Planet Money - How useful, really, are the steps you can take after a data breach?
Episode Date: December 2, 2024The dreaded data breach notification... It tells you your personal data's been compromised and suggests steps you can take to minimize the potential harm. On today's episode, Kenny Malone pulls out a ...data breach letter he received and goes over what it recommends with Amanda Aronczyk. Amanda recently did a show about the legal and illegal markets for data and tells us how useful these steps actually are. It's news you can use to protect yourself, whether or not you've been part of a data breach.This normally would be a bonus episode just for Planet Money+ listeners. Today, during this season of giving, we're sharing it with everyone! To hear more episodes like this sponsor-free and support NPR, sign up for Planet Money+ at plus.npr.org. Related links:Data Breach Response: A Guide for Business (FTC)Have you been affected by a data breach? (FTC)Your Technology Is Tracking You. Take These Steps For Better Online Privacy (Life Kit)What happens after you get scammed? Can you get your money back? (Planet Money)Firewalls Don't Stop Dragons (cybersecurity and privacy podcast) Experian (credit bureau)TransUnion (credit bureau) Equifax (credit bureau) Always free at these links: Apple Podcasts, Spotify, the NPR app or anywhere you get podcasts.Find more Planet Money: Facebook / Instagram / TikTok / Our weekly Newsletter.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy
Transcript
Discussion (0)
This is Planet Money from NPR.
Hello, I am Kenny Malone.
And I'm Amanda Oranjic.
And we are here because, of course, the season of giving is upon us.
The spirit of giving.
And in that spirit, Amanda, we at Planet Money would like to share with everyone
a sample of what our bonus content sounds like.
So usually what you're about to hear,
it's just for our Planet Money Plus supporters,
but today we're making this bonus episode
available to everyone, to all.
Yes, these episodes come out every two weeks.
You know, basically our bonus episodes,
they might be extended cuts of interviews,
they might be interviews that come from our newsletter,
we might talk about how an episode was made. Occasionally we do a
movie club where we talk about economics in a film. Kenny, I understand that you
are going to do that again soon. Love it. Oh yeah, Christmas at the alpaca farm. Is
that really the movie? Yeah, there is a lot of economics in this. The economics
of how Christmas rom-coms get made,
the economics of the fiber markets.
And the more I say it, I know the more it sounds like it is a joke.
It is not a joke.
Sounds delightful and seasonal, honestly.
Anyway, sometimes we watch movies and we talk about them on the bonus feed.
But then sometimes we're also just working on an episode of the show
and there's extra material that didn't fit in,
and we want to share it, and that is what we are here to do today in this bonus episode.
So, Amanda.
Yes.
You recently did an episode, a whole episode,
on what happens when your personal data gets stolen,
and you had a bunch of extra reporting on it
that I have been begging you to tell me about personally.
Yes, that's true, and for the season of giving,
I come bearing news you can use.
It's whatever, it fits in a stocking. Yeah, we come bearing, news you can use.
It's whatever, it fits in a stocking.
Yeah, we wrap it up, you like put that under the tree,
put it in the stocking.
This is advice on what you can do
to protect your personal information
if you've been part of a data breach.
Even if you have not been part of a data breach,
some of this will be news that you can use.
I will tell you that part of the genesis of this episode
was while I was making the data breach episode,
I would like lie there at night and be like, oh my god,
I gotta go change my bank password.
And then like I'd wake up and then I'd be like, oh my god,
I gotta go set up two-step authentication.
I would have all of these like, ah.
So over the course of making the episode,
I learned a lot about how to protect your data, my data,
and now I'm going to share that
Okay
So if you would like to hear more bonus content like what you're about to hear you can sign up for planet money plus at
Plus dot NPR dot o RG that is plus dot NPR dot o RG
There are other perks as well including our regular episodes sponsor free And if you are a part of Planet Money Plus already, then thank you.
Thank you for supporting us.
Genuinely, this keeps our work and the work of NPR going.
It really does.
This is super helpful.
We're very grateful when you subscribe.
And with that, we hope you enjoy this conversation.
We will be back with a regular episode for you later this week.
And we're back. Okay, we're gonna start this. Ready? Classic, classic radio.
Oh, yeah. Kenny, you just love to shuffle a little piece of paper, don't you?
It's what we do. It's what we do. That is a rather voluminous letter I received.
In fact, everyone in my family received one of these,
telling us that we were all part of a substantial hack.
Yeah.
