Personal data removal & breach briefings
40 briefingsThe briefings here address data privacy from a practical standpoint: what do data brokers and people-search platforms hold about you, what rights do you have to remove or suppress that information, and what does a realistic removal effort actually achieve in each jurisdiction?
The research is built from primary sources — regulator decisions, court records, direct broker policy documents, and field tests rather than aggregator summaries. The guidance is structured to be actionable. Each guide tells you what to do, in what order, which brokers and legal mechanisms apply in your jurisdiction, and where the ceiling sits on what you can realistically achieve without a professional service.
Coverage includes the broker ecosystem and removal mechanics for major jurisdictions (EU, UK, US, Germany, and Australia/New Zealand), how credential leaks and infostealer exposure create personal risk, the economics that make automated removal subscriptions underperform against a structured manual approach, and the GDPR and equivalent rights that work in practice — including the ones that data brokers resist and the paths for escalating when they do.
Data Brokers
View hub →Search Result Removal Is Not Data Removal
Search engines can hide a result without deleting the source behind it, which is why durable removal starts at the source, not the search box.
ANALYSISThe Security Case for Cleaning Up Your Digital Footprint
Footprint cleanup is not privacy theatre. It improves security when it removes the data attackers use to profile, impersonate, recover accounts, and build credible pretexts.
ANALYSISIs Your Telecom Operator a Data Broker? Running the Framework on Utiq
Four European telecoms operators built Utiq, an advertising identifier generated from your network connection. Put beside a cookie and run through the data-broker framework, it raises a sharper question than the marketing suggests.
ANALYSISHow to Identify a Data Broker in the EU (When They Don't Call Themselves One)
European data brokers rarely call themselves data brokers, and no EU registry lists them. An EDPB market study offers a reusable framework to identify one by what it does.
ANALYSISInside the Data Clean Room: How Your Profile Is Rebuilt Without Being Stored
Data clean rooms merge data about you, build a profile sharp enough to target you, then decline to store it. Here is the mechanism, and where the privacy claim breaks.
ANALYSISWhat Two LexisNexis Breaches Reveal About Trusting Data Brokers
LexisNexis was breached twice in fourteen months. What that reveals about trusting data brokers with data you never gave them.
ANALYSISHow Your Digital Footprint Becomes Prices, Scores and Decisions
A single fact about you is worth a fraction of a cent. Refined by brokers, resolvers and scoring vendors, it decides your credit, insurance, rent and the price you pay.
METHODHow an Eraser Engagement Runs
A methodology walkthrough of the Eraser engagement — from the Mirror and Lockdown investigation foundation through active removal, verification, and the 90-day re-scrub.
ANALYSISGermany’s Data Economy: What the Auskunfteien, Address Traders, and Adtech Platforms Know About You
Germany ranks near the top of European privacy surveys and hosts one of the continent’s most sophisticated data trading ecosystems. This maps the credit bureaus, address traders, and adtech platforms that hold data about German residents — and the legal mechanisms that limit enforcement against each.
GUIDEBest Data Broker Removal Services in the US: What Actually Works (2026)
Six US data broker removal services tested against the August 2024 Consumer Reports field test — and why the free manual baseline outperformed every paid vendor in the cohort.
ANALYSISWhy Data Brokers Make Opt-Outs Hard: The Economics of Friction
Broker opt-out URLs break for a structural reason: working opt-outs lower subscription revenue. The SEC-anchored math behind the friction.
GUIDEHow to Delete Your Personal Information from the Internet — The Practitioner’s Sequence
Removing your personal information from the internet is four problems, not one. Each layer has its own legal mechanic and its own DIY ceiling.
GUIDEData Brokers in the UK: Your Rights Under UK GDPR and the DUAA 2025
Who the UK's data brokers are, what the Data (Use and Access) Act 2025 changed, and why individual GDPR action now does what the ICO no longer can.
GUIDEDo Data Broker Removal Services Actually Work? A Practitioner’s Answer
A practitioner’s answer on how data broker removal works under GDPR and CCPA, and when a subscription service, DIY, or full OSINT investigation is the right fit.
GUIDEIs Data Broker Removal Legal in Europe Under GDPR?
Data broker removal is legal across the EU under GDPR Articles 17 and 21 — but the "legitimate interest" argument brokers rely on usually does not survive a proper balancing test.
GUIDEBest Data Broker Removal Services in Europe: Country-by-Country (2026)
A verified, country-by-country comparison of data broker opt out services in France, Germany, Netherlands, Spain and the UK — using Consumer Reports 2024 results and direct pricing checks, not vendor marketing.
GUIDEData Broker Removal in Europe: What a Professional Engagement Actually Looks Like
Automated removal services average a 48 per cent success rate. Here is what a professional, human-led data broker removal engagement in Europe involves — from discovery through deletion, suppression, and ongoing monitoring.
GUIDEGDPR Data Subject Access Request: Template and Complete Guide
A complete guide to GDPR Data Subject Access Requests — what the law says, what you are entitled to receive, enforcement case law, and a ready-to-use template.
GUIDEHow to Disappear from the Internet
A practitioner’s guide to reducing your digital footprint. What you can remove yourself, what persists regardless, and where DIY efforts reach their structural limit.
