New SPPI Report Exposes Chamber of Commerce Data Failures and Debunks “Phishing” Claims

ALBUQUERQUE, NM—The Southwest Public Policy Institute (SPPI) has released a new investigative report titled Access Granted, revealing how chambers of commerce, most notably the Rio Rancho Regional Chamber of Commerce, have mischaracterized legitimate data aggregation as phishing in an effort to deflect from their own cybersecurity shortcomings.

The report, which includes a real-world emulation using artificial intelligence and basic web scraping tools, demonstrates how easily public-facing member directories hosted by chambers of commerce can be compiled and repackaged by third parties. Contrary to alarming claims issued by some chambers and echoed by the Better Business Bureau (BBB), these activities do not constitute phishing, cybercrime, or fraud, but instead reflect common practices in digital marketing and lead generation.

“Phishing is a serious threat involving deception, impersonation, and theft,” said Patrick M. Brenner, President of the Southwest Public Policy Institute. “But what happened here is something far more mundane and far more embarrassing for the Chamber: their public data was accessed by a third party and offered in a more convenient format. That’s not fraud. That’s a market service.”

SPPI’s report dismantles the alarmist narrative perpetuated by chambers like Rio Rancho’s, whose public statement claimed that the offer of a membership list by an external party constituted a scam. In reality, SPPI found no meaningful security protections in place: no HTTPS protocol, no CAPTCHA, no access controls, and no technical safeguards to prevent automated scraping of the member directory.

Access Granted also explains the critical role played by data brokers, digital intermediaries, and list providers in today’s marketplace, expanding on themes introduced in SPPI’s 2025 white paper Swipe Right.

“Instead of modernizing their web practices, these chambers are inventing cybersecurity crises to excuse their own negligence,” Brenner added. “This is digital malpractice disguised as consumer protection.”

The full report, including technical documentation and policy recommendations, is now available at https://southwestpolicy.com/report-access-granted