Amanda Aranczyk
This is Planet Money from NPR. I recently got a letter in the mail and it's pretty likely that you got one of these, too. It is the special kind of letter that sometimes gets turned into a Planet Money episode. And then, and that is because this letter is just the tip of an iceberg and beneath the water is a profoundly deep mass of bought, sold and stolen personal data. My data, and maybe your data too. I took this letter to Jim Francis. Okay. So I got, where is it? I got a letter from Ticketmaster. It says here. Yeah, it says.
Jim Francis
What's the date?
Amanda Aranczyk
The date on it? July 17, 2024. Did you get one of these?
Jim Francis
I did not get one. I'm not a Ticketmaster customer. But my clients got that letter.
Keith Romer
Jim has clients because he is a lawyer at Francis Mailman Soumilas. He focuses on consumer protection and class actions. And he knows all about why Ticketmaster sent these letters.
Amanda Aranczyk
Now, it has nothing to do with my last purchase, tickets to see Future and Metro Boomin, because that's how I roll. But everything to do with a data security incident. Ticketmaster was hacked. And Jim, he is suing them on behalf of some disgruntled customers.
Keith Romer
I mean, who among us is not a disgruntled Ticketmaster customer?
Amanda Aranczyk
Oh, so many reasons to be disgruntled with Ticketmaster. Now Ticketmaster says they are investigating what happened. It is possible some bad actors took my personal data. Ticketmaster sent me this letter as a warning. Did Ticketmaster like do this out of the kindness of their heart? Did they just feel bad that they lost my data. Why did they send this?
Jim Francis
They would tell you they did it out of the kindness of their heart and their concern for their customers. The reality is some, if not all, states have a data breach notification law requiring the company to notify consumers the minute they find out that there's a breach.
Amanda Aranczyk
So, sure, I was curious about the breach and how it happened, but I confess to Jim, I wasn't actually worried. I mean, how bad is it that my data is out there? Like, I'm a little bit like, yeah, this is not my first data breach rodeo. This happens all the time. Why should I even bother caring?
Jim Francis
Well, one of the things that varies among data breaches is the nature of the information. If somebody has all of your information, your name, your date of birth, your Social Security number, your address, your personal habits, things like that, that is significant and that is serious. And you do have to be vigilant, probably for forever because of that. Now, if it was something just forever.
Amanda Aranczyk
Forever.
Jim Francis
Forever, forever. If it was just your zip code, for example.
Amanda Aranczyk
Right.
Jim Francis
Okay. But what we understand to be the case here is this is a wide variety and a wide net of PII.
Keith Romer
Amanda, they've maybe got your PII, your personally identifiable information. So things like your Social Security number, your cell phone number. PII is kind of the jackpot of data.
Amanda Aranczyk
Yeah. Jim says that could make me a victim of identity fraud, a target for phone scams. Someone could try to get a new credit card in my name. That would be bad. And whatever was leaked in the Ticketmaster breach, that is just some of the data about me that exists online.
Jim Francis
You know, one of the things that I have just learned over the years, you know, almost 25 years of doing this, is that the amount of consumer data that's collected is just. It's mind boggling. You know, it's your voting affiliation, your religious affiliation, your addresses, what type of clothes you buy, your keystrokes, your fingerprints, your shopping habits, your everything. Right. You leave a trail and a footprint wherever you go and whatever you log into.
Amanda Aranczyk
Of course, this isn't just about my trail and my footprint.
Keith Romer
Yeah. Jim says that the Ticketmaster breach was part of an even bigger hack, impacting the customers of lots of companies.
Amanda Aranczyk
So this is like potentially hundreds and hundreds of millions of people.
Jim Francis
Yeah. That's huge. A lot of these data breaches are huge. This one's particularly large.
Amanda Aranczyk
Oh, God.
Keith Romer
Amanda, it sounds like Jim is maybe starting to stress you out a little bit there.
Amanda Aranczyk
I don't know why you think that.
Keith Romer
Hello and welcome to Planet Money. I'm Keith Romer. Amanda, we have to keep making the show.
Amanda Aranczyk
I just need a second. You go on ahead. I'll catch up.
Keith Romer
Okay. And that's Amanda Aranczyk. Today on the show, the Ticketmaster data breach.
Amanda Aranczyk
We are going to follow this all the way to find out where did my data go, how scared should I be, and what am I supposed to do about it?