GUIDEWhy Data Broker Opt-Outs Don't Stick: The Bounce-Back Problem Explained
A realistic framework for data broker removal: how broker tiers work, why deletions bounce back, and how to use GDPR/CCPA leverage effectively.
GUIDEData Brokers in the United States: No Federal Law, 25 Brokers, and How to Opt Out
The US has no comprehensive federal privacy law. Data brokers hold vast quantities of personal data on Americans with almost no legal obligation to stop. What the FCRA and state patchwork cover, 25 brokers with opt-out links, and why California's DELETE Act in 2026 changes everything.
GUIDEData Brokers in Europe: GDPR, UK Law, Germany, France — and the US Surveillance Risk Nobody Warned You About
GDPR gives Europeans powerful rights over their data. But data brokers exploit legitimate interest loopholes, US surveillance law undermines every EU-US transfer framework, and a third Schrems ruling may invalidate the current system again. A complete guide to EU privacy law, major fines, and how to use your rights.
GUIDEData Brokers in Australia and New Zealand: What They Hold, What the Law Allows, and How to Get Out
Australia has had some of the world's largest data breaches. But most Australians don't realise data brokers legally hold and sell their personal data every day — with few legal obligations to stop. What the law says, who the 25 biggest brokers are, and how to opt out.
ANALYSISAll Odido Data Is Now Online. Here Is What Happens Next.
When stolen data moves from 'for sale' to 'free for anyone', the real damage begins. Here is what typically happens next — illustrated with real Dutch and European cases.
INTELThe Right to Delete Your Data Exists. Data Brokers Are Ignoring It.
35 brokers hid their opt-out pages from Google. 43% ignored deletion requests entirely. California's new DROP tool changes everything. Here is the evidence — and how to fight back.
GUIDE15 Major Data Brokers: Direct Opt-Out Links (2026)
A practical guide to identifying data brokers holding your personal information and the most effective removal strategies available — including what they won't tell you.
Credential Leaks
View hub →Why Cybercrime Isn't About You: Motivation, Opportunity, and How Victims Are Surfaced
In most cyber incidents no human selected the victim. Exposure did. Why motivation is not the bottleneck, and what that changes about defence.
GUIDEWhat to Do After a Data Breach: A Step-by-Step Playbook
A step-by-step playbook for the moment you learn you have been breached: secure your accounts, triage by data class, work the four-wave attack timeline, and use your EU rights.
GUIDEWhat Is Account Takeover: The Full Attack Anatomy
A practitioner-level anatomy of account takeover — the credential supply chain, MFA bypass mechanics, post-access exploitation, and a layered defence that maps to each attack class.
ANALYSISFrom Gamble to Calculation: How Your Exposure Decides Who Gets Attacked
An intrusion told backwards from a single email address, and why a findable digital footprint turns a target from a gamble an attacker takes into a calculation they can run.
ANALYSISHow Modern Infostealers Work: Execution, Telemetry, and the 2026 Log Economy
How RedLine, Lumma, and Vidar execute on the host, what they harvest, what is visible on the wire, and how stolen credentials flow through 2026 log markets.
METHODHow a Lockdown Investigation Runs
The Lockdown is the credential-and-account-takeover tier of our investigation work. Five business days, fixed €995, the full Mirror foundation plus seven Lockdown-specific deliverables. This article walks the methodology stage by stage: discovery, cross-reference, verification, report.
ANALYSISHow Crypto Anonymity Breaks at the Endpoint
Crypto privacy was designed against chain analysis, not against the endpoint. The Fowler 2026 database showed why that gap is now the dominant threat.
GUIDEDark Web Monitoring: What It Actually Does and When It’s Worth Paying For
What dark web monitoring actually catches, what it misses on stealer logs and live session cookies, and when bundled, standalone, or human-led options each make sense.
INTELStealer Logs: Inside The Credential Market HIBP Doesn't See
Stealer logs are the credential exposure vector most organisations cannot see — per-device snapshots containing passwords and live session cookies, sold in underground markets within hours of infection.
GUIDEIf You Were in the Odido Breach — What to Do Now
The Odido dataset is public. If you were a customer — even a decade ago — your data is likely in it. This is what the exposure enables, and what closes it.
INTELOdido: One Month After Disclosure, the Breach Is Still Expanding
One month after Odido disclosed the breach, every dimension has escalated. The full dataset is public. Ministers and protected persons are in it. Former customers who left a decade ago are in it. And the fraud is doubling.
INTELThe Odido Breach: 30 Days of Criminal Activity, Documented
The Odido breach was confirmed February 12. Within 19 days, the full dataset was published on criminal infrastructure. Within 20 days, active phishing campaigns were running. This is not a prediction — it is a documented sequence.
ANALYSISSynthetic Identity Fraud Is Becoming an Identity-Bypass Chain
MFA was supposed to solve password theft. KYC was supposed to solve identity fraud. Both assumptions are now broken — defeated not by nation-states but by criminal groups using free software, breach data as raw material, and OSINT to source every component.
INTELOdido Breach: How ShinyHunters Stole 6.2M Records
ShinyHunters is publishing stolen Odido customer data daily — names, IBANs, ID numbers, sensitive account notes. The attack used a phone call, not a zero-day. Here is exactly how it unfolded.
If you want long-term removal across the broker ecosystem, the Eraser runs the multi-week purge.
Reduce broker exposure