That's a very good question. This is how it works: Data brokers have become an industry unto themselves. Personal information is now worth money, and it usually passes through many hands. There's not one identity thief, but several: there's the person who collects it, the person who sells it, and the person who makes money off of it. Ultimately you need to get to a valid piece of usually government-issued ID. But to get there, often what's collected is invalid, stolen, or borrowed pieces of personal information that can come from a wide variety of sources. The private sector is often where it originates, but usually identity thieves will need some valid piece or what looks like a valid piece in order to do a legitimate transaction. We have recommended a wide range of approaches, from better personal information handling practices to more restrained collection to disposing of information when you no longer need it, and then, ultimately, to criminal sanctions for the very worst case of identity theft.
Does that answer your question?