Keith Romer
And how the personal and private information for all of us is being bought, sold, and stolen.
Keith Romer
Amanda, your growing paranoia is basically right.
Amanda Aranczyk
Yeah, I figured.
Keith Romer
Yeah. Our data is being compromised more and more often. The number of data breaches has been steadily ticking upwards for two decades. And 2023 was, I guess, a banner year for data breaches.
Amanda Aranczyk
Yay.
Keith Romer
Yeah, it's a little too soon to say, but 2024 could set a new, new record.
Amanda Aranczyk
So where did my stolen Ticketmaster data go and what exactly was taken? The letter from Ticketmaster says it's just my name, my basic contact info, payment card info. Which is bad.
Keith Romer
Which is bad.
Amanda Aranczyk
That's bad. But Jim, the lawyer, suggested the people who stole it might have had much more than that.
Keith Romer
We sent what we knew about the breach to friend of the show, Skylar Devine. He is the former director of technology at WNYC, the NPR station here in New York. He agreed to help us try to track down your data, Amanda, find out where it went.
Amanda Aranczyk
Okay, so, Skylar, you and I are setting up our computers. Maybe I should make a Zoom link.
Skylar Devine
Yeah, why don't you send me that by email? I guess.
Amanda Aranczyk
Okay.
Keith Romer
Apparently, after failing to get ransom money from Ticketmaster, a hacker group called Shiny Hunters posted the data for sale for half a million dollars on a dark website called Breach Forums.
Amanda Aranczyk
So Skylar and I decided to log onto Breach Forums and see if we could find the data ourselves.
Skylar Devine
I don't think you're gonna want to click on any media on the site.
Amanda Aranczyk
Okay. Okay.
Skylar Devine
Even if there is some.
Amanda Aranczyk
So this is not a place where we just freely click.
Skylar Devine
If you've heard of places like 4chan, yeah. You know, there's gonna be a lot of racial slurs and horrible language. Horrible people hang out there.
Keith Romer
Obviously we want to be careful here, and we do not advise you to do this at home, dear listener. Skylar has created an anonymous account for. He set up a private window that makes us hard to track. Skylar is a low-key IT guy. He's unfazed, but he is still prepared for anything.
Amanda Aranczyk
Now, I'll admit, I was expecting something different. We would download a special browser and we'd be visiting, like the infamous Silk Road, which was apparently the best place online for fireworks, cocaine, porn, Social Security numbers. I swear I wouldn't know.
Keith Romer
No, no. Why would you know?
Amanda Aranczyk
I don't know. This is a web forum. It is dedicated to the buying and selling of stolen data. Looks a little bit like Reddit, but the background is all black. Can we find the Ticketmaster data here?
Skylar Devine
Oh, probably not anymore. I think this is a very, like, ephemeral chat system.
Amanda Aranczyk
So we just poke around. The forum is actually somewhat gamified. Reminds me a little bit of Duolingo.
Keith Romer
Keep your stolen data streak alive.
Amanda Aranczyk
Exactly. There is this ranking system. You can be a VIP data seller or an MVP or top level, an actual God at selling stolen data.
Keith Romer
Yesterday, Skylar says he saw posts offering more than 57,000 lines of data from BCP, the largest bank in Peru, and close to 155,000 lines of data from Banco Falabella in Chile. Today there is some juicy US data.
Amanda Aranczyk
This appears to be somebody selling Social Security numbers. Can we look at that?
Skylar Devine
Yeah. So let's take a look. So up at the top, they give a list of the fields that they're providing. First name, last name, email, mailing address, your phone numbers, Social Security number, date of birth, driver's license.
Keith Romer
Skylar explains that this is the hackers posting a summary of the data fields they have. And then below that there's a little sampler, maybe the details they have for five or ten different people.
Amanda Aranczyk
Now, you usually only have one Social Security number. You only get one date of birth. And once someone has those details about you, it's not like you can ever get them back.
Keith Romer
Yeah. These are incredibly valuable pieces of personally identifying information. They are really helpful if somebody wants to steal your identity.
Amanda Aranczyk
But we were not here to just look at any old data breach. We were looking for my data, specifically that Ticketmaster data. Can you scroll up for a second?
Skylar Devine
Yeah.
Amanda Aranczyk
And then as we start to poke around the message boards, can we look for Shiny Hunters? Like, is there a way to search this?
Skylar Devine
Let's see. Shiny Hunters. Banned.
