NEW YORK (CNN/Money) – In the past four weeks alone, there have been reports of massive security breaches of over 2 million people's sensitive personal information.
Time Warner reported that records on past and current employees, and their beneficiaries, were lost. Shoe retailer DSW and online broker Ameritrade reported that customer records were lost or stolen.
You may think your chance of having your identity stolen increases when a company tells you that your name, Social Security number, checking account information, credit card number or other sensitive information has been exposed.
But much of your information is already bought and sold year-round. And you never know into whose hands it falls since identity thieves and company insiders have proven quite clever at obtaining records.
And identity theft or no, there's a lot of money to be made off your good name.
"It's easily a multi-billion-dollar business," said Evan Hendricks, editor of newsletter Privacy Times, author of Credit Scores & Credit Reports: How the System Really Works, and an expert witness on identity theft issues on Capitol Hill.
Here's just a partial list of who profits from your profile:
The credit bureaus
In addition to selling your credit report to lenders with whom you wish to do business, the three major credit bureaus – Equifax, Experian and TransUnion – and a lesser-known one called Innovis make money by selling "header" information from your credit report to credit card companies and other lenders interested in mass marketing credit offers to consumers.
Included in a header are your name, address, phone number, date of birth and Social Security number.
Header information is the source for a majority of the pre-approved credit offers mailed to consumers. Last year was a record year. Seventy-one percent of U.S. households received at least one card offer a month, and among those the average received for the year was 68, according to Synovate.
By law, the bureaus can't sell credit report information for non-credit purposes. But they have a second, unregulated line of business in which they collect data that they can sell to businesses offering non-credit products and to government agencies, Hendricks said.
That information can range from anything available in public records, such as driver's license information, to specifics on your buying habits.
Retailers and manufacturers
From Mom-and-Pop shops to nationwide drug stores and supermarkets to the manufacturer of your coffeemaker, there's information companies collect on you and may sell to information brokers.
That information can come from your use of a store loyalty/discount card, a product warranty form, or a consumer survey.
For instance, a supermarket offering a discount card can create a detailed profile of your consumption habits, including not only what you eat, but what alcohol and pharmaceuticals you consume, according to the Electronic Privacy Information Center. And there's nothing legally preventing them from selling that information to, say, a health insurer.
A warranty card, meanwhile, may ask for information unrelated to your purchase, such as your income, age and interests or ailments.
Commercial data brokers
Legitimate brokers such as ChoicePoint, Acxiom and Lexis/Nexis unit Seisint purchase data from a host of sources, including government agencies, businesses, credit bureaus and investigators.
They then package and resell the data to a host of parties, many of whom were the original sources of the information: government agencies, businesses, investigators, debt collectors and lawyers.
The amount of information they have on you extends to the identities and contact information for your relatives and neighbors, along with a list of assets, licenses, bankruptcies, liens, business affiliations and criminal offenses. A full dossier on a consumer at ChoicePoint, for example, can run as long as 30 pages or more.
While the records are intended for "legitimate" use by employers, landlords, insurers and others, identity thieves have been able to access them.
For example, ChoicePoint earlier this year reported that at least 145,000 records were breached by small business customers who opened ChoicePoint accounts by using stolen identities and altered documents. The company has since said it is strengthening its customer credentialing procedures.
The 'gray/black' market
Scores of Web sites that trade in personal information are what former private investigator Robert Douglas classifies as the "gray/black market."
Douglas, the CEO of PrivacyToday.com, has testified numerous times before Congress on securing personal data.
"If they trust you and don't think they're talking to a reporter, they'll sell you anything," Douglas said. "Anyone can go to a gray market and buy anything on anyone."
"Anything" includes not only Social Security numbers, but phone-call records, employment information, health information and even your bank account information, which is illegal to sell.
A lot of the information may be obtained legally – from public records, for instance. But some of it is likely to be obtained illegally – for example, through a ploy known as "pre-text calling."
In a pre-text call, someone might, for instance, call a bank and pose fraudulently as a business with a legitimate interest in verifying your account or as the account holder himself.
Or they may pay or trick insiders to provide the information, said Douglas, who also has worked with the Federal Trade Commission on sting operations to nab those engaged in illegal sales of information.
How much will it cost you to do a "background" check on someone online? Anywhere from $9.95 for basic phone-book information to $130 for a full dossier, said Chris Hoofnagle, director of the West Coast office of the Electronic Privacy Information Center.
'Gray' market brokers, combined with identity thieves, are breaching information security systems across all business and government sectors every day, Douglas told the Senate Judiciary Committee in April. "You don't get 10 million identity theft victims (in 2004) and $50-plus billion dollars in losses to identity theft related to financial fraud from dumpster divers."
You can't entirely eliminate your chances of identity theft, but there are steps you can take to minimize them, particularly if you do learn your records have been breached.