Several large data brokers profited for years by selling what are known, cruelly, as “suckers lists” to criminals who used them to fine-tune scams designed to cheat elderly and vulnerable people, a new report on LawfareBlog explains. It’s a stomach-churning analysis which shines a harsh light on an open secret about many industries: Stealing from the elderly is good business, and rarely comes with much risk.
The Lawfare story — written by Justin Sherman and Alistair Simmons, describes the prosecution of three large data brokers — Epsilon, Macromark, and KBM Group — during the past couple of years. Details in the guilty pleas are harrowing. Much more below, but first, a quick step onto the soap box:
Medium-sized crime gangs, or even small-time criminals, are usually behind the scams I’ve written about for several decades — fake sweepstakes, fraudulent grant programs, and so on. Many are life-altering for the victims. Often, their entire life savings is stolen. For the elderly, there is no time to recover from such a scam. Some get sick, or even commit suicide after a bout with a scam like this. The criminals who take their money should be vigorously prosecuted, of course. But for many years, I have seen that a slate of legitimate, multi-national companies facilitate these crimes. Sometimes, they even profit from these crimes. And sometimes, their very business model depends on this dirty business. Yet, these companies that remain an arm’s length from the victims often suffer little to no consequence. That has to change. Matt Stoller, a loud advocate for antitrust reforms, has a habit of yelling “Jail Time!” when obvious corporate malfeasance is largely ignored by our judicial system. It’s a cry more should join. Stealing from the elderly and vulnerable should not be an acceptable business model, or even an acceptable by-product of a business model. People who help criminals steal from the elderly should go to jail.
Onto the details. Readers might remember Epsilon from an incident that’s a decade old, when the then-obscure data hoarding firm suffered what some called the largest data breach in history. Starting before that incident, and lasting through July 2017 — for more than a decade — Epsilon employees helped criminals send mail stuffed with all manner of obvious scams, according to court documents. There were fake sweepstakes, alleged personal astrology invitations, auto-warranty solicitations, dietary-supplement scams, and fraudulent government grant offers. Epsilon employees knew these were scams. Clients would occasionally get arrested. In one case, a worker lamented that one client, “brought us rev[enue] for 5 years but the law caught up with them and shut them down.”
The solicitations were fraudulent on their face. Sweepstakes mailer recipients were told they were one of a kind; it was obviously impossible they could all be winners. Yet Epsilon continued to work with such firms. It earned money from selling targeted lists of those who were most likely to respond. In fact, it had special names for the characters in this scam: targeted consumers were called euphemistically “opportunity seekers,” before they were victims. Clients who sent the fraudulent mailers were called “opportunistic.” The Justice Department leaves no doubt what these terms really meant — “opportunity seekers frequently fell within the same demographic pool: elderly and vulnerable Americans.”
During this decade, Epsilon helped criminals attack 30 million American consumers by selling these companies data that was used to facilitate “fraudulent mass-mailing schemes,” according to the Department of Justice.
Meanwhile, there was a devilish feedback loop also. Data from the criminal enterprises was used to hone Epsiolon’s algorithms, as Sherman and Simmons explain in their piece:
“Two employees ‘collaborated on a model in February 2016 ‘for clients engaged in fraud that used data from’ one of Epsilon’s clients. They expanded Epsilon’s databases by getting information back from scammers, and then used that information to determine which people would be most susceptible to future targeting. In other words, those who fell for a scam once would be documented in Epsilon’s database, so it could provide other scammers with lists of people who were identified to be … receptive to that kind of marketing.”
Epsilon agreed to “deferred prosecution” in its case, which means it essentially pled guilty and agreed to pay $150 million in fines and restitution. Separately, two former Epsilon employees have been charged criminally, a welcome development. One year later, their federal cases are slowly moving their way through a Colorado federal court. The most recent filing action in the case involved Epsilon trying to quash a subpoena issued by the defendants, who seem to believe corporate documents could exonerate them by showing they were just following orders. Epsilon denies that and says the defendants are on an evidentiary fishing scheme.
Macromark’s prosecution followed similar lines, court documents say. That firm also spent more than a decade helping criminals steal millions of dollars from thousands of victims who were targeted because they were likely to respond to a fraudulent psychic scam.
“In general, the most effective mailing lists for any particular fraudulent mass mailing were lists made up of victims of other mass-mailing campaigns that used similarly deceptive letters,” the Macromark guilty plea says.
There was no doubt Macromark knew what clients were doing, according to the plea document: “A Macromark executive sent a client a link to a newspaper article with the headline ‘Feds: Mail fraud schemes scam seniors,’ together with materials connecting the client’s own letters to the subject of the newspaper article.” The guilty plea says a Macromark employee actually helped a client change names to evade law enforcement.
“List brokers and service providers such as Macromark who facilitate these schemes are especially dangerous,” said Inspector in Charge Delany DeLeon-Colon of the U.S. Postal Inspection Service’s Criminal Investigations Group, which investigated the crime. “Data firms such as this have extraordinary access to consumer’s personal information, not just their mailing address. The sale and distribution of this data exponentially magnifies the scale and impact of these schemes. Macromark pleaded guilty to wire fraud, and admitted that the lists it provided to scammers led to losses of $9.5 million from victims. The company was sentenced to three years of probation and a $1 million fine.
Two Macromark executives were also indicted for mail and wire fraud as part of that investigation.
At KBM Group, an employee enjoyed a laugh at the expense of victims, court documents say. One solicitation sent using KBM data said recipients were entitled to $45,000 from an old dormant account, which would be released if a small fee was paid. A general manager at KBM said in an email, “Who responds to this stuff?? Obviously, we have those people.” Later, that same manager fought for a client that another employee had flagged as fraudulent, leading to the sale of 100,000 consumers’ data.
KBM pled guilty and paid agreed to pay victim compensation penalties totaling $42 million.
Fines are fine. Occasionally, victims of these frauds do get some money back thanks to restitution funds, and that’s fine, too, though often years late and many dollars short. Still, these examples show how brazen companies can be when providing a platform for criminals to connect with vulnerable people. Platform accountability calls for swift justice and jail time. Each week as host of The Perfect Scam, I listen to people talk about their lives torn apart by crimes like these.
When your actions logically begin a chain of events that leads to ruined lives, well, your life should be ruined, too.
I’ll let Shermer and Simmons have the last word:
“Data brokers are extremely profitable and can overcome imposed fines while continuing their operations. The more money they make, the more money they will have to spend on legal defenses. In the three mentioned cases, the data brokers’ internal compliance measures were ineffective, because these companies already knew that they were partnering with scammers and continued to do so because they saw it as financially advantageous. If controls were in place, they were ignored. And in the one case where controls were enforced, the controls were overridden by data broker employees pushing for profit above all else. This raises a series of critical policy questions about the effectiveness of company controls today and how much company controls should be prioritized as part of a policy solution when there is evidence that they can be overridden.
Comprehensive legislation, at the federal if not state level, to regulate data brokerage and prevent and mitigate its harms is necessary to protect all Americans. This should include a focus on stopping the algorithmic revictimization of people who fall for scams. It should also include a focus on controlling the sale and licensing of data on vulnerable Americans—particularly when data brokers knowingly use that information to help scammers prey on the elderly, cognitively impaired, and otherwise vulnerable.