So your data was stolen in a data breach

2024/10/31
Planet Money

Key Insights

Why did Ticketmaster send breach notification letters to its customers?

Ticketmaster sent these letters to comply with state data breach notification laws, which require companies to inform consumers as soon as they discover a breach.

How serious is it when personal data is compromised in a data breach?

The severity depends on the nature of the information stolen. If the data includes sensitive details like social security numbers, addresses, and personal habits, it can lead to identity fraud and long-term vigilance is necessary.

Where did the stolen Ticketmaster data likely end up?

The data was likely posted for sale on a dark web forum called Breach Forums by a hacker group named Shiny Hunters.

What precautions were lacking that led to the Snowflake data breach?

The accounts compromised in the breach were not set up with two-step authentication, making it easier for hackers to access the data.

How does the legal market for personal data operate?

Companies buy and sell personal information through data broker marketplaces, which function like eBay for data, often without the explicit consent of the individuals involved.

What are the current regulations governing the handling of personal data in the U.S.?

Currently, HIPAA protects health information, and the Fair Credit Reporting Act (FCRA) governs credit bureaus, but there are limited laws restricting the collection and sale of other types of personal data.

What are the potential pitfalls of using free credit monitoring services offered after a data breach?

These services often require users to waive their right to sue and may collect additional personal information that could be sold or compromised in future breaches.

Chapters

The episode begins with a discussion about receiving data breach letters and the implications of having personal data stolen.
  • Receiving a data breach letter is becoming increasingly common.
  • The nature of the information stolen varies, with some breaches being more serious than others.
  • Companies are legally required to notify consumers of data breaches.

Transcript

Here's the show. This is Planet Money from NPR.

I recently got a letter in the mail, and it's pretty likely that you got one of these too. It is the special kind of letter that sometimes gets turned into a Planet Money episode. And that is because this letter is just the tip of an iceberg, and beneath the water is a profoundly deep mass of bought, sold and stolen personal data, my data and maybe your data, too.

I took this letter to Jim Francis. Okay, so I got, where is it? I got a letter from Ticketmaster. It says here, yeah, says the date on it, July seventeen, twenty twenty-four. Did you get one of these?

I did not get one. I am not a Ticketmaster customer, but my clients got that letter.

Jim has clients because he is a lawyer at Francis Mailman Soumilas. He focuses on consumer protection and class actions, and he knows all about why Ticketmaster sent these letters.

No, it has nothing to do with my last purchase, tickets to see Future and Metro Boomin, because that's how I roll, but everything to do with a data security incident. Ticketmaster was hacked, and Jim, he is suing them on behalf of some disgruntled customers.

I mean, who among us is not a disgruntled Ticketmaster customer?

So many reasons to be disgruntled with Ticketmaster. Now, Ticketmaster says they are investigating what happened.

It is possible some bad actors took my personal data. Ticketmaster sent me this letter as a warning. Did Ticketmaster, like, do this out of the kindness of their heart? Did they just feel bad that they lost my data? Why did they send this?

They would tell you they did it out of the kindness of their heart and their concern for their customers. The reality is some, if not all, states have a data breach notification law requiring the company to notify consumers the minute they find out that there is a breach.

So sure, I was curious about the breach and how it happened, but I confessed to Jim, I wasn't actually worried. I mean, how bad is it that my data is out there? Like, I'm a little bit like, yeah, this is not my first data breach rodeo. This happens all the time. Why should I even bother caring?

Well, one of the things that varies among data breaches is the nature of the information. If somebody has all of your information, your name, your date of birth, your Social Security number, your address, your personal habits, things like that, that is significant and that is serious, um, and you do have to be vigilant probably forever because of that. Now if there was something just forever, if it was just your zip code, for example, right? Okay, but what we understand to be the case here is this is a wide variety and a wide net of PII.

That they've maybe got your PII, or personally identifiable information. So things like your Social Security number, your cell phone number. PII is kind of the jackpot of data.

Yeah, Jim says that I could be a victim of identity fraud, a target for phone scams. Someone could try to get a new credit card in my name. That would be bad. And whatever was leaked in the Ticketmaster breach, that is just some of the data about me that exists online.

One of the things that I have just learned over the, you know, almost twenty-five years of doing this is that the amount of consumer data that's collected is just, it's mind-boggling. You know, it's your voting affiliation, your religious affiliation, your address, what type of clothes you buy, your keystrokes, your fingerprints, your shopping habits, your everything, right? You leave a trail and a footprint wherever you go and whatever you log into.