Amanda Aranczyk
Banned. Their name is crossed out. We have no clue why. We figure we have reached a dead end, but we continue to search the word Ticketmaster. And then we notice something a little odd. A post from a user with an avatar like Shiny Hunters. The avatar is from Pokemon, but it is a different username, Spider Hunters. And apparently they are an MVP at selling stolen data.
Keith Romer
The post has a big Ticketmaster logo right at the top.
Amanda Aranczyk
Ticketmaster will not respond to requests to buy data from us. They care not for the privacy of 680 million customers. So give you the first million users free. What do you make of this?
Skylar Devine
I mean, it certainly looks related, right? And the timing somewhat matches.
Amanda Aranczyk
Skylar, I think you found the Ticketmaster data leak.
Skylar Devine
It certainly looks like it could be.
Amanda Aranczyk
Now, my data is not part of the tiny sample that is posted here, but if someone bought my Ticketmaster data, they would presumably have a lot on me, and they could combine it with data that was compromised in some other data breach. Maybe they could get into my phone or my iCloud or my bank account.
Keith Romer
The only way we could know for sure is if we went and bought that data. But as much as we at Planet Money like to get our hands dirty learning about the economy, we did not get permission to buy stolen data on the Dark Web.
Amanda Aranczyk
But we have learned a lot about this market. It is brazen, it is bustling, and it is organized. Skylar does point out that we shouldn't necessarily take all of this at face value. Some of the people on this forum might actually work on the security side of things. The FBI has actually shut down the site multiple times. It's even possible the entire site is a honeypot, just a way to monitor and trap hackers.
Keith Romer
Still, just in case this is a real post, Amanda, you went ahead and sent a message to Spider Hunters to ask if they wanted to, you know, discuss your data. Spider Hunters, by the way, is not spelled the way you might expect.
Amanda Aranczyk
It's SP1D3.
Skylar Devine
You don't have to worry about that part.
Amanda Aranczyk
Oh, I just feel like it's respectful. It's more respectful.
Keith Romer
Yeah.
Amanda Aranczyk
Here we go. Okay, fair enough. Hello, Spider Hunters. I'm one of the hosts of the NPR show Planet Money. We're a popular NPR podcast that covers business, finance and economics. Is this too much? Does this seem like I'm just asking for them to donate as a listener? We finished the email. Add one of those emojis with the tongue out because we're fun like that. Also, an email address they can reach us at, and we hit send. I do not leave my own personal contact info, though, because, hey, they already have it.
Keith Romer
So while we wait to see if we get a response from Spider Hunters, we decide that the next thing we need to do is figure out how Amanda's data was stolen. What exactly happened. And this leads us to an equally unsettling market for our data, the legal market where personal information is bought and sold every day. That's after the break.
Amanda Aranczyk
In my letter from Ticketmaster, they say that my data was stolen from an unnamed data services provider. Turns out this is a tech company called Snowflake. Snowflake does data storage and analysis. Basically, if you are a company that needs to keep a lot of data somewhere, Snowflake could be like your warehouse for it. That's what they are for Ticketmaster for at least some of their user data.
Keith Romer
By the way, we did write to Ticketmaster and to Snowflake, but they didn't get back to us in time for this episode. Now, one thing that is not spelled out in Amanda's original data breach letter is how her data was stolen. But here's what we found out. Back in April, a cybersecurity company started noticing something suspicious. Some bad actor or bad actors was targeting Snowflake and some of the companies that use Snowflake.
Amanda Aranczyk
Companies like AT&T, Advance Auto Parts, Neiman Marcus, Cricket Wireless. These cybersecurity researchers figured out that hackers had stolen a bunch of Snowflake customer logins. These were the logins that like Ticketmaster or AT&T would use to access their data on Snowflake. So obviously somebody should have changed their password. People, change your passwords.
Keith Romer
These accounts were also not set up with two step authentication. You know, where you like, you're logging in and then you get asked for your password and then you also get your cell phone pinged for another code. Two steps to confirm that it is actually you trying to access your sensitive and valuable data.
Amanda Aranczyk
People, turn on two step authentication.
Keith Romer
Yeah. Ticketmaster and Snowflake did not require users to use two step authentication. So it was like there was a little window that was easy to pry open and the bad actor went right through that window and stole the data.
Amanda Aranczyk
Of millions of people, including probably my data. Did you get one of these?
