Planet Money: So Your Data Was Stolen in a Data Breach
Hosted by Amanda Aranczyk and Keith Romer, NPR’s Planet Money delves deep into the unsettling world of data breaches, exploring how personal information is stolen, sold, and exploited. In this episode, Amanda receives a concerning letter from Ticketmaster indicating a data breach, setting off a journey to uncover where her data—and yours—might have ended up.
1. Receiving the Breach Notification
[01:10] Amanda Aranczyk:
Amanda introduces the episode by sharing her experience of receiving a letter from Ticketmaster about a data breach. She speculates that listeners might have received similar notifications, highlighting the pervasive nature of such incidents.
Amanda:
“...this letter is just the tip of an iceberg and beneath the water is a profoundly deep mass of bought, sold and stolen personal data.”
2. Understanding the Severity of Data Breaches
[02:30] Keith Romer:
Keith brings in Jim Francis, a lawyer specializing in consumer protection and class actions, to shed light on why Ticketmaster sent the breach notification.
Jim Francis:
“...some, if not all, states have a data breach notification law requiring the company to notify consumers the minute they find out that there's a breach.”
[03:12] Amanda:
Amanda admits her initial lack of concern, equating repeated data breaches to just another routine event.
Jim Francis:
“If somebody has all of your information, your name, your date of birth, your Social Security number, your address, your personal habits, things like that, that is significant and that is serious.”
3. The Expansive Reach of the Breach
[05:17] Skylar Devine:
Skylar, former director of technology at WNYC, assists Amanda in tracking the breach's extent. They discover that the Ticketmaster breach is part of a larger hack affecting millions.
Amanda:
“So this is like potentially hundreds and hundreds of millions of people.”
[07:20] Keith Romer:
Keith emphasizes the increasing frequency of data breaches, noting that 2023 was a particularly bad year and that 2024 is expected to potentially break records.
4. Navigating the Dark Web Marketplace
[08:13] Keith Romer:
The team explains their venture into Breach Forums, a dark web site where stolen data is sold. They encounter a hacker group named Shiny Hunters, who posted the stolen Ticketmaster data for sale.
Skylar Devine:
“If you've heard of places like 4chan, yeah. You know, there's gonna be a lot of racial slurs and horrible language. Horrible people hang out there.”
[09:50] Skylar Devine:
Describes the forum's structure, highlighting its gamified system for sellers.
Keith Romer:
“Yesterday, Skylar says he saw posts offering more than 57,000 lines of data from BCP, the largest bank in Peru, and close to 155,000 lines of data from Banco Falabella in Chile. Today there is some juicy US data.”
5. The Legal Data Market and Data Brokers
[18:39] Justin Sherman:
Justin, a cybersecurity and data privacy expert, explains the legal marketplaces where personal data is sold, comparing them to platforms like eBay.
Justin Sherman:
“...it's like eBay. For your data, you type in health or location, you hit enter, you add to cart, and you check out.”
[19:21] Amanda:
She questions the vast number of data points collected on individuals.
Justin Sherman:
“If you think of every single moment of your life that can be tracked, those are the kinds of data points that can be bought and sold.”
[20:28] Amanda:
Amanda expresses her discomfort with both illegal and legal data trading.
Justin Sherman:
“We are building a really attractive target where if someone gets in, all of this aggregated commercial data is sitting there ready for the taking.”
6. Regulatory Challenges and the Fair Credit Reporting Act
[22:30] Rohit Chopra:
Rohit, Director of the Consumer Financial Protection Bureau (CFPB), discusses the limited regulations governing data harvesting in the U.S., aside from the Fair Credit Reporting Act of 1970.
Rohit Chopra:
“In the US we don't have that many laws that put restrictions on the type of data you can harvest on people.”
[25:02] Keith Romer:
Explains the Fair Credit Reporting Act, emphasizing its role in ensuring data accuracy and limiting use of the data to specific entities like employers and lenders.
Rohit Chopra:
“These credit bureaus can't just sell this data to anyone that wants it. They say they're not credit bureaus, even though they might be selling things like info about our salaries.”
7. Consumer Options and Privacy Concerns
[26:18] Amanda:
Amanda considers taking up Ticketmaster’s offer for free credit monitoring but discovers concerning terms and conditions.
Jim Francis:
“You will have access to one or more credit monitoring services through one of the big three credit bureaus, TransUnion, Equifax, or Experian.”
[28:12] Jim Francis:
Points out that enrolling in these services often involves waiving the right to sue and agreeing to extensive data sharing.
Amanda:
“So, basically, one of those big three credit bureaus will monitor my online info...”
Jim Francis:
“So you're out of the class and you can't bring a class action against TransUnion.”
8. Reflection on the Data Breach Cycle
[30:37] Keith Romer & Amanda:
Amanda and Keith reflect on the cyclical nature of data breaches and the ongoing struggle to protect personal information.
Amanda:
“So why should I even bother caring?”
Keith Romer:
“It feels like we're back at the beginning of the episode, Amanda.”
Key Takeaways
- Widespread Impact: Data breaches can affect millions, compromising sensitive personal information that can lead to identity theft and other malicious activities.
- Dark Web Marketplaces: Stolen data is actively bought and sold on platforms like Breach Forums, making it accessible to cybercriminals globally.
- Legal Data Brokers: Beyond illegal markets, legal marketplaces also trade vast amounts of personal data, often with minimal regulation.
- Regulatory Gaps: Current U.S. laws like the Fair Credit Reporting Act offer limited protection, leaving much personal data vulnerable.
- Consumer Dilemma: Options like credit monitoring services come with their own privacy concerns, potentially exacerbating data exposure.
Notable Quotes
- Jim Francis: “If somebody has all of your information, your name, your date of birth, your Social Security number, your address, your personal habits, things like that, that is significant and that is serious.” [03:12]
- Justin Sherman: “...it's like eBay. For your data, you type in health or location, you hit enter, you add to cart, and you check out.” [18:51]
- Rohit Chopra: “In the US we don't have that many laws that put restrictions on the type of data you can harvest on people.” [23:28]
- Amanda Aranczyk: “So basically, one of those big three credit bureaus will monitor my online info... and I have a code.” [27:10]
Produced by: Sam Yellow Horse Kessler
Edited by: Meg Kramer
Engineered by: Ko Takasuki Chernovin
Executive Producer: Alex Goldmark
This episode underscores the urgent need for stronger data protection regulations and greater consumer awareness in an increasingly digital world.