Of course, this isn't just about my trail and my footprint.

Yeah, Jim says that the Ticketmaster breach was part of an even bigger hack impacting the customers of lots of companies.

So this is like potentially hundreds and hundreds of

millions of people. That's huge. A lot of these data breaches are huge; this one's particularly large.

Oh God, then that sounds like Jim maybe started

to stress you out a little bit. I don't

know why you think that.

Hello and welcome to Planet Money. I'm Keith Romer. Amanda, do we have to keep making the show?

You need a second. You go on ahead. Okay.

Okay. And that's Amanda Aronczyk. Today on the show, the Ticketmaster data breach.

We are going to follow this all the way to find out where did my data go, how scared should I be, and what am I supposed to do about it, and

how the personal and private information for all of us is being bought, sold and stolen.

Amanda, your growing paranoia is basically right. Yeah.

I figured

that our data is being compromised more and more often. The number of data breaches has been steadily ticking upwards for two decades, and twenty twenty-three was, I guess, a banner year for data breaches. Yes, it's a little too soon to say, but twenty twenty-four could set a new, new record.

So where did my stolen Ticketmaster data go? And what exactly was taken? The letter from Ticketmaster says it's just my name, my basic contact info, payment card info, which is a... but Jim, the lawyer, suggested the people who stole it might have had much more than that.

We sent what we knew about the breach to a friend of the show. Skylar Devine is the former director of technology at WNYC, the NPR station here in New York. He agreed to help us try to track down your data and find out where it went to.

Skylar, you and I are setting up computers, maybe share a Zoom link.

Yeah. Why don't you send me that by email, like a... okay.

Apparently, after failing to get ransom money from Ticketmaster, a hacker group called Shiny Hunters posted the data for sale for half a million dollars on a dark website called Breach Forums.

So Skylar and I decided to log on to Breach Forums and see if we could find the data ourselves.

I don't think you're gonna want to click on any media on the site, okay, even if there is.

So this is not a place where we just fly

click. Um, if you've heard of places like 4chan, yeah, you know there's going to be a lot of racial slurs and horrible language. So horrible people hang out there.

Obviously, we want to be careful here and we do not advise you to do this at home, dear listener. Skylar has created an anonymous account for us. He set up a private window that makes us hard to track.

Skylar is a low-key IT guy. He is unfazed, but he is still prepared for anything.

Now, I'll admit I was expecting something different. We would download a special browser, and we'd be visiting like the infamous Silk Road, which was apparently the best place online for fireworks, cocaine, porn, Social Security numbers. I swear.

I wouldn't know. No, no.

Why would you know? I don't know. This is a web forum. It is dedicated to the buying and selling of stolen data. Looks a little bit like Reddit, but the background is all black. Can we find the Ticketmaster data here?

Oh, probably not anymore. I think this is a very like a final system.

So we just poke around. The forum is actually somewhat gamified. Reminds me a little bit of Duolingo.

Keep your stolen data streak alive.

There is this ranking system. You can be a VIP data seller, or an MVP or, top level, an actual god at selling stolen data.

Yesterday, Skylar says he saw posts offering more than fifty-seven thousand lines of data from BCP, the largest bank in Peru, and close to one hundred fifty-five thousand lines of data from Banco Falabella in Chile. Today there is some juicy U.S. data.

This appears to be somebody is selling Social Security numbers. Can we look at that?

Yeah. So want to take a look. So up at the top, they give a list of the fields that they're providing: first name, last name, email, mailing address, your phone numbers, a Social Security number, date of birth, driver's license.

Skylar explains that this is the hackers posting a summary of the data fields they have. Then below that, there's a little sampler, maybe the details they have for five or ten different people.

Now, you usually only have one Social Security number. You only get one date of birth, and once someone has those details about you, it's not like you can ever get them back.

These are incredibly valuable pieces of personally identifying information that are really helpful if somebody wants to steal your identity.

But we were not here to just look at any old data breach. We were looking for my data, specifically that Ticketmaster data. t scholar, for a second. And then as we start to poke around the message boards, can we look for Shiny Hunters?

That's resets. What's see the Shiny Hunters: banned, banned.

