So your data was stolen in a data breach AI transcript and summary - episode of podcast Planet Money
Go to PodExtra AI's episode page (So your data was stolen in a data breach) to play and view complete AI-processed content: summary, mindmap, topics, takeaways, transcript, keywords and highlights.
Go to PodExtra AI's podcast page (Planet Money) to view the AI-processed content of all episodes of this podcast.
Planet Money episodes list: view full AI transcripts and summaries of this podcast on the blog
Episode: So your data was stolen in a data breach
Author: NPR
Duration: 00:28:59
Episode Shownotes
If you... exist in the world, it's likely that you have gotten a letter or email at some point informing you that your data was stolen. This happened recently to potentially hundreds of millions of people in a hack that targeted companies like Ticketmaster, AT&T, Advance Auto Parts and others
that use the data cloud company Snowflake.On today's show, we try to figure out where that stolen data ended up, how worried we should be about it, and what we're supposed to do when bad actors take our personal and private information. And: How our information is being bought, sold, and stolen.This episode was hosted by Amanda Aronczyk and Keith Romer. It was produced by Sam Yellowhorse Kesler and edited by Meg Cramer. It was engineered by Ko Takasugi-Czernowin with an assist from Kwesi Lee, and fact-checked by Dania Suleman. Alex Goldmark is Planet Money's executive producer.Help support Planet Money and hear our bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy
Summary
In this episode of NPR's "Planet Money," hosts Amanda Aronczyk and Keith Romer examine the consequences of the Ticketmaster data breach, where personal information of potentially millions of consumers was compromised. Attorney Jim Francis discusses legal notification requirements following data breaches, emphasizing the importance of understanding the risks associated with different types of personal information. The episode highlights the pervasive nature of stolen data markets, the legal sale of personal information, and the inadequate privacy regulations in the U.S. Amid growing digital threats, listeners are prompted to reflect on the vulnerability of their information and the implications of credit monitoring services.
Go to PodExtra AI's episode page (So your data was stolen in a data breach) to play and view complete AI-processed content: summary, mindmap, topics, takeaways, transcript, keywords and highlights.
Full Transcript
00:00:00 Speaker_01
Support for NPR and the following message come from Edward Jones. What is rich? Maybe it's less about reaching a magic number and more about discovering the magic in life.
00:00:10 Speaker_01
Edward Jones Financial Advisors are people you can count on for financial strategies that help support a life you love. Edward Jones, member SIPC.
00:00:22 Speaker_09
Hey, it's Keith Romer. Real quick before the show today, it's election season. NPR has you covered with three podcasts that we are making for you every day. Number one, the NPR Morning News Podcast Up First. That one comes out 7 a.m.
00:00:36 Speaker_09
Eastern every weekday. Later on in the day, we have the NPR politics podcast. Whenever there is big news going down a few hours later, NPR politics podcast will be out with a show breaking it down. Finally, there is consider this.
00:00:51 Speaker_09
This is the one where NPR covers one big story in depth every weekday evening. So up first in the morning, consider this in the evening and the NPR politics podcast. Anytime important developments go down.
00:01:04 Speaker_09
It's like an around the clock election news survival kit from NPR podcasts. OK, thanks for listening. Here's the show.
00:01:13 Speaker_02
This is Planet Money from NPR.
00:01:18 Speaker_07
I recently got a letter in the mail and it's pretty likely that you got one of these, too. It is the special kind of letter that sometimes gets turned into a Planet Money episode.
00:01:28 Speaker_07
And that is because this letter is just the tip of an iceberg, and beneath the water is a profoundly deep mass of bought, sold, and stolen personal data. My data, and maybe your data, too. I took this letter to Jim Francis. Okay. So I got, where is it?
00:01:48 Speaker_06
I got a letter from Ticketmaster. It says here, um, yeah, it says the date on it, July 17th, 2024. Did you get one of these?
00:01:58 Speaker_08
I did not get one. I'm not a Ticketmaster customer, but my clients got that letter.
00:02:03 Speaker_09
Jim has clients because he is a lawyer at Francis Mailman Sumulus. He focuses on consumer protection and class actions, and he knows all about why Ticketmaster sent these letters.
