores for example. This, coupled with the psychological burden of not knowing what information is being shared and sold on you, leaves many consumers feeling overwhelmed and powerless.

The investigation reveals a ‘dark data footprint’, with James’s personal data being shared by and to thousands of companies around the world without his consent, directly exposing him to scams, porn, spearfishing, fraud, and potential data breaches.

Data shared far and wide

Rightly’s research discovered that an individual’s personal data can be spread alarmingly far, with ‘data laundering’ accelerating this process.

In fact, James discovered that:

  • Over 400 companies had access to his contact information and other personal data, despite him no longer having a relationship with over 60% of them;
  • And over 5,000 companies had uploaded his email address into Facebook for marketing purposes without his knowledge.

The level of detailed information that these companies possess on an individual is astounding. James Walker adds “One profile shockingly even included my propensity to get cancer, which could impact the cost of services such as health and life insurance. This is sensitive data and used without my knowledge, which is unethical.”

The extent of this data abuse is particularly alarming given that data protection is enshrined in law thanks to the UK Data Protection Act and the General Data Protection Regulation (GDPR). In most cases, companies are finding ways to work around the system and some ignore requests for data to be deleted. This widespread lack of compliance and consistency is fostering a landscape in which poor data use and sharing practices have become the norm, and consumer welfare, privacy and finances are hanging in the balance.

The report identifies several market-wide deficiencies in the way consumer data is handled. These include:

  • Consumers are being duped into sharing their data. Websites are using opt-in and smart language to get ‘permission’ for data sharing. This is not only misleading but also unethical.
  • Consumer data is being shared with organisations involved with spam, scams and spearfishing. This often happens without the individual’s knowledge as companies fail to inform them when they share their data.
  • Consumers are subjected to bias and the over-pricing of services, thanks to the creation of detailed consumer profiles.
  • GDPR is being ignored. In many cases, businesses ‘work around’ GDPR at the expense of the consumer, and often don’t respond to data requests as they should. To make matters worse, rather than finding out where the data they purchase has come from, brands are often purchasing through sites that consumers have not entered that data into. Therefore, the level of due diligence requested by the ICO is not being met.

Essentially, no matter how carefully an individual tracks what they do online, there are other parties that will grow their digital footprint for them – with or without their consent. Consumers have lost control of some of their most precious and personal information and getting it back will not be easy.

It’s time to take action. In order to heal the broken data landscape, Rightly offers consumers a way to wipe their data from these companies and data brokers, preventing it falling into the wrong hands, and taking back control of their data. Given online activity is set to increase over the Christmas and New Year shopping period, taking control of one’s digital footprint has never been more important.

To reduce the risk of data harm and exposure to scams, hacks, fraud, data breaches and spearfishing, Rightly has launched a simple and free tool. It enables individuals to ask data brokers what information they hold on them and then helps them to delete this information. The new tool can be found HERE.

Contact pr@rightly.co.uk to request to read the full Rightly report on data misuse.


Research Methodology

This research used the digital footprint of Rightly’s CEO James Walker as a microcosm. James’ online behaviour can be best characterised as careful and informed about how the industry works. He shops online, has different passwords and is relatively cautious. He never frequents competition sites, for example, and tries to reject cookies where possible - although like many of us occasionally accepts them for ease.

The research began by scanning James’ inbox for company names, in order to identify companies that were sending him marketing information. This produced a list of companies that had his personal data. Although it should be acknowledged that they may have held different amounts. Using this list and his ‘right of access’ under GDPR, he sent subject access requests to every company, asking:

  • What data they had of his in their possession
  • Who they had shared his data with

James’ use of his GDPR rights meant that companies had to reply to both of his questions within one calendar month. When these replies were received, James repeated this process, asking the connected companies what they had collected or bought of his personal data and who they had shared it with. The report also supplemented this with the examination of each company’s privacy policy.