Justin Sherman
I did get one of these as a fellow Ticketmaster user.
Amanda Aranczyk
Okay.
Keith Romer
Justin Sherman thinks his most recent Ticketmaster purchase was tickets to SZA. Aside from loving contemporary R&B, Justin also founded a company called Global Cyber Strategies in D.C., and he's the go-to guy for all things cybersecurity, data privacy, AI.
Amanda Aranczyk
Justin says that Snowflake, the company at the center of the breach, their business isn't just about storing and analyzing data. They also operate a data broker marketplace.
Justin Sherman
And it's like eBay for your data. You type in health or location, you hit enter, you add to cart, and you check out.
Keith Romer
This data marketplace is part of a multibillion dollar industry that makes its money off of the buying and selling of personal information. A lot of personal information.
Amanda Aranczyk
How many pieces of data about me do you think are out there?
Justin Sherman
I'm glad you asked this question. So there are single companies that sell 13 or 14,000 plus data points on one person.
Amanda Aranczyk
Okay, okay, so let me get to break this down for me. So one data point is my first name. One data point is my last name. One data point is my date of birth. What are the other 12,997 other data points?
Justin Sherman
Let's put it this way. If you think of every single moment of your life that can be tracked, those are the kinds of data points that can be bought and sold.
Keith Romer
Yeah, that's how a lot of the Internet gets paid for. We get to use websites for free. And those websites make money by collecting data about us and selling that data on to whoever will pay for it.
Amanda Aranczyk
And what has been happening over the last decade is some companies have collected a truly astounding amount of data. Justin says they have become these giant centralized repositories for all of our personal information.
Justin Sherman
We all know the saying, don't put all your eggs in one basket.
Amanda Aranczyk
Yeah, my 13,000 eggs.
Justin Sherman
Exactly. When companies or government agencies take thousands of those eggs on hundreds of millions of people and plop them in one place, you're building a really attractive target where if someone gets in, all of this aggregated commercial data is sitting there ready for the taking.
Amanda Aranczyk
So in many ways, the illegal market depends on the legal market, on all of these companies collecting all of our information.
Keith Romer
Now, Justin isn't just worried about hackers stealing our data. He is also really troubled by this fundamental invasion of our privacy online, how these companies buy and sell our personal information on the legal market.
Amanda Aranczyk
So the next thing he wants to show me is part of that legal marketplace. It's a website that sells lists of senior citizens.
Justin Sherman
So what we're looking at here is a database that it says, quote, gives you access to seniors who are currently being cared for by an adult child or family member, unquote.
Amanda Aranczyk
So this is people who require pretty extensive care. Seniors who require care.
Justin Sherman
These are people who require extensive care. There are over 20 million people in this database. It is for sale. And you'll see here that it includes ways you can contact these people, their postal information, their email, and much more.
Amanda Aranczyk
And this isn't like skirting around the law. Like, this is legal. Legal.
Justin Sherman
This is driving down the highway, minding my own business legal.
Keith Romer
This site says it is a direct marketing company. Their business is selling lists of people who fit certain demographics.
Justin Sherman
What's really horrible is there's a phrase, suckers lists, and this refers to exactly what we're looking at on the screen. It refers to databases about people that companies have determined are gullible. This is often elderly people and often includes diminished cognitive capacity. So suffering from Alzheimer's or dementia. And the reason they're called suckers lists is scammers love these lists of people.
Keith Romer
It is creepy enough when I imagine a bunch of cyber criminals buying and selling my data, but it's even creepier when it is happening in the legal market.
Amanda Aranczyk
So what are the rules governing that giant basket of my 13,000 eggs? To find out, we called up a regulator. Not just any regulator, but the director of the Consumer Financial Protection Bureau, Rohit Chopra. Of course, the first thing I do is show him my letter from Ticketmaster. Did you get one of these?
Rohit Chopra
Oh, the breach notification letter. Yeah, I got that. Look, I get these things on an almost monthly basis.
Keith Romer
CFPB directors, they're just like us. For Director Chopra, his downfall was buying tickets for the Eagles, the football team, not the band.
Amanda Aranczyk
Go Birds.
Keith Romer
Yay. Very authentic.
Amanda Aranczyk
Thank you. So back to the reason I reached out to Director Chopra. The rules. Now, there is, of course, HIPAA, which prevents your doctor from selling your private health information. There's also a law protecting students. Some states have their own privacy laws too. Really, though, Director Chopra says there is not much more than that.
