Physical, Digital Risks of Unregulated Data Brokers

In mid-May 2025, the Consumer Financial Protection Bureau (CFPB) officially withdrew a proposed regulation designed to curb data brokers’ ability to sell personal data, an action that has significantly lowered barriers for malicious actors seeking sensitive information.
The rollback poses threats to physical and digital security, especially for high-profile individuals.
On June 14, 2025, Vance Luther Boelter leveraged multiple data broker platforms to compile a “hit list” and locate homes of government officials. Boelter is alleged to have used this information to carry out two fatal political assassinations and another shooting that left two injured. Given the drastic implications, it’s important that we examine the regulatory rollback, its operational impact, and how easily accessible brokered data can lead to physical risk.
Rollback of Data Broker Regulations
On May 15, 2025, CFPB acting director Russell Vought formally withdrew the draft rule known as Protecting Americans from Harmful Data Broker Practices. Originally introduced in 2024, the proposal would have required data brokers to comply with the Fair Credit Reporting Act (FCRA) and to obtain individual consent before collecting or selling sensitive financial and personally identifiable information (PII), including social security numbers and addresses.
The withdrawal notice stated that the proposal was not “aligned with the Bureau’s current interpretation of the FCRA.”
Billions of records of sensitive information, including SSNs and location data, were accessed from a single data broker breach in 2024. Former CFPB Director Rohit Chopra wrote that recent data broker hacks “represent a systemic vulnerability in how our personal data is bought and sold.” And consumer advocates warn that this “quiet killing” of oversight eliminates a key barrier preventing unregulated brokers from freely distributing sensitive data.
Exploitation via Data Brokers in Minnesota Killings
- In the June 14, 2025 shootings, suspect Vance Boelter is alleged to have used no fewer than 11 data broker platforms to gather home addresses and biographical details for 45+ political targets.
- Platforms identified in his notes and court filings include: TruePeopleSearch, Spokeo, Pipl, PeopleFinders, TruthFinder, Intelius, and Whitepages.
- Authorities state he used this brokered intelligence to create a “hit list” and stalk targeted public officials in their homes, resulting in the assassination of former Speaker Melissa Hortman and her husband, and shooting injuries to Senator John Hoffman and his wife.
Threat Analysis & Implications
- Unfettered access to PII enables operational planning: Without regulatory friction, the suspect gathered sensitive PII (addresses, family data), compiled logs, and conducted in-person reconnaissance.
- Facilitated political targeting: The ability to quickly scale and filter personal data across hundreds of brokers enabled the creation of targeted attack packages, akin to doxxing at scale.
- Pattern risk: As experts highlight, this case underscores how political assassins can weaponize everyday people‑finder tools. It has prompted a surge in calls for legislative reform, including the Federal Delete Act, and drawn parallels to New Jersey’s Daniel’s Law.
- Operational threats extend beyond brokers: As the Guardian reports, besides addresses, malicious actors now rely on online murder manuals, tradecraft guides, and even 3D-printed weapon blueprints, all increasingly accessible.
Conclusion and Further Recommendations
The CFPB’s rollback of the data broker rule effectively removed critical guardrails designed to protect American citizens, including politicians, from misuse of their personal data. The Minnesota killings are a tragic proof-of-concept: with minimal friction, a would-be assassin leveraged brokered address and identity data to execute targeted political violence. Absent regulatory reform and protective countermeasures, this playbook could continue endangering public figures and private citizens alike.
To mitigate these types of threats, BlackCloak recommends taking immediate action to reduce your personal exposure and harden your physical security posture by:
- Removing home addresses, phone numbers, and family affiliations from data broker sites and online public records. You’ll need to fill out an opt-out request form via each site (BlackCloak offers specialized data removal services to assist with this).
- Limiting public access to images of your home by enabling home blurring features on mapping platforms and removing property photos from real estate sites like Zillow. Avoid sharing home interior or exterior images on public social media posts, especially those that reveal layouts, entrances, or security features.
- Assessing residential security infrastructure, including camera placement, lighting, entry reinforcement, and emergency alert systems. BlackCloak partners with a range of Executive Protection firms who can provide a physical threat assessment.
- Educating family members on how to verify a visitor’s identity, particularly anyone claiming to be from law enforcement, ideally using secondary verification measures. Never grant access to your residence before identity has been verified.
For more information about how BlackCloak helps secure your entire digital footprint through luxury cybersecurity services, visit blackcloak.io.