Their name is crossed out. We have no clue why. We figure we have reached a dead end, but we continue to search the word Ticketmaster. And then we noticed something a little odd, a post from a user with an avatar like Shiny Hunters'. The avatar is from Pokémon, but it is a different username, Spider Hunters, and apparently they are an MVP at selling stolen data.

The post has a big Ticketmaster logo right at the top.

Ticketmaster will not respond to request to buy data from us. They care not for the privacy of six hundred and eighty million customers. So give you the first million users free. What do you make of this?

I mean, it certainly looks related, right? And the timing somewhat matches.

Skylar, I think you found the Ticketmaster data leak.

It certainly looks like it could be.

Now my data is not part of the tiny sample that is posted here, but if someone bought my Ticketmaster data, they would presumably have a lot on me, and they could combine it with data that was compromised in some data breach. Maybe they could get into my phone or my iCloud or my bank account.

The only way we could know for sure is if we went and bought that data. As much as we at Planet Money like to get our hands dirty learning about the economy, we did not get permission to buy stolen data on the dark web.

But we have learned a lot about this market. It is brazen, it is bustling and it is organized. Skylar does point out that we shouldn't necessarily take all of this at face value.

Some of the people in this forum might actually work on the security side of things. The FBI has actually shut down the site multiple times. It's even possible the entire site is a honeypot, just a way to monitor and trap hackers.

So just in case this is a real post, Amanda, you went ahead and sent a message to Spider Hunters to ask if they wanted to, you know, discuss your data. Spider Hunters, by the way, is not spelled the way you might expect.

Sp, one d, three, part. H, I just feel like it's respectful, is more respectful. "Hello, Spider Hunters. I'm one of the hosts of the NPR show Planet Money. We're a popular NPR podcast that covers business, finance and economics." Is this too much? It seems like I'm just asking for them to donate as a listener.

Um, we

finish the email. I had one of those gees with the tune out because we're fun like that. Also, an email just read and I hit send. I do not leave my own personal contact info because, hey, they already have it.

So while we wait to see if we get a response from Spider Hunters, we decide that the next thing we need to do is figure out how Amanda's data was stolen, what exactly happened. And this leads us to an equally unsettling market for our data, the legal market, where our personal information is bought and sold every day. That's after the break.

In my letter from Ticketmaster, they say that my data was stolen from an unnamed data services provider. Turns out this is a tech company called Snowflake. Snowflake does data storage and analysis. Basically, if you are a company that needs to keep a lot of data somewhere, Snowflake could be like your warehouse for it. That's what they offer Ticketmaster, for at least some of their user data.

By the way, we did write to Ticketmaster and to Snowflake, but they didn't get back to us in time for this episode. Now one thing that is not spelled out in Amanda's original data breach letter is how her data was stolen. But here's what we found out.

Back in April, a cybersecurity company started noticing something suspicious. Some bad actor or bad actors was targeting Snowflake and some of the companies that use

Snowflake, companies like AT&T, Advance Auto Parts, Mars, Cricket Wireless. These cybersecurity researchers figured out that hackers had stolen a bunch of Snowflake customer logins.

These were the logins that, like, Ticketmaster or AT&T would use to access their data on Snowflake. So obviously, somebody should have changed their password. People, change your passwords. These accounts

were also not set up with two-step authentication, you know, where you, like, log in, and then you get asked your password, and then you also get a cell phone ping for another code. Two steps to confirm that this is actually you trying to access your sensitive and valuable data.

People, turn on two-step authentication.

Yeah, Ticketmaster and Snowflake did not require users to use two-step authentication. It was like there was a little window that was easy to pry open. And the bad actor went right through that window and stole the data of millions of people,

including probably my data. Did you get one of these?

I did get one of these as a fellow Ticketmaster user here. Okay.

Justin Sherman thinks his most recent Ticketmaster purchase was tickets to see SZA. Aside from loving contemporary R&B, Justin also founded a company called Global Cyber Strategies in D.C. And he's a go-to guy for all things cybersecurity, data privacy, AI.

Justin says that Snowflake, the company at the center of the breach, their business isn't just about storing and analyzing data. They also operate a data broker marketplace.

And it's like eBay for your data. You type in "health" or "location", you hit enter, you add to cart and you check out.

This data marketplace is part of a multibillion-dollar industry that makes its money off of the buying and selling of personal information. A lot of personal information.

How many pieces of data about me do you think are out there?

Glad you asked this question. So there are single companies that sell thirteen or fourteen thousand plus data points on one person.