00:02:16 Speaker_07
Now, it has nothing to do with my last purchase, tickets to see Future and Metro Boomin, because that's how I roll, but everything to do with a data security incident. Ticketmaster was hacked.
00:02:30 Speaker_07
And Jim, he is suing them on behalf of some disgruntled customers.
00:02:34 Speaker_09
I mean, who among us is not a disgruntled Ticketmaster customer?
00:02:37 Speaker_07
Oh, so many reasons to be disgruntled with Ticketmaster. Now, Ticketmaster says they are investigating what happened. It is possible some bad actors took my personal data. Ticketmaster sent me this letter as a warning.
00:02:50 Speaker_07
Did Ticketmaster, like, do this out of the kindness of their heart? Did they just feel bad that they lost my data? Why did they send this?
00:02:57 Speaker_08
They would tell you they did it out of the kindness of their heart and their concern for their customers. The reality is some, if not all, states have a data breach notification law requiring the company to notify consumers.
00:03:13 Speaker_08
the minute they find out that there's a breach.
00:03:16 Speaker_07
So sure, I was curious about the breach and how it happened. But I confess to Jim, I wasn't actually worried. I mean, how bad is it that my data is out there? Like I'm a little bit like, yeah, this is not my first data breach rodeo.
00:03:29 Speaker_07
This happens all the time. Why should I even bother caring?
00:03:33 Speaker_08
Uh, one of the things that varies among data breaches is the nature of the information.
00:03:39 Speaker_08
If somebody has all of your information, your name, your date of birth, your social security number, your address, your personal habits, things like that, that is significant and that is serious.
00:03:50 Speaker_08
Um, and you do have to be vigilant probably for forever because of that. Now, if it was something just... Forever. Forever. Forever. If it was just your zip code, for example. Right. Okay.
00:04:02 Speaker_08
But what we understand to be the case here is this is a wide variety and a wide net of PII.
00:04:09 Speaker_09
Amanda, they've maybe got your PII, your personally identifiable information. So things like your social security number, your cell phone number, PII is kind of the jackpot of data.
00:04:21 Speaker_07
Yeah, Jim says that could make me a victim of identity fraud, a target for phone scams. Someone could try to get a new credit card in my name. That would be bad.
00:04:31 Speaker_07
And whatever was leaked in the Ticketmaster breach, that is just some of the data about me that exists online.
00:04:38 Speaker_08
You know, one of the things that I have just learned over the years, you know, almost 25 years of doing this is that the amount of consumer data that's collected is just, it's mind boggling.
00:04:49 Speaker_08
You know, it's your voting affiliation, your religious affiliation, your addresses, what type of clothes you buy, your keystrokes, your fingerprints, your shopping habits, your everything. right?
00:05:04 Speaker_08
You leave a trail and a footprint wherever you go and whatever you log into.
00:05:09 Speaker_07
Of course, this isn't just about my trail and my footprint.
00:05:13 Speaker_09
Yeah. Jim says that the Ticketmaster breach was part of an even bigger hack impacting the customers of lots of companies. So this is like potentially hundreds and hundreds of millions of people.
00:05:24 Speaker_08
Yeah, that's huge. A lot of these data breaches are huge. This one's particularly large.
00:05:30 Speaker_07
Oh God.
00:05:32 Speaker_09
Amanda, it sounds like Jim is maybe starting to stress you out a little bit there.
00:05:37 Speaker_07
I don't know why you think that.
00:05:44 Speaker_09
Hello and welcome to Planet Money. I'm Keith Romer. Amanda, we have to keep making the show.
00:05:49 Speaker_07
I just need a second.
00:05:51 Speaker_09
You go on ahead. I'll catch up. Okay. And that's Amanda Aronchik. Today on the show, the Ticketmaster data breach.
00:06:01 Speaker_07
We are going to follow this all the way to find out where did my data go, how scared should I be, and what am I supposed to do about it?
00:06:10 Speaker_09
And how the personal and private information for all of us is being bought, sold, and stolen.
00:06:21 Speaker_00
This message comes from Middi Health. Women in midlife face a health care desert, but Middi is here to fill the gap, offering expert care for paramenopause and menopause covered by insurance.