Rohit Chopra
In the US we don't have that many laws that put restrictions on the type of data you can harvest on people. Except really for one, the Fair Credit Reporting Act of 1970.
Keith Romer
Before 1970, all kinds of businesses in the US kept track of all sorts of personal information.
Rohit Chopra
We've had a long history in our country of companies digging up dirt on all of us. Did we pay our bills on time? Who are we associating ourselves with? Are we cheating on our spouse? Companies would sell reports about us, about our character, about who's a good one and who's late on their bills.
Keith Romer
Director Chopra is talking about credit reporting and the companies that determine what today we call your credit score.
Amanda Aranczyk
Isn't this sort of a service like this is how commerce works? You need to know if somebody is worthy of credit, worthy of loans. Maybe it's a very reasonable thing to do.
Rohit Chopra
Well, I think where the concerns were was the consumer never really consented to any of this. The reports that were about them could have been totally inaccurate or just full of rumors. And I think there was a sense in the Congress that there needs to be some limits on this because it isn't just creepy, it really felt unfair.
Keith Romer
Hence the Fair Credit Reporting Act of 1970. It's been amended a few times since then, but basically the law requires that credit bureaus make sure the information they have is accurate, make sure consumers can access these reports, and that people can dispute anything that's not accurate.
Amanda Aranczyk
And these credit bureaus can't just sell this data to anyone that wants it. It is for potential employers or potential lenders or potential insurers, that kind of thing. That is how our data is supposed to be managed.
Rohit Chopra
But when we actually look at today's economy, we see a lot of other companies who are essentially doing the same exact thing.
Keith Romer
Selling our background information, digging up dirt on us for companies that want to sell things to us using targeted marketing. And these data brokers, they don't usually consider themselves covered by this law. They say they're not credit bureaus, even though they might be selling things like info about our salaries.
Rohit Chopra
So we are developing rules that will bring some sanity into how our personal data is handled and in many cases, on whether it should be trafficked at all.
Keith Romer
The idea is for these new rules to extend some of the protections that are in the Fair Credit Reporting Act to the other companies that have a lot of our data. The CFPB says they're publishing these proposed rules soon.
Amanda Aranczyk
But for now, without more regulation, I guess this is on me. My data is out there doing God only knows what, and it seems there's not much I can do about it. The most obvious thing I can do is in that original letter from Ticketmaster, they have offered me free credit monitoring. I asked Jim the lawyer to help me decide whether or not I should take it.
Jim Francis
You will have access to one or more credit monitoring services through one of the big three credit bureaus, TransUnion, Equifax, or Experian.
Amanda Aranczyk
So basically, one of those big three credit bureaus will monitor my online info. In my case, it's going to be TransUnion.
Keith Romer
Yeah. If Spider Hunters sold your data to a bunch of scammers, they might try to get a credit card in your name, steal your identity, who knows? And this monthly report will let you know if something like that actually happens.
Amanda Aranczyk
By the way, Spider Hunters never did message me back. I will probably never know where my data ended up. So maybe credit monitoring is a good option. Jim and I look at the offer together. Okay. And I have a code.
Jim Francis
Careful.
Amanda Aranczyk
So, yeah. So should I not do this or should I put in my activate now?
Jim Francis
Well, let's see. Hang on a second. Let me just look here to see terms and conditions.
Amanda Aranczyk
Oh, this is so great to look at terms and conditions with a lawyer. Very helpful. It says right here, if you click on it, the terms and conditions below contain an arbitration agreement and a class action waiver.
Jim Francis
There you go. So you're out of the class and you can't bring a class action against TransUnion.
Amanda Aranczyk
So basically, if I take the free credit monitoring service, I waive my right to sue. Then Jim says, let us take a closer look at some of the other terms and conditions.
Jim Francis
Oh, by the way, by accessing CreditView Dashboard, you agree that TransUnion may use and share your information?
Amanda Aranczyk
No.
Jim Francis
Yes. So the company that you're hiring to protect you is using this as a grab bag to sell your data.
Keith Romer
Jim points to the very bottom of TransUnion's website. In small font, there are the words privacy policy. If you click that link, you will find pages and pages about all the ways in which they disregard your privacy.
