Data brokers, in bed with scammers, have directed their algorithms at millions of vulnerable seniors —

Image Click to listen to the AARP podcast I host, The Perfect Scam

Several big data brokers have profited for years by selling what are, cruelly, called “sucker lists” to criminals who have used them to refine scams designed to trick the elderly and vulnerable, a new report on LawfareBlog explains. It’s a shocking analysis that sheds light on an open secret affecting many industries: Stealing from older people is good business and rarely involves much risk.

The Lawfare story – written by Justin Sherman and Alistair Simmons, describes the pursuit of three major data brokers – Epsilon, Macromark and KBM Group – over the past two years. The details of the guilty pleas are heartbreaking. Lots more below, but first, a quick step on the soap box:

Mid-size criminal gangs, or even small-scale criminals, are usually behind the scams I’ve been writing about for several decades – fake sweepstakes, fraudulent grant schemes, and the like. Many change the lives of victims. Often all their savings are stolen. For the elderly, there is no time to recover from such a scam. Some get sick or even kill themselves after a fight with a scam like this. Criminals who take their money must be prosecuted vigorously, of course. But for many years, I saw that a list of legitimate multinational corporations facilitated these crimes. Sometimes they even profit from these crimes. And sometimes their very business model depends on this dirty business. Yet those companies that stay away from the victims often suffer little or no consequences. This must change. Matt Stoller, a staunch advocate of antitrust reform, has a habit of shouting “Jail Time!” when obvious corporate wrongdoing is largely ignored by our justice system. It’s a cry more should join. Stealing from the elderly and vulnerable should not be an acceptable business model, or even an acceptable by-product of a business model. People who help criminals steal from the elderly should go to jail.

On the details. Readers may recall Epsilon from a decade-old incident, when the then-obscure data hoarding company suffered this some have called it the biggest data breach in history. Beginning before this incident and continuing through July 2017 – for more than a decade – Epsilon employees helped criminals send mail stuffed with all kinds of obvious scams, according to court documents. There were fake sweepstakes, purported personal astrology invitations, auto guarantee solicitations, dietary supplement scams, and fraudulent government grant offers. Epsilon employees knew these were scams. Clients were sometimes arrested. In one case, a worker complained that a customer “brought us rev[enue] for 5 years, but the law caught up with them and shut them down.

The solicitations were fraudulent on their face. Recipients of contest mails were told they were one of a kind; it was obviously impossible for them all to be winners. Yet Epsilon continued to work with such companies. He made money by selling targeted lists of those who were most likely to respond. In fact, he had special names for the characters in this scam: the targeted consumers were euphemistically called “opportunity seekers”, before they fell victim. Customers who sent the fraudulent emails were labeled as “opportunists”. The Department of Justice leaves no doubt about the real meaning of these terms – “opportunity seekers often belonged to the same demographic group: elderly and vulnerable Americans”.

During that decade, Epsilon helped criminals attack 30 million U.S. consumers by selling data to those companies that was used to facilitate “fraudulent direct mail schemes,” according to the Department of Justice.

During this time, there was also an evil feedback loop. Data from criminal enterprises was used to refine Epsiolon’s algorithms, as Sherman and Simmons explain in their paper:

“Two employees” collaborated on a model in February 2016 “for customers involved in a fraud that used data from” one of Epsilon’s customers. They expanded Epsilon’s databases by gathering information from the scammers, then used that information to determine which people would be most likely to be targeted in the future. In other words, those who have fallen for a scam once would be documented in Epsilon’s database, which could provide other scammers with lists of people identified as being… susceptible to it. kind of marketing.

Epsilon agreed to “defer prosecution” in his case, meaning he essentially pleaded guilty and agreed to pay $150 million in fines and restitution. Separately, two former Epsilon employees have been criminally charged, a welcome development. A year later, their federal cases are progressing slowly in federal court in Colorado. The most recent filing action in the case involved Epsilon trying to overturn a subpoena issued by the defendants, who appear to believe corporate documents could exonerate them by showing they were only following orders. Epsilon denies this and says the defendants are on a probationary fishing plan.

Macromark’s suit followed similar lines, court documents say. This company has also spent over a decade helping criminals steal millions of dollars from thousands of targeted victims because they were likely to respond to a fraudulent psychic scam.

“In general, the most effective mailing lists for any particular fraudulent mass mailing were lists comprised of victims of other mass mailing campaigns that used similar deceptive letters,” Macromark’s guilty plea read.

There was no doubt that Macromark knew what the customers were doing, according to the plea document: “A Macromark executive sent a customer a link to a newspaper article with the headline ‘Feds: Mail Fraud Schemes Scam the elderly,” as well as documents linking the client’s own clients. Letters about the newspaper article. The guilty plea says a Macromark employee actually helped a client change his name to escape the law enforcement.

“List brokers and service providers such as Macromark who facilitate these schemes are particularly dangerous,” said Inspector-in-Charge Delany DeLeon-Colon of the U.S. Postal Inspection Service’s Criminal Investigations Group, which investigated the crime. “Data companies like this have extraordinary access to consumers’ personal information, not just their mailing address. Selling and distributing this data exponentially amplifies the scale and impact of these programs. Macromark pleaded guilty to wire fraud and admitted that the lists provided to scammers resulted in losses of $9.5 million to victims. The company was sentenced to three years probation and fined $1 million.

Two Macromark executives have also been charged with mail and wire fraud in connection with the investigation.

At KBM Group, an employee had fun laughing at the expense of the victims, court documents say. A solicitation sent using KBM data said recipients were entitled to $45,000 from an old inactive account, which would be released if a small fee was paid. A KBM chief executive said in an email: “Who responds to this stuff? Obviously, we have these people. Later, that same manager fought over a customer that another employee had flagged as fraudulent, resulting in the sale of 100,000 consumer data.

KBM pleaded guilty and agreed to pay victim compensation fines totaling $42 million.

Fines are good. Sometimes the victims of these scams get money back through restitution funds, and that’s good too, although often years behind and a lot of dollars short. Yet these examples show how brazen companies can be when providing a platform for criminals to connect with vulnerable people. The platform’s accountability calls for swift justice and jail time. Every week, as host of The Perfect Scam, I listen to people talk about their lives torn apart by crimes like these.

When your actions logically begin a chain of events that lead to ruined lives, well, your life should be ruined too.

I let Shermer and Simmons have the last word:

“Data brokers are extremely profitable and can overcome fines imposed while continuing their operations. The more money they earn, the more money they will have to spend on their legal defenses. In all three cases mentioned, the internal compliance measures of the data brokers were ineffective, because these companies already knew that they were partnering with scammers and continued to do so because they saw a financial advantage. If controls were in place, they were ignored. And in the one case where checks were applied, the checks were overridden by data broker employees who were looking for profit above all else. This raises a series of critical policy questions about the effectiveness of enterprise controls today and how many enterprise controls should be prioritized as part of a policy solution when there is evidence that they can be overridden.

Comprehensive legislation, at the federal if not state level, to regulate data brokerage and prevent and mitigate its harms is necessary to protect all Americans. This should include a focus on stopping the algorithmic revictimization of people who have been scammed. It should also focus on controlling the sale and licensing of data on vulnerable Americans, especially when data brokers knowingly use this information to help scammers prey on the elderly, cognitive impairment and otherwise vulnerable.

Sharon D. Cole