00:06:31 Speaker_00
Hot flashes, insomnia, brain fog, weight gain, and moodiness don't have to be accepted as just another part of aging. Middi clinicians understand how these symptoms can connect to menopause and prescribe a wide range of solutions.
00:06:43 Speaker_00
Book your visit today at joinmiddi.com. That's joinmiddi.com. This message comes from Middie Health.
00:06:52 Speaker_00
Women in midlife face a healthcare desert, but Middie is here to fill the gap, offering expert care for paramenopause and menopause covered by insurance.
00:07:00 Speaker_00
Hot flashes, insomnia, brain fog, weight gain, and moodiness don't have to be accepted as just another part of aging. Middie clinicians understand how these symptoms can connect to menopause and prescribe a wide range of solutions.
00:07:12 Speaker_00
Book your visit today at joinmiddie.com. That's joinmiddie.com.
00:07:19 Speaker_09
Amanda, your growing paranoia is basically right.
00:07:24 Speaker_07
Yeah, I figured.
00:07:25 Speaker_09
Yeah, our data is being compromised more and more often. The number of data breaches has been steadily ticking upwards for two decades, and 2023 was, I guess, a banner year for data breaches.
00:07:38 Speaker_05
Yay.
00:07:40 Speaker_09
Yeah, it's a little too soon to say, but 2024 could set a new new record.
00:07:45 Speaker_07
So where did my stolen Ticketmaster data go? And what exactly was taken? The letter from Ticketmaster says, it's just my name, my basic contact info, payment card info, which is bad. Which is bad. That's bad.
00:07:59 Speaker_07
But Jim, the lawyer, suggested the people who stole it might have had much more than that.
00:08:05 Speaker_09
We sent what we knew about the breach to friend of the show Skylar Deveen. He is the former director of technology at WNYC, the NPR station here in New York. He agreed to help us try to track down your data, Amanda. Find out where it went.
00:08:18 Speaker_07
OK, so Skylar, you and I are setting up our computers. Maybe I should make a Zoom link.
00:08:24 Speaker_04
Yeah, why don't you send me that by email, I guess. OK.
00:08:28 Speaker_09
Apparently, after failing to get ransom money from Ticketmaster, a hacker group called Shiny Hunters posted the data for sale for half a million dollars on a dark website called Breach Forums.
00:08:40 Speaker_07
So Skylar and I decided to log onto Breach Forums and see if we could find the data ourselves.
00:08:47 Speaker_04
I don't think you're going to want to click on any media on the site.
00:08:52 Speaker_07
OK.
00:08:53 Speaker_04
Even if there is some. So this is not a place where we just freely click? If you've heard of places like 4chan, you know, there's going to be a lot of racial slurs and horrible language. Horrible people hang out there.
00:09:10 Speaker_09
Obviously, we want to be careful here, and we do not advise you to do this at home, dear listener. Skyler has created an anonymous account for us. He set up a private window that makes us hard to track. Skyler is a low-key IT guy.
00:09:23 Speaker_09
He's unfazed, but he is still prepared for anything.
00:09:25 Speaker_07
Now, I'll admit I was expecting something different. We would download a special browser and we'd be visiting like the infamous Silk Road, which was apparently the best place online for fireworks, cocaine, porn, social security numbers.
00:09:40 Speaker_07
I swear I wouldn't know. No, no. Why would you know? I don't know. This is a web forum. It is dedicated to the buying and selling of stolen data. Looks a little bit like Reddit, but the background is all black. Can we find the Ticketmaster data here?
00:09:55 Speaker_04
Oh, probably not anymore. I think this is a very, like, ephemeral chat system.
00:10:04 Speaker_07
So we just poke around. The forum is actually somewhat gamified. Reminds me a little bit of Duolingo. Keep your stolen data streak alive. There is this ranking system.
00:10:16 Speaker_07
You can be a VIP data seller or an MVP or top level, an actual god at selling stolen data.
00:10:24 Speaker_09
Yesterday, Schuyler says he saw posts offering more than 57,000 lines of data from BCP, the largest bank in Peru, and close to 155,000 lines of data from Banco Falabella in Chile. Today, there is some juicy U.S. data.