Okay, okay. So let me get you to break this down for me. So one data point is my first name. One data point is my last name, one data point is my date of birth. What are the other twelve thousand, nine hundred and ninety-seven other data points?

Let's put it this way: if you think of every single moment of your life that can be tracked, those are the kinds of data points that can be bought and sold.

Yeah, that's how a lot of the internet gets paid for. We get to use websites for free. And those websites make money by collecting data about us and selling that data on to whoever will pay for it.

And what has been happening over the last decade is some companies have collected a truly astounding amount of data. Justin says they have become these giant centralized repositories for all of our personal information.

We all know the saying: don't put all your eggs in one basket.

Yeah, my thirty thousand eggs. Exactly.

When the companies or government take thousands of those eggs and hundreds of millions of people and plop them in one place, you're building a really attractive target, where if someone gets in, all of this aggregate commercial data is sitting there ready for the taking.

So in many ways, the illegal market depends on the legal market and all of these companies collecting all of our information.

Now, Justin isn't just worried about hackers stealing our data. He is also really troubled by this fundamental invasion of our privacy online. These companies buy and sell our personal information on the legal market.

So the next thing he wants to show me is part of that legal marketplace. It is a website that sells lists of senior citizens.

So what we're looking at here is a database that, it says, quote, gives you access to seniors who are currently being cared for by an adult child or family member, unquote.

So this is people who require pretty extensive care. Seniors who require care.

These are people who require sensitive care. There are over twenty million people in this database. It is for sale. And you'll see here that it includes ways you can contact these people, their postal information, their email and much more.

And this isn't like skirting around the law, like this is legal, legal.

This is driving down the highway, minding my own business, legal.

This site says it is a direct marketing company. Their business is selling lists of people who fit certain demographics.

What's really horrible is there is a phrase, "suckers list". And this refers to exactly what we're looking at on the screen. It refers to databases about people that companies have determined are gullible. This is often elderly people and often includes diminished cognitive capacity or suffering from Alzheimer's. And the reason they are called suckers lists is scammers love these lists of people.

It is creepy enough when I imagine a bunch of cybercriminals buying and selling my data, but it's even creepier when it is happening in

the legal market. So what are the rules governing that giant basket of my thirty thousand eggs? To find out, we called up a regulator, not just any regulator, but the director of the Consumer Financial Protection Bureau, Rohit Chopra. Of course, the first thing I do is show him my letter from Ticketmaster. Did you get one of these

of the breach notification letter? Yeah, I got that. Look, I get these things on an almost monthly basis.

CFPB directors, they're just like us. For Director Chopra, his downfall was buying tickets for the Eagles, the football team, not the

band. Go Birds.

Very authentic.

Thank you. So back to the reason I reached out to Director Chopra. The rules. Now there is, of course, HIPAA, which prevents your doctor from selling your private health information.

There's also a law protecting students. Some states have their own privacy laws too. Really, though, Director Chopra says there is not much more than

that. In the U.S., we don't have that many laws that put restrictions on the type of data you can harvest on people except, really, for one, the Fair Credit Reporting Act of 1970.

Before 1970, all kinds of businesses in the U.S. kept track of all sorts of personal information.

We've had a long history in our country of companies digging up dirt on all of us. Did we pay our bills on time? Who are we associating ourselves with? Or are we cheating on our spouse? Companies would sell reports about us, about our character, about who's a good one and who's late on their bills.

Director Chopra is talking about credit reporting and the companies that determine what today we call your credit score.

Isn't this sort of a service like this is how commerce works. You need to know if somebody is worthy of credit, worthy of loans. Maybe it's a very reasonable thing to do.

Well, I think where the concerns were was the consumer never really consented to any of this. The reports that were about them could have been totally inaccurate or just full of rumors. And I think there was a sense in the Congress that there needs to be some limits on this because it isn't just creepy. It really felt unfair.

Hence the Fair Credit Reporting Act of 1970. It's been amended a few times since then. But basically, the law requires that credit bureaus make sure the information they have is accurate, make sure consumers can access these reports and that people can dispute anything that's not accurate.

And these credit bureaus can't just sell this data to anyone that wants it. It is for potential employers or potential lenders or potential insurers, that kind of thing. That is how our data is supposed to be managed.