Amanda Aranczyk
So it says, when you enroll, TransUnion is collecting the usuals. My cell number, my date of birth, my Social Security number. And this privacy policy is saying that they may also start collecting and selling more personal information. My ethnicity, marital status, where I work, where I am, what I've been putting into online forms, how long it took me to fill in those online forms. Oh, and everything I buy everywhere I go and everything I do online.
Jim Francis
So you clicked in as something as a result of a data breach to use their credit monitoring service, and you've just agreed for them to share all of your data and use it basically however they want.
Amanda Aranczyk
Oh, it's really bad, Jim. It's so bad. It's so cynical. It's so bad.
Jim Francis
It's bad, it's bad.
Keith Romer
We reached out to TransUnion. A spokesman said that the arbitration waiver, the part where Amanda had to waive her right to sue them, that was posted in error. We checked, and it has now been removed. A spokesman also said when Amanda logged in to get her credit monitoring, that she was using a product called My True Identity and that the information TransUnion requests when consumers enroll in My True Identity is essential for verifying their identities and providing the requested services. And that My True Identity does not sell consumers' personal information to any third party for any reason.
Amanda Aranczyk
So TransUnion is saying that no, they will not sell my usuals, my cell number, my date of birth, my Social Security number. They won't sell the information that I gave them to enroll in this program, but I definitely had to agree to their privacy policy, which states pretty clearly that they're going to collect other personal information and maybe sell that. And who knows what if that data someday gets stolen in a data breach by a hacker, which...
Keith Romer
I mean, it feels like we're back at the beginning of the episode, Amanda.
Amanda Aranczyk
Yeah, we might as well just start it again.
Keith Romer
Little Mobius strip Planet Money.
Amanda Aranczyk
There you go. We could just play it over and over and over again. Endlessly.
Keith Romer
How's it started?
Amanda Aranczyk
It starts like this. Okay, hold on. Wait, wait. What's this over here? Oh, it's my letter from Ticketmaster. Did you get one of these?
Keith Romer
Oh, yeah, I did get one of those.
Amanda Aranczyk
No. You don't lie.
Keith Romer
Oh, I didn't get one, Amanda.
Amanda Aranczyk
Let me tell you what it says right here. Notice of data breach.
Keith Romer
That sounds bad.
Amanda Aranczyk
It is bad.
Keith Romer
Today's episode was produced by Sam Yellowhorse Kesler and edited by Meg Cramer. Engineered by Ko Takasugi-Czernowin with an assist from Kwesi Lee and fact checked by Dania Suleman. Alex Goldmark is our executive producer.
Amanda Aranczyk
Thanks this week to Brent Bracelin at Piper Sandler, Joel Fishbein at Truist Securities, and Troy Hunt.
Keith Romer
I'm Keith Romer.
Amanda Aranczyk
And I'm Amanda Aronchik. This is NPR. Thanks for listening.
Planet Money: So Your Data Was Stolen in a Data Breach
Hosted by Amanda Aranczyk and Keith Romer, NPR’s Planet Money delves deep into the unsettling world of data breaches, exploring how personal information is stolen, sold, and exploited. In this episode, Amanda receives a concerning letter from Ticketmaster indicating a data breach, setting off a journey to uncover where her data—and yours—might have ended up.
[01:10] Amanda Aranczyk:
Amanda introduces the episode by sharing her experience of receiving a letter from Ticketmaster about a data breach. She speculates that listeners might have received similar notifications, highlighting the pervasive nature of such incidents.
Amanda:
“...this letter is just the tip of an iceberg and beneath the water is a profoundly deep mass of bought, sold and stolen personal data.”
[02:30] Keith Romer:
Keith brings in Jim Francis, a lawyer specializing in consumer protection and class actions, to shed light on why Ticketmaster sent the breach notification.
Jim Francis:
“...some, if not all, states have a data breach notification law requiring the company to notify consumers the minute they find out that there's a breach.”
[03:12] Amanda:
Amanda admits her initial lack of concern, equating repeated data breaches to just another routine event.
Jim Francis:
“If somebody has all of your information, your name, your date of birth, your Social Security number, your address, your personal habits, things like that, that is significant and that is serious.”
[05:17] Skylar Devine:
Skylar, former director of technology at WNYC, assists Amanda in tracking the breach's extent. They discover that the Ticketmaster breach is part of a larger hack affecting millions.
Amanda:
“So this is like potentially hundreds and hundreds of millions of people.”
[07:20] Keith Romer:
Keith emphasizes the increasing frequency of data breaches, noting 2023 as a particularly bad year with expectations of 2024 potentially breaking records.