00:10:40 Speaker_06
This appears to be somebody selling Social Security numbers. Can we look at that?
00:10:44 Speaker_04
Yeah, so let's take a look. So up at the top, they give a list of the fields that they're providing. First name, last name, email, mailing address, your phone numbers, social security number, date of birth, driver's license.
00:11:02 Speaker_09
Skylar explains that this is the hackers posting a summary of the data fields they have. And then below that, there's a little sampler, maybe the details they have for five or 10 different people.
00:11:13 Speaker_07
Now, you usually only have one social security number. You only get one date of birth. And when someone has those details about you, it's not like you can ever get them back.
00:11:23 Speaker_09
Yeah. These are incredibly valuable pieces of personally identifying information. They are really helpful if somebody wants to steal your identity.
00:11:31 Speaker_07
But we were not here to just look at any old data breach. We were looking for my data, specifically, that Ticketmaster data. Can you scroll up for a second? And then, as we start to poke around the message boards, can we look for Shiny Hunters?
00:11:46 Speaker_07
Is there a way to search this?
00:11:48 Speaker_04
Let's see. Shiny Hunters. Banned.
00:11:55 Speaker_07
banned. Their name is crossed out. We have no clue why. We figure we have reached a dead end. But we continue to search the word Ticketmaster. And then we notice something a little odd. A post from a user with an avatar like Shiny Hunters.
00:12:11 Speaker_07
The avatar is from Pokemon, but it is a different username, Spider Hunters. And apparently they are an MVP at selling stolen data.
00:12:21 Speaker_09
The post has a big Ticketmaster logo right at the top.
00:12:25 Speaker_07
Ticketmaster will not respond to requests to buy data from us. They care not for the privacy of 680 million customers, so give you the first million users free.
00:12:36 Speaker_04
What do you make of this? I mean, it certainly looks related, right? And the timing somewhat matches. Skylar, I think you found the Ticketmaster data leak.
00:12:48 Speaker_07
It certainly looks like it could be.
00:12:49 Speaker_07
Now, my data is not part of the tiny sample that is posted here, but if someone bought my Ticketmaster data, they would presumably have a lot on me, and they could combine it with data that was compromised in some other data breach.
00:13:04 Speaker_07
Maybe they could get into my phone or my iCloud or my bank account.
00:13:09 Speaker_09
The only way we could know for sure is if we went and bought that data. But as much as we at Planet Money like to get our hands dirty learning about the economy, we did not get permission to buy stolen data on the dark web.
00:13:21 Speaker_07
But we have learned a lot about this market. It is brazen, it is bustling, and it is organized. Skyler does point out that we shouldn't necessarily take all of this at face value.
00:13:33 Speaker_07
Some of the people on this forum might actually work on the security side of things. The FBI has actually shut down the site multiple times. It's even possible the entire site is a honeypot, just a way to monitor and trap hackers.
00:13:47 Speaker_09
Still, just in case this is a real post, Amanda, you went ahead and sent a message to Spider Hunters to ask if they wanted to, you know, discuss your data. Spider Hunters, by the way, is not spelled the way you might expect.
00:14:00 Speaker_06
It's S-P-1-D-3-R.
00:14:03 Speaker_09
You don't have to worry about that part.
00:14:05 Speaker_07
Oh, I just feel like it's respectful.
00:14:06 Speaker_04
It's more respectful. Yeah, yeah, yeah. Yeah, here we go. OK. Fair enough.
00:14:09 Speaker_07
Hello, Spider Hunters. I'm one of the hosts of the NPR show Planet Money. We're a popular NPR podcast that covers business, finance, and economics. Is this too much? Does this seem like I'm just asking for them to donate as a listener?
00:14:23 Speaker_07
We finish the email, add one of those emojis with the tongue out because we're fun like that, also an email address they can reach us at, and we hit send. I do not leave my own personal contact info, though, because, hey, they already have it.
00:14:37 Speaker_09
So, while we wait to see if we get a response from spider hunters, we decide that the next thing we need to do is figure out how Amanda's data was stolen. What exactly happened?
00:14:48 Speaker_09
And this leads us to an equally unsettling market for our data, the legal market, where our personal information is bought and sold every day. That's after the break.
