How did they get my data? I uncovered the hidden web of networks behind telemarketers

Last year, I started getting a lot of unsolicited phone calls, mainly from people trying to sell me things. This came as a surprise because, as a data scientist, I am very careful about what personal information I let out into the world. So I set out to discover what had happened.

My investigation took several months. It eventually led me to the labyrinthine world of data brokers.

In today’s digital age, where personal data is a new kind of gold, these companies wield significant power, creating networks where our personal information is shared between brokers and telemarketers as easily as TikTok videos. Their businesses profit from the data they collect, and many of the calls they enable come from scammers.

This comes at an enormous cost: in 2023, Australians lost $2.7 billion to scams^[1]. This highlights the urgent need for stronger privacy protections to limit how our personal data is collected and shared.

In an attempt to address this need, the Australian government this month introduced long-overdue privacy reforms. But these reforms are still inadequate^[2] for the many privacy issues affecting people today, including targeting by data brokers and telemarketers.

Investigating the hidden web

One of the mechanisms designed to protect us from unwanted calls is the Do Not Call Register^[3].

Managed by the Australian Communications and Media Authority, the registry holds more than 12 million phone numbers^[4], including mine. The registry is supposed to block unsolicited calls. But last year, despite being on the list, I began to receive dozens of unwanted calls – on average, about three per day.

Curious, I started tracing the origins of these calls. What I uncovered was a network of hidden connections between data brokers, telemarketers and large organisations – including a major political party. It became clear that simply being on the Do Not Call Register wasn’t enough to protect my privacy.

I started by asking the callers what data they held, and how they had obtained mine. I requested details about the companies they represented, including their websites and Australian Business Numbers (ABNs) – the unique identifiers for Australian businesses.

Most callers hung up the moment I started asking questions, until one day I spoke with a man named Paul, who worked in the real estate sector – an industry worth more than $10 trillion^[5] as of 2024. The high-value real-estate market makes our personal data especially valuable to businesses operating within the industry.

Digging deeper

The unique thing about Paul was that he knew my real name, whereas other telemarketers only had access to the pseudonyms I’d used to protect my identity online. Paul explained he had licensed my data from the real estate giant CoreLogic Australia^[6].

This discovery pushed me to dig deeper. After a lot of back and forth, I finally obtained my data from CoreLogic. The amount of information was small, but surprisingly accurate – especially considering the steps I’d taken to hide my identity. It made me wonder where they got it from, as only organisations such as utility companies, banks or the government would hold that type of information.

CoreLogic told me in an email that:

CoreLogic gets data from a variety of sources … most of the information we collect comes from public records, which we license from government departments and agencies. We may also collect personal information from third parties such as through real estate agents, tenancy and strata mangers, financial institutions and marketing database providers.

This was a troubling discovery, because the institutions on which we depend for essentials such as public services, housing and finance – and from which we can’t hide our identities – may be selling our personal information to data brokers, who then pass it along to telemarketers.

What’s even more alarming is that the data is shared unmasked, meaning personal details such as our names, genders and phone numbers are fully visible. Once this information is out in the open, it becomes almost impossible to control how it’s recorded or shared.

It’s also nearly impossible to stop it being passed to overseas telemarketers, who aren’t bound by Australian privacy laws.

References

1. ^{^} Australians lost $2.7 billion to scams (www.accc.gov.au)
2. ^{^} are still inadequate (theconversation.com)
3. ^{^} Do Not Call Register (www.donotcall.gov.au)
4. ^{^} more than 12 million phone numbers (www.donotcall.gov.au)
5. ^{^} more than $10 trillion (www.abs.gov.au)
6. ^{^} CoreLogic Australia (www.corelogic.com.au)
7. ^{^} IgorGolovniov/Shutterstock (www.shutterstock.com)
8. ^{^} Smrtr (smrtr.com.au)
9. ^{^} EightDragons Digital (8ddigital.com.au)
10. ^{^} It collects personal data (v.fastcdn.co)