[08:13] Keith Romer:
The team explains their venture into Breach Forums, a dark web site where stolen data is sold. They encounter a hacker group named Shiny Hunters, who posted the stolen Ticketmaster data for sale.
Skylar Devine:
“If you've heard of places like 4chan, yeah. You know, there's gonna be a lot of racial slurs and horrible language. Horrible people hang out there.”
[09:50] Skylar Devine:
Describes the forum's structure, highlighting its gamified system for sellers.
Keith Romer:
“Yesterday, Skylar says he saw posts offering more than 57,000 lines of data from BCP, the largest bank in Peru, and close to 155,000 lines of data from Banco Falabella in Chile. Today there is some juicy US data.”
[18:39] Justin Sherman:
Justin, a cybersecurity and data privacy expert, explains the legal marketplaces where personal data is sold, comparing them to platforms like eBay.
Justin Sherman:
“...it's like eBay. For your data, you type in health or location, you hit enter, you add to cart, and you check out.”
[19:21] Amanda:
She questions the vast number of data points collected on individuals.
Justin Sherman:
“If you think of every single moment of your life that can be tracked, those are the kinds of data points that can be bought and sold.”
[20:28] Amanda:
Amanda expresses her discomfort with both illegal and legal data trading.
Justin Sherman:
“We are building a really attractive target where if someone gets in, all of this aggregated commercial data is sitting there ready for the taking.”
[22:30] Rohit Chopra:
Rohit, Director of the Consumer Financial Protection Bureau (CFPB), discusses the limited regulations governing data harvesting in the U.S., aside from the Fair Credit Reporting Act of 1970.
Rohit Chopra:
“In the US we don't have that many laws that put restrictions on the type of data you can harvest on people.”
[25:02] Keith Romer:
Explains the Fair Credit Reporting Act, emphasizing its role in ensuring data accuracy and limiting its use to specific entities like employers and lenders.
Rohit Chopra:
“These credit bureaus can't just sell this data to anyone that wants it. They say they're not credit bureaus, even though they might be selling things like info about our salaries.”
[26:18] Amanda:
Amanda considers taking up Ticketmaster’s offer for free credit monitoring but discovers concerning terms and conditions.
Jim Francis:
“You will have access to one or more credit monitoring services through one of the big three credit bureaus, TransUnion, Equifax, or Experian.”
[28:12] Jim Francis:
Points out that enrolling in these services often involves waiving the right to sue and agreeing to extensive data sharing.
Amanda:
“So, basically, one of those big three credit bureaus will monitor my online info...”
Jim Francis:
“So you're out of the class and you can't bring a class action against TransUnion.”
[30:37] Keith Romer & Amanda:
Amanda and Keith reflect on the cyclical nature of data breaches and the ongoing struggle to protect personal information.
Amanda:
“So why should I even bother caring?”
Keith Romer:
“It feels like we're back at the beginning of the episode, Amanda.”
Widespread Impact: Data breaches can affect millions, compromising sensitive personal information that can lead to identity theft and other malicious activities.
Dark Web Marketplaces: Stolen data is actively bought and sold on platforms like Breach Forums, making it accessible to cybercriminals globally.
Legal Data Brokers: Beyond illegal markets, legal marketplaces also trade vast amounts of personal data, often with minimal regulation.
Regulatory Gaps: Current U.S. laws like the Fair Credit Reporting Act offer limited protection, leaving much personal data vulnerable.
Consumer Dilemma: Options like credit monitoring services come with their own privacy concerns, potentially exacerbating data exposure.
Jim Francis:
“If somebody has all of your information, your name, your date of birth, your Social Security number, your address, your personal habits, things like that, that is significant and that is serious.” [03:12]
Justin Sherman:
“...it's like eBay. For your data, you type in health or location, you hit enter, you add to cart, and you check out.” [18:51]
Rohit Chopra:
“In the US we don't have that many laws that put restrictions on the type of data you can harvest on people.” [23:28]
Amanda Aranczyk:
“So basically, one of those big three credit bureaus will monitor my online info... and I have a code.” [27:10]
Produced by: Sam Yellow Horse Kessler
Edited by: Meg Kramer
Engineered by: Ko Takasuki Chernovin
Executive Producer: Alex Goldmark
This episode underscores the urgent need for stronger data protection regulations and greater consumer awareness in an increasingly digital world.