00:15:03 Speaker_00
This message comes from NITI Health. If you're a woman over 40 dealing with hot flashes, insomnia, weight gain, or brain fog, you don't have to accept it as just another part of aging.
00:15:13 Speaker_00
The clinicians at Middie Health understand what you're experiencing and know how to help. Middie Health provides specialized care for paramenopause and menopause covered by insurance. Book your visit today at joinmiddie.com. That's joinmiddie.com.
00:15:28 Speaker_01
This message comes from NPR sponsor, Charles Schwab. Financial decisions can be tricky. Your cognitive and emotional biases can lead you astray. Financial Decoder, an original podcast from Charles Schwab, can help.
00:15:41 Speaker_01
Listen today at schwab.com slash financial decoder.
00:15:47 Speaker_00
This message comes from NPR sponsor, Discover. Have you heard about double nomics? If not, here's an example. Discover automatically doubles the cash back earned on your credit card at the end of your first year with cash back match.
00:15:59 Speaker_00
That means with Discover, you could turn $150 cash back to $300. It pays to Discover. See terms at discover.com slash credit card. Support for this podcast and the following message come from Dignity Memorial.
00:16:14 Speaker_00
When your celebration of life is prepaid today, your family is protected tomorrow. Planning ahead is truly one of the best gifts you can give your family. For additional information, visit dignitymemorial.com.
00:16:28 Speaker_07
In my letter from Ticketmaster, they say that my data was stolen from an unnamed data services provider. Turns out this is a tech company called Snowflake. Snowflake does data storage and analysis.
00:16:41 Speaker_07
Basically, if you are a company that needs to keep a lot of data somewhere, Snowflake could be like your warehouse for it. That's what they are for Ticketmaster, for at least some of their user data.
00:16:50 Speaker_09
By the way, we did write to Ticketmaster and to Snowflake, but they didn't get back to us in time for this episode. Now, one thing that is not spelled out in Amanda's original data breach letter is how her data was stolen.
00:17:04 Speaker_09
But here's what we found out. Back in April, a cybersecurity company started noticing something suspicious. Some bad actor or bad actors was targeting Snowflake and some of the companies that use Snowflake.
00:17:17 Speaker_07
Companies like AT&T, Advanced Auto Parts, Neiman Marcus, Cricket Wireless, these cybersecurity researchers figured out that hackers had stolen a bunch of Snowflake customer logins.
00:17:28 Speaker_07
These were the logins that, like Ticketmaster or AT&T, would use to access their data on Snowflake. So obviously, somebody should have changed their password. People, change your passwords.
00:17:41 Speaker_09
These accounts were also not set up with two-step authentication, where you're logging in and then you get asked for your password, and then you also get your cell phone ping for another code.
00:17:51 Speaker_09
Two steps to confirm that it is actually you trying to access your sensitive and valuable data.
00:17:56 Speaker_07
People, turn on two-step authentication.
00:17:59 Speaker_09
Yeah, Ticketmaster and Snowflake did not require users to use two-step authentication. So it was like there was a little window that was easy to pry open, and the bad actor went right through that window and stole the data of millions of people.
00:18:13 Speaker_07
Including, probably, my data. Did you get one of these?
00:18:17 Speaker_03
I did get one of these as a fellow Ticketmaster user.
00:18:22 Speaker_09
Justin Sherman thinks his most recent Ticketmaster purchase was tickets to CISA, aside from loving contemporary R&B.
00:18:30 Speaker_09
Justin also founded a company called Global Cyber Strategies in D.C., and he's the go-to guy for all things cybersecurity, data privacy, AI.
00:18:40 Speaker_07
Justin says that Snowflake, the company at the center of the breach, their business isn't just about storing and analyzing data. They also operate a data broker marketplace.
00:18:51 Speaker_03
And it's like eBay for your data. You type in health or location, you hit enter, you add to cart and you check out.
00:18:59 Speaker_09
This data marketplace is part of a multibillion dollar industry that makes its money off of the buying and selling of personal information, a lot of personal information.
00:19:09 Speaker_07
How many pieces of data about me do you think are out there?
