Data Brokers and the 2025 Minnesota Lawmaker Shooting

An inside look at Vance Boelter’s use of 11 people-search services to track and attack officials, and why weak U.S. privacy laws still leave every home address exposed.

Minnesota’s Vance Boelter didn’t need special-ops tradecraft.


He needed Wi-Fi, a credit card, and the 11 “people-search” sites he’d scribbled into a spiral notebook: TruePeopleSearch, Spokeo, Pipl, PeopleFinders, BeenVerified, Whitepages, TruthFinder, Intelius, Ownerly, USSearch, and PeopleLooker.

Those bargain-bin data brokers gave him everything he required to hunt, surveil, and ultimately shoot four elected officials on 14 June 2025, killing Rep. Melissa Hortman and her husband and critically wounding Sen. John Hoffman and his wife.

the playbook, step-by-step

  1. Compile a kill list. In Boelter’s SUV, investigators found notebooks naming 45 Minnesota state and federal officials with home addresses, family details, and tactical notes like “big house off golf course, two ways in to watch from one spot.” (scribd.com)

  2. Comparison-shop for dossiers. One notebook page is a literal shopping list of data brokers, including prices, feature notes, and asterisks next to preferred vendors, indicating that he was seeking the cheapest and most comprehensive reports.

  3. Map routes & timings. A seized Garmin GPS showed recent trips to each target’s house, letting him choreograph a multi-stop attack run.

  4. Exploit physical trust signals. Wearing a silicone “cop” mask, Boelter rang doors at 2 a.m. shouting “police, open up,” then forced entry with a Beretta 9 mm. (abcnews.go.com)

Everything upstream of the trigger pull was powered by legal, $0.95-to-$5 people-search queries.

why people-search sites super-charge violence

Data brokers argue they only resell “public records.” Reality: they aggregate, cleanse, geocode, and link disparate documents, turning a weekend-long courthouse crawl into a one-click report. That transformation matters for threat actors:

| Pain point for stalker/killer | How a broker solves it |
| --- | --- |
| Finding the current address after a move | “Previous address” fields show move history and deed dates |
| Learning who else lives there | Relatives field links spouse & kids by name/age |
| Performing dry-runs | Satellite & street-view links embedded in dossiers |
| Scaling to many targets | Bulk CSV exports or monthly-fee APIs |

As privacy scholar Justin Sherman notes, dossiers cost as little as $0.95 each and have “enabled stalking, harassment, and murder for decades.” (lawfaremedia.org)

not a one-off: a 25-year pattern of lethal misuse

| Year | Victim(s) | Data-broker enabler | Outcome |
| --- | --- | --- | --- |
| 1999 | Amy Boyer, NH | Stalker bought her DOB for $20 and SSN for $45 from Docusearch | Boyer shot dead outside work (landmark Remsburg v. Docusearch duty-of-care ruling) |
| 2020 | Judge Esther Salas family, NJ | Gunman built a home-address dossier from multiple people-search sites | Son killed, husband wounded → Congress passes Daniel Anderl Judicial Security & Privacy Act limiting resale of judges’ data |
| 2025 | Rep. Hortman & Sen. Hoffman families, MN | Boelter’s 11-broker list plus on-site surveillance | Two dead, two injured; reignites Hill debate on broker regulation |

The constant: cheap, aggregated PII removes the hardest part of planning violence: finding the target.

the regulatory whiplash

  • Judges get an opt-out. After the Salas attack, federal judges can force brokers to delete their data, and many states copied the model for law enforcement officers.

  • Lawmakers tried, failed. A 2023 Klobuchar–Cruz amendment to the NDAA would have extended similar protections to members of Congress and their families; transparency groups killed it, arguing the public “has a right to know where elected officials live.” (politico.com)

  • Everyone else is on their own. Only a handful of states, California’s Delete Act chief among them, let ordinary citizens mass-delete broker files. For the other 280 million Americans, opt-out means slogging through 40–60 separate CAPTCHA-gated forms or paying a “privacy concierge.”

Momentum may finally shift: within 48 hours of the Minnesota shootings, Senators Amy Klobuchar and Ron Wyden revived bills that would ban resale of elected officials’ home addresses and authorize FTC crackdowns on data brokers that ignore legitimate deletion requests.

what this means for security leaders & public figures

  1. Assume address compromise. If you run executive-protection or corporate travel security, treat home locations as already known to adversaries.

  2. Red-team your footprint. Pull your own dossier from two or three brokers and map how easily it leads to schools, spouses’ workplaces, and vacation homes.

  3. Shift from takedown to deterrence. Removal services are whack-a-mole; physical measures (PO boxes for vehicle titles, LLC home ownership, package lockers) persist after the next data scrape.

  4. Lobby for default opt-out. CISOs rarely get political, but here the risk surface is legislative. Engage with trade associations pushing for an opt-in data-broker model similar to GDPR’s “legitimate interest” test.

  5. Bake privacy into public-facing workflows. Many lawmakers, including the Minnesota victims, published their own home addresses on campaign or government sites to appear transparent. Build CMS defaults that substitute district office addresses unless a user explicitly overrides. (news.risky.biz)
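
One way to implement the CMS default from item 5, as an added example (not code from the original post or from any real CMS): the district office is published by default, a missing office address fails closed instead of falling back to home, and the override counts only when the official confirmed it. All class and field names, the name-match confirmation check, and the sample data are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Address:
    street: str
    city: str
    state: str
    postal_code: str

    def one_line(self) -> str:
        return f"{self.street}, {self.city}, {self.state} {self.postal_code}"

@dataclass
class OfficialProfile:
    name: str
    home_address: Optional[Address] = None
    district_office: Optional[Address] = None
    publish_home_address: bool = False           # explicit override, off by default
    override_confirmed_by: Optional[str] = None  # assumed: who confirmed the override
    bio: str = ""

def public_address(p: OfficialProfile) -> Optional[Address]:
    """District office by default; home only on an override the official confirmed."""
    explicit = p.publish_home_address and p.override_confirmed_by == p.name
    if explicit and p.home_address:
        return p.home_address
    return p.district_office  # may be None: publish no address rather than home

def public_view(p: OfficialProfile) -> dict:
    """Build the only payload templates and APIs receive; raw home fields stay behind."""
    addr = public_address(p)
    bio = p.bio
    if p.home_address and addr != p.home_address:
        # Free-text fields can leak the address too; redact exact street matches.
        bio = bio.replace(p.home_address.street, "[address withheld]")
    return {"name": p.name, "contact_address": addr.one_line() if addr else None, "bio": bio}

# Constructed sample data (fictional person and addresses).
HOME = Address("12 Example Ln", "Sampletown", "MN", "55000")
OFFICE = Address("100 Capitol Blvd, Suite 5", "Sampletown", "MN", "55001")
default = OfficialProfile("Pat Doe", HOME, OFFICE, bio="Pat lives at 12 Example Ln.")
staff_toggle = OfficialProfile("Pat Doe", HOME, OFFICE, True, "staffer@example.org")
no_office = OfficialProfile("Pat Doe", HOME, None)
opted_in = OfficialProfile("Pat Doe", HOME, OFFICE, True, "Pat Doe")

if __name__ == "__main__":
    for profile in (default, staff_toggle, no_office, opted_in):
        print(public_view(profile))
```

The bio redaction only catches exact matches of the stored street line, so a production filter would need address normalization before comparing.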

take-aways for policymakers

  • Aggregation ≠ publication. Public records were never designed to be bulk-scraped, machine-cross-referenced, and resold; the risk calculus changes once they are.

  • Narrow carve-outs work. The judge-protection act illustrates that Congress can fence off high-risk groups without gutting transparency; extend that template to lawmakers and, ultimately, to domestic-violence survivors, abortion providers, and journalists.

  • Enforcement needs real teeth. A deletion right without statutory damages or FTC penalty authority is a suggestion, not a mandate. Follow California’s lead: per-record daily fines compel compliance at petabyte scale.

  • Broker audits should be mandatory. Require annual third-party audits of data provenance, accuracy, and opt-out processes, mirroring SOC 2 or PCI.

the bottom line

Boelter’s rampage is the grim culmination of a business model that monetizes the linkability of public data. Until the U.S. treats mass aggregation of residential information as the high-risk processing it absolutely is, security teams and families must plan around the assumption that their front door is already on an attacker’s Google Map.