Data Brokers Are Now Part of the Cyber Kill Chain: 7 Documented Cases From 2024–2025
Why CISA, the U.S. Treasury, and the DOJ now treat people-search sites and data brokers as a national security threat — and what enterprise security leaders should do about it before their next risk review.
TL;DR
In July 2025, CISA, FBI, and the Cyber National Mission Force formally named Scattered Spider (UNC3944) as a threat actor that "enriches campaigns with personal information from commercial intelligence tools and database leaks." This is the first time a U.S. federal cyber advisory has identified data brokers by function as an attacker resource.
In March 2025, Treasury OFAC sanctioned Zhou Shuai as a "China-based hacker and data broker" — the first time the U.S. government has applied the data broker label inside a national-security sanctions action.
A June 2025 court filing in the assassination of Minnesota state legislator Melissa Hortman explicitly named people-search sites as the source of the accused shooter's target addresses — the first documented broker-to-murder causal chain on U.S. soil.
Across 18 months, at least seven inflection points — including the Gravy Analytics 17TB GPS-ping breach, the National Public Data 2.9B-record dump, the UnitedHealthcare CEO murder, and a DOJ indictment of North Korean IT-worker facilitators — confirm that brokered PII is now the reconnaissance layer of the modern attack chain.
Traditional security investments (MFA, EDR, a staffed SOC, security awareness training) do not remove the upstream data that makes these attacks possible. Continuous broker-data removal is now the missing control.
For the last decade, data brokers and people-search sites were treated as a consumer privacy nuisance.
As of June 2026, that framing is obsolete.
The U.S. federal government, multiple foreign-intelligence services, organized ransomware crews, and at least one politically motivated assassin have all demonstrated, in the open record, that brokered personal data is now load-bearing infrastructure for cyber and physical attacks against U.S. organizations and the people who run them.
This post catalogs seven recent, well-documented cases, explains how attackers actually use broker data, and lays out what defenders need to do.
Why "Data Broker → Threat Actor" Suddenly Matters
Three structural shifts converged in 2024–2025:
Help-desk social engineering became the #1 ransomware entry vector
Mandiant, Microsoft, and CrowdStrike all reported that Scattered Spider and affiliated crews now defeat MFA by impersonating employees on calls to IT help desks — a method that depends on rich, accurate personal profiles.
Data broker breaches industrialized
The National Public Data leak exposed 2.9 billion records — including SSNs — in a single dump.
Gravy Analytics leaked 17 terabytes of GPS pings tracking individuals into the White House, the Kremlin, and the Pentagon.
Brokered data crossed into physical-violence cases
The murders of UnitedHealthcare CEO Brian Thompson and Minnesota state legislator Melissa Hortman have moved executive and public-official exposure from a theoretical to an operational threat.
The result: every U.S. organization with executives, sensitive employees, or government-facing roles is now downstream of an attacker supply chain it has no contractual relationship with — the data broker ecosystem.
Seven Documented Cases, August 2024 → July 2025
1. July 2025 — CISA, FBI, and CNMF formally name data brokers in a federal advisory
In the July 2025 update of joint advisory AA23-320A, CISA, FBI, and the Cyber National Mission Force wrote that Scattered Spider operators "enrich campaigns with personal information from commercial intelligence tools and database leaks to perform social engineering."
This is the first time a U.S. federal cyber advisory has identified the data-broker reconnaissance pattern by function.
The advisory recommends "removing or limiting publicly available information about employees" as a mitigation — a control most enterprise security programs do not yet operate.
2. June 2025 — Court filing ties Minnesota legislator shooting directly to people-search sites
The June 2025 attack on Minnesota state representative Melissa Hortman (killed) and state senator John Hoffman (wounded) was followed by a federal criminal complaint and an analysis by the Electronic Privacy Information Center (EPIC) showing that the accused compiled a target list of public officials using people-search websites.
This is the first documented case in the United States in which a data broker lookup is named, in court filings, as the proximate source of a homicide victim's home address.
3. March 2025 — OFAC sanctions a "China-based hacker and data broker"
On March 5, 2025, the U.S. Treasury OFAC sanctioned Zhou Shuai, identifying him explicitly as a "China-based hacker and data broker" engaged in the sale of compromised U.S. data to Chinese intelligence services.
This is the first U.S. sanctions action to apply the "data broker" label inside a national-security context — formal recognition that the sale of brokered personal data is now a sanctionable threat-actor activity.
4. January 2025 — Gravy Analytics breach exposes 17TB of GPS pings
In January 2025, location-data broker Gravy Analytics suffered a 17-terabyte breach that exposed precise GPS pings tracking individuals into the White House, the Kremlin, the Pentagon, military bases, places of worship, and abortion clinics.
The leaked dataset, now circulating in criminal markets, allows targeted physical reconnaissance against any individual whose phone was captured — including executives, board members, and federal employees.
5. December 2024 — UnitedHealthcare CEO Brian Thompson murdered in Manhattan
The December 4, 2024 killing of UnitedHealthcare CEO Brian Thompson on a Manhattan sidewalk reframed executive protection for every Fortune 500 board.
Subsequent reporting indicated that the accused assembled a target dossier using publicly available information — the same kind of data routinely aggregated and resold by people-search sites.
6. December 2024 — DOJ indicts North Korean IT-worker facilitators relying on background-check subscriptions
A December 2024 DOJ indictment of facilitators in the North Korean IT-worker scheme detailed how DPRK operatives — placed inside more than 300 U.S. companies — used commercial background-check and people-search subscriptions to construct fraudulent U.S. identities that defeated hiring screens.
This is the most explicit U.S. government finding to date that adversarial state actors are paying customers of the U.S. data broker industry.
7. August 2024 — National Public Data publishes 2.9 billion records
In August 2024, the National Public Data breach leaked approximately 2.9 billion records — names, addresses, SSNs, and family relationships for hundreds of millions of Americans — and the dataset was published in full on a criminal forum.
NPD is a downstream aggregator of dozens of upstream broker sources, making the breach a single-point-of-failure event for the entire ecosystem.
How Attackers Actually Use Broker Data: The Four-Stage Kill Chain
Across the cases above, a consistent four-stage pattern emerges:
Stage 1: Reconnaissance — under $1 per lookup
People-search sites and data broker APIs return names, dates of birth, partial Social Security numbers, mobile numbers, current and prior home addresses, vehicle records, and relatives.
A target dossier sufficient for help-desk impersonation now costs less than a cup of coffee.
Stage 2: Pretext construction
Operators combine broker-sourced PII with breach dumps (NPD, Gravy, and dozens of others) to build impersonation scripts that pass identity verification.
Scattered Spider's documented technique — calling a help desk, citing the employee's home address and last four of SSN, requesting an MFA reset — is the canonical example.
Stage 3: Multi-channel delivery
Smish (SMS-phish) the personal cell number, vish (voice-phish) the help desk, swap the SIM, then pivot through corporate SSO into M365, Snowflake, or the crown-jewel system.
Every step is enabled by broker-grade personal data that the target organization has no contractual ability to remove.
Stage 4: Physical escalation
When digital paths are hardened, the same data drives doxxing, swatting, harassment, and — increasingly — in-person violence.
The Hortman shooting and Thompson murder are not edge cases; they are the visible tail of a much larger pattern that includes hundreds of swatting incidents against federal judges, election workers, and public officials.
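The upstream data cannot be detected at the endpoint, but the downstream sequence in Stages 2 and 3 leaves a signal: a help-desk MFA reset followed within minutes by a sign-in from a device and network the user has never used. The following is an added detection example, not code from the original post or from any vendor named on this page. The log lines are constructed, and the field names (ts, event, user, actor, device_id, asn, result) are an assumed schema rather than any particular identity provider's export format; the 60-minute window is likewise an assumption to tune per environment.

```python
"""
Detection for the help-desk-reset-then-pivot sequence: an MFA factor reset
performed by a help-desk agent, followed shortly by a successful sign-in for the
same user from a device or network that user has never used before.
Added example. Log lines are constructed; the event schema is an assumption.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (JSON lines). jdoe: reset, then sign-in from an unseen
# device on an unseen network (the pivot). asmith: reset, then sign-in from the
# device and network already on record (a routine lost-token reset).
SAMPLE_LOG = """
{"ts": "2025-07-01T08:00:00Z", "event": "signin", "user": "asmith", "device_id": "dev-laptop-9", "asn": 7018, "result": "success"}
{"ts": "2025-07-10T09:00:00Z", "event": "signin", "user": "jdoe", "device_id": "dev-laptop-1", "asn": 7018, "result": "success"}
{"ts": "2025-07-11T14:02:00Z", "event": "signin", "user": "jdoe", "device_id": "dev-laptop-1", "asn": 7018, "result": "success"}
{"ts": "2025-07-12T10:15:00Z", "event": "mfa_factor_reset", "user": "jdoe", "actor": "helpdesk-agent-42", "channel": "phone"}
{"ts": "2025-07-12T10:29:00Z", "event": "signin", "user": "jdoe", "device_id": "dev-phone-new", "asn": 20473, "result": "success"}
{"ts": "2025-07-12T11:00:00Z", "event": "mfa_factor_reset", "user": "asmith", "actor": "helpdesk-agent-07", "channel": "phone"}
{"ts": "2025-07-12T11:20:00Z", "event": "signin", "user": "asmith", "device_id": "dev-laptop-9", "asn": 7018, "result": "success"}
"""

PIVOT_WINDOW = timedelta(minutes=60)  # assumption: tune to your environment


def parse_events(raw: str) -> List[Dict]:
    """Parse JSON lines into event dicts, with ts as datetime, sorted chronologically."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    events.sort(key=lambda ev: ev["ts"])
    return events


def detect_reset_then_pivot(events: List[Dict], window: timedelta = PIVOT_WINDOW) -> List[Dict]:
    """Return one alert per successful sign-in that follows a help-desk MFA reset
    within `window` and comes from a device or ASN not seen for that user before
    the reset. The baseline is built only from sign-ins *before* the reset, so the
    attacker's own post-reset sign-ins cannot launder themselves into it."""
    signins = [ev for ev in events if ev["event"] == "signin" and ev.get("result") == "success"]
    alerts = []
    for reset in (ev for ev in events if ev["event"] == "mfa_factor_reset"):
        user = reset["user"]
        prior = [s for s in signins if s["user"] == user and s["ts"] < reset["ts"]]
        known_devices = {s["device_id"] for s in prior}
        known_asns = {s["asn"] for s in prior}
        for s in signins:
            if s["user"] != user or not (reset["ts"] < s["ts"] <= reset["ts"] + window):
                continue
            new_device = s["device_id"] not in known_devices
            new_asn = s["asn"] not in known_asns
            if new_device or new_asn:
                alerts.append({
                    "user": user,
                    "reset_at": reset["ts"].isoformat(),
                    "reset_by": reset.get("actor"),
                    "signin_at": s["ts"].isoformat(),
                    "device_id": s["device_id"],
                    "asn": s["asn"],
                    "new_device": new_device,
                    "new_asn": new_asn,
                    "minutes_after_reset": (s["ts"] - reset["ts"]).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_then_pivot(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the constructed log, only jdoe's sign-in is flagged: it is 14 minutes after the reset and from both a new device and a new ASN, while asmith's post-reset sign-in matches the existing baseline. An account with no pre-reset sign-ins at all is flagged on its first post-reset sign-in, which is the correct default for a freshly onboarded identity of the kind the DPRK IT-worker case involves.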
Why MFA, EDR, and SOC Spend Don't Fix This
Modern enterprise security stacks assume the attacker has to find the target.
The data broker industry has eliminated that assumption.
The information is pre-staged on hundreds of broker sites, refreshed weekly, and sold by subscription to anyone with a credit card — including, as the OFAC action against Zhou Shuai and the DOJ DPRK indictment confirm, hostile foreign intelligence services and sanctioned individuals.
This means:
MFA fatigue and SIM-swap attacks start with broker-sourced mobile numbers and addresses.
Help-desk social engineering starts with broker-sourced personal data sufficient to defeat identity verification.
Executive and board threats start with broker-sourced home addresses, family members, and travel patterns.
Insider-threat and fraudulent-hire risk starts with broker-sourced background data being purchased by adversaries before — not after — they apply.
No amount of endpoint detection or security-awareness training removes the upstream supply.
Only continuous removal of personal data from broker sites does.
What Enterprise Security Leaders Should Do This Quarter
Add data broker exposure to your annual risk register
Treat broker-resident PII for executives, board, and high-risk roles (help-desk, finance, IT admin, M&A) as a measurable, reportable risk.
The July 2025 CISA advisory provides the federal validation your CFO will want to see.
Map your exposure
Run a broker-data lookup on a sample of executives and high-risk employees.
The volume of returned records is typically a board-meeting moment.
Operate a continuous removal program
One-time opt-outs do not work — brokers re-list within 30–90 days.
Removal must be continuous, family-inclusive (spouse, dependents, prior addresses), and mapped to threat-informed priorities (which sites Scattered Spider, APT41, and DPRK actors actually query).
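A removal program that is "continuous" needs state: which listings have been requested for removal, which were honored, which came back, and which subjects and brokers get handled first. The following is an added example of that bookkeeping as a small state machine, not code from the original post or from any product named on this page. The broker names, subjects, scan dates, priority tiers and re-check cadences are all constructed assumptions; the 30-day and shorter re-check intervals follow the page's 30–90 day re-listing window.

```python
"""
Re-listing tracker for a continuous broker-removal program.
Added example. Brokers, subjects, tiers and cadences are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (broker, subject)

# Constructed priorities (assumptions): lower number = handle first.
SUBJECT_TIER = {"ceo": 1, "ceo-spouse": 1, "helpdesk-lead": 2}
BROKER_RANK = {"people-search-a": 1, "people-search-b": 2}
RECHECK_BY_TIER = {1: timedelta(days=14), 2: timedelta(days=30)}


@dataclass
class Listing:
    broker: str
    subject: str
    status: str = "listed"  # listed -> removal_requested -> removed -> relisted
    first_seen: Optional[date] = None
    removal_requested: Optional[date] = None
    removed_on: Optional[date] = None
    relist_count: int = 0
    next_check: Optional[date] = None


def reconcile(state: Dict[Key, Listing], present: Set[Key], scan_date: date) -> List[Listing]:
    """Apply one scan's findings. A listing that reappears after being removed is
    marked relisted (and counted); one that is absent after a request is removed."""
    changed: List[Listing] = []
    for broker, subject in present:
        item = state.get((broker, subject))
        if item is None:
            item = Listing(broker, subject, first_seen=scan_date)
            state[(broker, subject)] = item
            changed.append(item)
        elif item.status == "removed":
            item.status = "relisted"
            item.relist_count += 1
            changed.append(item)
        # still present while listed/requested/relisted: no state change
    for key, item in state.items():
        if key not in present and item.status in ("listed", "removal_requested", "relisted"):
            item.status = "removed"
            item.removed_on = scan_date
            changed.append(item)
    for item in state.values():  # schedule the next re-check by subject tier
        item.next_check = scan_date + RECHECK_BY_TIER[SUBJECT_TIER.get(item.subject, 2)]
    return changed


def request_removal(state: Dict[Key, Listing], keys: Iterable[Key], on: date) -> None:
    """Record that opt-out requests were submitted for the given listings."""
    for key in keys:
        item = state[key]
        if item.status in ("listed", "relisted"):
            item.status = "removal_requested"
            item.removal_requested = on


def work_queue(state: Dict[Key, Listing]) -> List[Listing]:
    """Listings still needing a request: relistings first, then by subject tier, then broker rank."""
    pending = [i for i in state.values() if i.status in ("listed", "relisted")]
    return sorted(pending, key=lambda i: (i.status != "relisted",
                                          SUBJECT_TIER.get(i.subject, 2),
                                          BROKER_RANK.get(i.broker, 99)))


def due_checks(state: Dict[Key, Listing], today: date) -> List[Listing]:
    """Listings whose scheduled re-check date has arrived."""
    return [i for i in state.values() if i.next_check is not None and i.next_check <= today]


def run_demo() -> Dict[Key, Listing]:
    """Three constructed scans: initial exposure, partial removal, one re-listing."""
    state: Dict[Key, Listing] = {}
    d0 = date(2025, 8, 1)
    reconcile(state, {("people-search-a", "ceo"), ("people-search-b", "ceo"),
                      ("people-search-a", "ceo-spouse"), ("people-search-b", "helpdesk-lead")}, d0)
    request_removal(state, [(i.broker, i.subject) for i in work_queue(state)], d0)
    # Day 30: broker A honored its requests; broker B still lists the CEO.
    reconcile(state, {("people-search-b", "ceo")}, d0 + timedelta(days=30))
    # Day 60: broker A has re-listed the CEO; broker B finally removed the CEO.
    reconcile(state, {("people-search-a", "ceo")}, d0 + timedelta(days=60))
    return state


if __name__ == "__main__":
    for item in work_queue(run_demo()):
        print(f"{item.broker}/{item.subject}: {item.status}, relisted {item.relist_count}x")
```

After the third scan the only item on the queue is the CEO's re-listing at broker A, which is escalated ahead of anything merely listed; the spouse and help-desk listings remain in the removed state but keep their re-check dates, which is what makes the program continuous rather than a one-time opt-out.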
Tie the program to existing frameworks
NIST SP 800-53 PM-12, the FTC Safeguards Rule, and emerging state data broker laws in California, Texas, Vermont, and Oregon all now provide regulatory anchor points for the spend.
Pre-position incident-response playbooks
Pre-position incident-response playbooks for help-desk impersonation, executive doxxing, and SIM-swap attacks — all of which now begin with broker data.
What Priwall by mePrism Delivers
Priwall is the enterprise data-broker removal layer built for the 2025 threat landscape:
Continuous removal from 200+ U.S. people-search and broker sites, refreshed weekly to catch re-listings.
Executive, board, and family coverage — spouse, dependents, prior addresses, and relatives.
Employee bulk enrollment for high-risk roles (help-desk, finance, IT admin, M&A teams).
Compliance-grade audit trail mapped to NIST SP 800-53 PM-12, FTC Safeguards, and the California, Texas, Vermont, and Oregon data broker statutes.
Threat-informed prioritization — we remove first from the broker sites that Scattered Spider, APT41-adjacent operators, and DPRK IT-worker rings actually query.
Ready to try Priwall by mePrism yourself?
If you are an individual executive evaluating personal coverage outside an employer-funded program, you can start with a free exposure scan.
Sign up for Priwall by mePrism coverage.