00:19:12 Speaker_03
I'm glad you asked this question. So there are single companies that sell 13,000 or 14,000-plus data points on one person.
00:19:22 Speaker_07
Okay, okay. So let me break this down for me. So one data point is my first name.
00:19:25 Speaker_06
One data point is my last name. One data point is my date of birth. What are the other 12,997 other data points? Let's put it this way.
00:19:35 Speaker_03
If you think of every single moment of your life that can be tracked, those are the kinds of data points that can be bought and sold.
00:19:43 Speaker_09
Yeah, that's how a lot of the Internet gets paid for. We get to use websites for free. And those websites make money by collecting data about us and selling that data on to whoever will pay for it.
00:19:54 Speaker_07
And what has been happening over the last decade is some companies have collected a truly astounding amount of data. Justin says they've become these giant centralized repositories for all of our personal information.
00:20:07 Speaker_03
We all know the saying, don't put all your eggs in one basket.
00:20:11 Speaker_07
Yeah, my 13,000 eggs.
00:20:12 Speaker_03
Exactly.
00:20:13 Speaker_03
When companies or government agencies take thousands of those eggs on hundreds of millions of people and plop them in one place, you're building a really attractive target where if someone gets in, all of this aggregated commercial data is sitting there ready for the taking.
00:20:29 Speaker_07
So in many ways, the illegal market depends on the legal market, on all of these companies collecting all of our information.
00:20:38 Speaker_09
Now, Justin isn't just worried about hackers stealing our data. He is also really troubled by this fundamental invasion of our privacy online, how these companies buy and sell our personal information on the legal market.
00:20:52 Speaker_07
So the next thing he wants to show me is part of that legal marketplace. It's a website that sells lists of senior citizens.
00:21:00 Speaker_03
So what we're looking at here is a database that it says, quote, gives you access to seniors who are currently being cared for by an adult child or family member, unquote.
00:21:13 Speaker_06
So this is people who require pretty extensive care, seniors who require care.
00:21:17 Speaker_03
These are people who require extensive care. There are over 20 million people in this database. It is for sale. And you'll see here that it includes ways you can contact these people, their postal information, their email, and much more.
00:21:34 Speaker_07
And this isn't like skirting around the law like this is legal legal.
00:21:40 Speaker_03
This is driving down the highway, minding my own business, legal.
00:21:43 Speaker_09
This site says it is a direct marketing company. Their business is selling lists of people who fit certain demographics.
00:21:50 Speaker_03
What's really horrible is there is a phrase, suckers lists. And this refers to exactly what we're looking at on the screen. It refers to databases about people that companies have determined are gullible.
00:22:07 Speaker_03
This is often elderly people and often includes diminished cognitive capacity, so suffering from Alzheimer's or dementia. And the reason they're called suckers lists is scammers love these lists of people.
00:22:21 Speaker_09
It is creepy enough when I imagine a bunch of cyber criminals buying and selling my data, but it's even creepier when it is happening in the legal market.
00:22:31 Speaker_07
So what are the rules governing that giant basket of my 13,000 eggs? To find out, we called up a regulator, not just any regulator, but the director of the Consumer Financial Protection Bureau, Rohit Chopra.
00:22:45 Speaker_07
Of course, the first thing I do is show him my letter from Ticketmaster.
00:22:49 Speaker_02
Did you get one of these? Oh, the breach notification letter? Yeah, I got that. Look, I get these things on an almost monthly basis. CFPB directors, they're just like us.
00:23:02 Speaker_09
For Director Chopra, his downfall was buying tickets for the Eagles, the football team, not the band.
00:23:07 Speaker_07
go birds. Yeah. Very authentic. Thank you. So back to the reason I reached out to Director Chopra, the rules. Now, there is, of course, HIPAA, which prevents your doctor from selling your private health information. There's also a law protecting students.
00:23:22 Speaker_07
Some states have their own privacy laws, too. Really, though, Director Chopra says there is not much more than that.
00:23:29 Speaker_02
In the US, we don't have that many laws that put restrictions on the type of data you can harvest on people, except really for one, the Fair Credit Reporting Act of 1970.
00:23:45 Speaker_09
Before 1970, all kinds of businesses in the U.S. kept track of all sorts of personal information.
