The 2026 Verizon DBIR, the Aura Vishing Breach, and Why Identity Protection Companies Are Now Targets Themselves

Key Takeaways (TL;DR)

The 2026 Verizon Data Breach Investigations Report, published April 29, again confirms that the human element — phishing, social engineering, stolen credentials — is the dominant initial access vector across more than 12,000 confirmed breaches.

The most uncomfortable proof point this week: identity-protection company Aura disclosed a 900,000-record breach caused by a voice-phishing (vishing) attack on a single employee — a company that exists to protect people from this exact threat.

The U.S. Federal Trade Commission announced on May 4 that data broker Kochava and successor Collective Data Solutions will be banned from selling sensitive location data without affirmative consent — the largest broker-side enforcement action of 2026 so far.

The pattern across all three stories: attackers no longer need to break in through the firewall. They walk in through people whose personal data is already public.

For employers and CISOs, the implication is now unambiguous: removing employee PII from data-broker sites is a security control, not a privacy nice-to-have.

Story 1 — The 2026 DBIR: same finding, sharper edge

Verizon released the 2026 Data Breach Investigations Report on April 29, 2026, covering more than 12,000 confirmed breaches between November 2024 and October 2025.

The headline finding has not moved meaningfully in five years: the human element — phishing, social engineering, error, and stolen credentials — is still the most frequent path to a breach. In the previous edition, Verizon measured nearly 60% of breaches involving a human element and identified compromised credentials as the leading initial access vector at 22%. The 2026 edition again calls out social engineering, phishing, and stolen credentials as the most frequent breach causes alongside software vulnerability exploitation.

Translation for security leaders: the perimeter you actually have to defend is your people, and the data attackers use to target them is data your people did not put online themselves. It came from data brokers.

Story 2 — Aura, the identity protection company, gets vished

In late March 2026, Aura disclosed a breach exposing roughly 900,000 customer records. According to public reporting, the ShinyHunters group launched a voice-phishing (vishing) attack against an Aura employee. Posing as a trusted internal party over the phone, the attacker convinced the employee to share credentials or approve a request — and gained access for roughly one hour. That hour was enough.

The exposed data set was reported to be marketing-list information — names and email addresses — rather than the most sensitive identity data Aura holds. That detail matters less than the optics. Aura is a company whose entire product proposition is protecting consumers from this exact attack pattern. The attackers used a phone call.

This is the second-order data-broker story: when an attacker can pull an employee's name, role, employer, and direct number from a people-search site for a few dollars, the social engineering script writes itself. The Aura employee did not click a phishing email. They answered a phone call from someone who knew enough about them to sound legitimate.

Story 3 — The FTC's Kochava ban lands

On May 4, 2026, the FTC announced a settlement that bans Kochava and its successor Collective Data Solutions from selling sensitive location data without affirmative express consumer consent. The action requires the companies to build a "sensitive location data program," implement supplier consent assessments, and report incidents of contract violations to the agency.

This caps a multi-year case originally filed in August 2022 and represents the strongest broker-side enforcement action under the current FTC. Combined with the February 2026 PADFAA warning letters the FTC sent to 13 data brokers about selling Americans' sensitive data to foreign adversaries, the message is consistent: the federal regulator is treating broker data flows as a national-security and consumer-protection problem at the same time.

What ties the three stories together

Read together, these three stories say the same thing from three angles:

DBIR (defender's view): people are the attack surface.

Aura (victim's view): even a security company can be socially engineered when the data on its employees is publicly available.

Kochava + PADFAA (regulator's view): the supply of that data is now an enforcement target.

The throughline is the data-broker layer. Brokers are not the only source of personal data attackers use, but they are the cheapest, most scalable, and most legal source. A targeted spear-phishing or vishing campaign against a specific employee at a specific company is a $20 lookup at a people-search site, not a sophisticated dark-web operation.

What CISOs and HR leaders should do this quarter

If you are a security or benefits leader and you have not yet treated data-broker removal as a security control, this week is the cleanest time to start. Three concrete moves:

Inventory your top-50 attack-surface employees. Executives, finance approvers, IT admins, HR with payroll access, customer-facing engineering. Pull a public exposure scan for each.

Make broker removal a benefit, not a one-off project. Removal is not one-and-done — brokers re-publish data. A continuous-monitoring service applied as an employee benefit is what closes the loop sustainably.

Train against vishing specifically, not just email phishing. The Aura breach was a phone call. Your training program probably is not.

Priwall by mePrism is purpose-built for exactly this use case — continuous data-broker removal delivered through HRIS as an employee benefit, with per-employee admin and SOC 2 Type II controls.

Schedule a Priwall demo

If you are an individual reading this and your name is on a data-broker site (it is — that is the default), you can start with a free Priwall scan.

Sign up for Priwall coverage

Frequently asked questions

What is the 2026 Verizon DBIR?

The Verizon Data Breach Investigations Report is an annual industry analysis of confirmed data breaches, contributed by global law enforcement, forensic firms, insurers, and Verizon's own threat research team. The 2026 edition covers incidents from November 2024 through October 2025.

What is vishing and how is it different from phishing?

Vishing is voice phishing — social engineering conducted by phone rather than email. The Aura breach in March 2026 was a vishing attack: an attacker called an employee and used personal context to convince them to grant access. The U.S. National Institute of Standards and Technology categorizes both phishing and vishing as social engineering and recommends specific training and controls for each.

Why does data-broker removal matter for cybersecurity, not just privacy?

Targeted social-engineering attacks succeed when the attacker has personal context about the target — name, role, employer, phone, family, address. Data brokers and people-search sites sell exactly that context for a few dollars per record. Removing employee PII from those sources directly reduces the input data available for spear-phishing and vishing.

What does the FTC's Kochava settlement actually change?

The proposed FTC order prohibits Kochava and its successor from selling sensitive location data without affirmative express consent and requires a documented sensitive-locations program plus supplier consent assessments. It does not directly affect other brokers, but it sets a strong precedent and signals further enforcement.

Is data-broker removal legal in the U.S.?

Yes. State laws including the California Consumer Privacy Act (CCPA) and the California DELETE Act explicitly grant consumers the right to opt out of broker collection and to use an authorized agent to do so on their behalf.

By Thomas Daly, CEO, mePrism Privacy. Thomas leads mePrism Inc., the company behind Priwall by mePrism, and writes regularly on consumer privacy regulation and the B2B economics of data-broker removal.

Read more and get up to speed

Employee PII: The New Cybersecurity Perimeter — A 2026 CISO's Guide

DeleteMe vs Priwall vs Optery vs Incogni: The Honest 2026 Comparison

How to Remove Yourself from Spokeo in 2026 (Step-by-Step)

Ready to try mePrism yourself?

If you're a company protecting at-risk employees, or an individual concerned about your digital footprint, start your privacy removal today at mePrism.com.
Because your data shouldn’t be a roadmap for violence.

Click here to create your Free Basic account.