But when we actually look at today's economy, we see a lot of other companies who are essentially doing the same exact thing, selling our

background information, digging up dirt on us for companies that want to sell things to us using targeted marketing. And these data brokers, they don't usually consider themselves covered by this law. They say they're not credit bureaus even though they might be selling things like info about our salaries.

So we are developing rules that will bring some sanity into how our personal data is handled and, in many cases, on whether it should be trafficked at all.

The idea is for these new rules to extend some of the protections that are in the Fair Credit Reporting Act to the other companies that have a lot of our data. The CFPB says they're publishing these

proposed rules soon. But for now, without more regulation, I guess this is on me. My data is out there doing God knows what, and it seems there's not much I can do about it. The most obvious thing I can do is in the original letter from Ticketmaster: they have offered me free credit monitoring. I asked Jim the lawyer to help me decide whether or not I should take it.

You will have access to one or more credit monitoring services through one of the big three credit bureaus: TransUnion, Equifax, Experian.

So basically, one of those big three credit bureaus will monitor my online info. In my case it's going to be TransUnion.

Yeah, if Spider Hunters sold your data to a bunch of scammers, they might try to get a credit card in your name, steal your identity, who knows. And this monthly report will let you know if something like that actually happens.

By the way, Spider Hunters never did message me back. I will probably never know where my data ended up. So maybe credit monitoring is a good option. Jim and I look at the offer together.

Okay, I have a code.

So should I not do this?

Or should I put it in my activate and to see terms and conditions? Oh.

This is so great. To look at terms and conditions with a lawyer, very helpful. It says right here, if you click on at the terms and conditions below containing arbitration agreement and a class action waiver.

There you go. So you're out of the class and you can't bring a class action against TransUnion.

So basically, if I take the free credit monitoring service, I waive my right to sue. Then Jim says, let us take a closer look at some of the other terms and conditions.

Oh, by the way, by accessing the credit view dashboard, you agree that TransUnion may use and share your information.

No.

Yes. So the company that you're hiring to protect you is using this as a grab bag to sell your data.

Jim points to the very bottom of the TransUnion website. In small font, there are the words "privacy policy". You click that link, you will find pages and pages about all the ways in which they disregard your privacy.

So it says, when you enroll TransUnion is collecting the usual: my cell number, my date of birth, my Social Security number. And this privacy policy is saying that they may also start collecting and selling more personal information: my ethnicity, marital status, where I work, where I am, what I've been putting into online forms, how long it took me to fill in those online forms, oh, and everything I buy, everywhere I go and everything I do online.

So you click on something as a result of a data breach to use their credit monitoring service, and you've just agreed for them to share all of your data and use that basically

however they want. Really bad, Jim. It's so bad. It's so cynical. It's so bad. It's bad. It's bad.

We reached out to trans union.

A spokesman said that the arbitration waiver, the part where Amanda had to waive her right to sue them, that was posted in error. We checked and it has now been removed. A spokesman also said when Amanda logged in to get her credit monitoring, that she was using a product called myTrueIdentity, that the information TransUnion requests when consumers enroll in myTrueIdentity is, quote, essential for verifying their identities and providing the requested services, and that myTrueIdentity does not sell consumers' personal information to any third party for any reason. Unquote.

So TransUnion is saying that, no, they will not sell my usual: my cell number, my date of birth, my Social Security number. They won't sell the information that I gave them to enroll in this program. But I definitely had to agree to the privacy policy, which states pretty clearly that they're going to collect other personal information and maybe sell that. And who knows what if that data someday gets stolen in a data breach by a hacker.

Which, I mean, it feels like we're back at the beginning

of the episode of the, yeah, that as well

start it again. Little Möbius strip Planet Money.

There you go. We can just play it over, over, over again. Endesa has it starts.

It starts like this. Okay, hold on, wait. Wait, what's this over here? Oh, it's my letter from Ticketmaster. Did you get one of these?

Oh yeah.

I didn't get. No, you don't lie.

I didn't get.

Let me tell you what he says right here. Notes: data breach, it is bad.

Today's episode was produced by Sam Yellowhorse Kesler and edited by Meg Cramer, engineered by co toka travon with an assist from Kwesi Lee and fact-checked by Daniel s. Alex Goldmark is our executive

producer. Thanks this week to bring brasen at hyper sander, draw fish bine and true security and Troy Hunt.

I'm Keith

Romer. And I'm Amanda Aronczyk. This is NPR. Thanks for listening.