00:23:51 Speaker_02
We've had a long history in our country of companies digging up dirt on all of us. Did we pay our bills on time? Who are we associating ourselves with? Are we cheating on our spouse?
00:24:07 Speaker_02
Companies would sell reports about us, about our character, about who's a good one and who's late on their bills.
00:24:18 Speaker_09
Director Chopra is talking about credit reporting and the companies that determine what today we call your credit score.
00:24:24 Speaker_07
Isn't this sort of a service? Like, this is how commerce works. You need to know if somebody is worthy of credit, worthy of loans. Maybe it's a very reasonable thing to do?
00:24:34 Speaker_02
Well, I think where the concerns were was the consumer never really consented to any of this. The reports that were about them could have been totally inaccurate or just full of rumors.
00:24:51 Speaker_02
And I think there was a sense in the Congress that there needs to be some limits on this, because it isn't just creepy, it really felt unfair.
00:25:03 Speaker_09
Hence the Fair Credit Reporting Act of 1970.
00:25:05 Speaker_09
It's been amended a few times since then, but basically the law requires that credit bureaus make sure the information they have is accurate, make sure consumers can access these reports, and that people can dispute anything that's not accurate.
00:25:20 Speaker_07
And these credit bureaus can't just sell this data to anyone that wants it. It is for potential employers or potential lenders or potential insurers, that kind of thing. That is how our data is supposed to be managed.
00:25:33 Speaker_02
But when we actually look at today's economy, we see a lot of other companies who are essentially doing the same exact thing.
00:25:44 Speaker_09
selling our background information, digging up dirt on us for companies that want to sell things to us using targeted marketing. And these data brokers, they don't usually consider themselves covered by this law.
00:25:57 Speaker_09
They say they're not credit bureaus, even though they might be selling things like info about our salaries.
00:26:04 Speaker_02
So we are developing rules that will bring some sanity into how our personal data is handled, and in many cases, on whether it should be trafficked at all?
00:26:19 Speaker_09
The idea is for these new rules to extend some of the protections that are in the Fair Credit Reporting Act to the other companies that have a lot of our data. The CFPB says they're publishing these proposed rules soon.
00:26:32 Speaker_07
But for now, without more regulation, I guess this is on me. My data is out there doing God only knows what, and it seems there's not much I can do about it. The most obvious thing I can do is in that original letter from Ticketmaster.
00:26:48 Speaker_07
They have offered me free credit monitoring. I asked Jim, the lawyer, to help me decide whether or not I should take it.
00:26:55 Speaker_08
You will have access to one or more credit monitoring services through one of the big three credit bureaus, TransUnion, Equifax or Experian.
00:27:03 Speaker_07
So basically, one of those big three credit bureaus will monitor my online info. In my case, it's going to be TransUnion.
00:27:10 Speaker_09
Yeah. If spider hunters sold your data to a bunch of scammers, they might try to get a credit card in your name, steal your identity. Who knows? And this monthly report will let you know if something like that actually happens.
00:27:21 Speaker_07
By the way, spider hunters never did message me back. I will probably never know where my data ended up. Maybe credit monitoring is a good option. Jim and I look at the offer together. I have a code.
00:27:36 Speaker_07
Should I not do this or should I put in my activate now?
00:27:39 Speaker_08
Let's see. Hang on a second. Let me just look here to see. Terms and conditions.
00:27:44 Speaker_06
Oh, this is so great to look at terms and conditions with a lawyer. Very helpful.
00:27:49 Speaker_07
It says right here, if you click on it, the terms and conditions below contain an arbitration agreement and a class action waiver.
00:27:55 Speaker_08
There you go. So you're out of the class and you can't bring a class action against transunion
00:28:02 Speaker_07
So basically, if I take the free credit monitoring service, I waive my right to sue. Then, Jim says, let us take a closer look at some of the other terms and conditions.
00:28:13 Speaker_08
Oh, by the way, by accessing CreditView Dashboard, you agree that TransUnion may use and share your information. No. Yes. So the company that you're hiring to protect you is using this as a grab bag to sell your data.
00:28:28 Speaker_09
Jim points to the very bottom of TransUnion's website. In small font, there are the words privacy policy. If you click that link, you will find pages and pages about all the ways in which they disregard your privacy.
00:28:42 Speaker_07
So it says when you enroll, TransUnion is collecting the usuals, my cell number, my date of birth, my social security number.
00:28:48 Speaker_07
And this privacy policy is saying that they may also start collecting and selling more personal information, my ethnicity, marital status, where I work, where I am.
00:29:00 Speaker_07
What I've been putting into online forms, how long it took me to fill in those online forms, oh, and everything I buy, everywhere I go, and everything I do online.
00:29:09 Speaker_08
So you clicked in as something as a result of a data breach to use their credit monitoring service, and you've just agreed for them to share all of your data and use it basically however they want.
00:29:24 Speaker_05
Oh, it's really bad, Jim. It's so bad. It's so cynical. It's so bad.
00:29:29 Speaker_08
It's bad. It's bad.
00:29:31 Speaker_09
We reached out to TransUnion. A spokesman said that the arbitration waiver, the part where Amanda had to waive her right to sue them, that was posted in error. We checked and it has now been removed.
00:29:43 Speaker_09
A spokesman also said when Amanda logged in to get her credit monitoring, that she was using a product called My True Identity.
00:29:51 Speaker_09
And that the information TransUnion requests when consumers enroll in MyTrueIdentity is, quote, essential for verifying their identities and providing the requested services, and that MyTrueIdentity does not sell consumers personal information to any third party for any reason, end quote.
00:30:09 Speaker_07
So TransUnion is saying that, no, they will not sell my usuals, my cell number, my date of birth, my Social Security number. They won't sell the information that I gave them to enroll in this program.
00:30:22 Speaker_07
But I definitely had to agree to their privacy policy, which states pretty clearly that they're going to collect other personal information and maybe sell that. And who knows? What if that data someday gets stolen in a data breach by a hacker?
00:30:37 Speaker_09
Which, I mean, it feels like we're back at the beginning of the episode, Amanda.
00:30:41 Speaker_07
Yeah, we might as well just start it again.
00:30:43 Speaker_09
Little Mobius strip, Planet Money.
00:30:45 Speaker_07
There you go. We could just play it over and over and over again, endlessly. How does it start? It starts like this. OK, hold on. Wait, wait. What's this over here? Oh, it's my letter from Ticketmaster. Did you get one of these?
00:30:56 Speaker_07
Oh, yeah, I did get one of those. No, you don't lie. Oh, I didn't get one, Amanda. Let me tell you what it says right here. Notice of data breach.
00:31:12 Speaker_09
Today's episode was produced by Sam Yellowhorse-Kessler and edited by Meg Kramer, engineered by Ko Takasugi-Chernovin with an assist from Kwesi Lee, and fact-checked by Danya Suleyman. Alex Goldmark is our executive producer.
00:31:26 Speaker_07
Thanks this week to Brent Bracelan at Piper Sandler, Joel Fischbein at Truist Securities, and Troy Hunt. I'm Keith Romer. And I'm Amanda Aranchik. This is NPR. Thanks for listening.
00:31:44 Speaker_00
Support for NPR and the following message come from Rosetta Stone, the perfect app to achieve your language learning goals no matter how busy your schedule gets.
00:31:52 Speaker_00
It's designed to maximize study time with immersive 10-minute lessons and audio practice for your commute. Plus, tailor your learning plan for specific objectives like travel.
00:32:02 Speaker_00
Get Rosetta Stone's lifetime membership for 50% off and unlimited access to 25 language courses. Learn more at rosettastone.com slash NPR. Support for NPR and the following message come from IXL Online.
00:32:17 Speaker_00
Is your child asking questions on their homework you don't feel equipped to answer? IXL Learning uses advanced algorithms to give the right help to each kid, no matter the age or personality. One subscription gets you everything.
00:32:29 Speaker_00
One site for all the kids in your home, pre-K to 12th grade. Make an impact on your child's learning. Get iXL now. And NPR listeners can get an exclusive 20% off iXL membership when they sign up today at ixl.com slash NPR.
00:32:44 Speaker_00
And a special thanks to our funder, the Alfred P. Sloan Foundation, for helping to support this podcast.