Let me get a little sound of that again.
So that letter, just FYI, that is required,
I believe by all states, that they send you a letter saying,
hey, sorry, my bad.
We got hacked.
And this one in particular is like not the company
I was doing business with.
They apparently were managing data on behalf of the company
I was doing business with.
So it's, this letter in particular is funny
because it's like, hey.
You've never heard of us.
You've never heard of us.
But one thing you should know about us
is we know a lot about you.
And it does seem like those are prime targets,
these companies that are like central warehouses for data.
Yep.
Like hackers are identifying places
that have a ton of data on hand as opposed to like,
oh, I'm just going to go hack you, Kenny.
What's the point when I could go get hundreds of millions of data
about all sorts of different people?
Yes.
And this is particularly frustrating to me,
I will say, before we get into this, because I'm
very careful about my passwords.
I change my passwords all the time.
I use very complex passwords that I can't remember.
I use a password manager to keep track of them.
I use two-factor authentication.
It doesn't matter in this case, because they didn't hack me personally.
They hacked this big company that had all of my data.
Yeah. I'm so sorry, Kenny. That's the worst.
Yeah. So anyway, I have a very basic question.
Yeah.
I got this letter and there are all these suggestions about what I could do in this
letter. Can you help me understand what I am supposed to do?
Yes. I will do my best.
Okay. Letter noise, letter noise, letter noise. Understand what I am supposed to do. Yes, I will do my best Okay
Let her noise let her noise let her noise
There are I think about five or six suggestions in here that I would love to just go through with you and you can
Tell me are these useful are they BS or are they somewhere in between shall we yeah here we go
Thing it suggests
number one,
order my free credit report.
So what this means is that there are companies,
Experian, TransUnion, what's the other major one?
Equifax.
Equifax, I always forget.
Those are the three big ones, yeah.
These are the major credit bureaus.
They keep track of tons of our information
to tell someone else how likely it is that we are to pay back alone
I mean that is their very basic function in society. Yes. Are you credit worthy? Is it worth lending you some money?
Can you pay it back? Will you have you historically paid it back? Correct all of that stuff
Okay, so you can order a credit report from one of these companies if you've never done it about yourself
Mm-hmm. And so here I am being told that this could maybe
help me in some way now that I've been hacked.
Should I do that?
Is it helpful?
Yes.
That one is helpful.
It is always helpful to get your credit report, take a look,
have a sense of what they're keeping track of.
And a big reason to do this is because the time
between the hack and when you get that letter,
it's not supposed to be very long,
but sometimes it takes months.
So it is very possible that something bad and suspicious
happened in that time period.
So that's going to be backwards looking.
I think the credit reports will often say,
hey, remember when you asked to take out this line of credit?
And I'll be like, no, I didn't ask
to take out this line of credit.
So this is a check-in.
I mean, this is something that people should just
do regularly anyway.
This is a helpful thing.
Make sure that you know, you know,
has your credit been impacted by the hack?
And maybe even you'll just see some other things
that have nothing to do with the hack
that you should just be aware of.
Okay.
That doesn't sound fun,
but I will look that up and read that.
And this is very easy to do, by the way.
We're gonna say this over and over again,
but we will put links in our show notes.
So if we mention anything here in this episode,
we are gonna put links in our show notes.
You can go find those.
Okay, so not BS, get your free credit report, great.
Thing number two.
Yeah.
Enroll in credit and identity monitoring services.
Okay, so I've never done this before,
but presumably this is a service that just,
that I guess this company that got hacked
is now providing me for free
to just like keep an eye on whether someone is going,
is taking out like a line of credit in my name
or something like that.
Yeah, this is a funny one.
Some states actually require
that they offer you free credit monitoring
if you've been involved in a data breach.
But again, it depends on the state and also the personal data involved.
There is actually a academic paper from 2012 that says, if they offer you this service,
this free credit monitoring, it's going to reduce the likelihood that you sue them by
a lot.
Oh, interesting.
Yeah.
What will often happen is you'll get this letter
and it'll say in there that they've made
some sort of arrangement with another company
and that company will offer you free credit monitoring,
which is basically a report.
It's not your credit report.
It's like a report that comes to your inbox
or you can have it mailed to you.
And it's going to say like, hey, you know,
we were watching this.
We saw some suspicious activity here,
we saw this email used here,
somebody pinged us about this.
I have been doing it for years with Experian,
and that one's actually pretty detailed.
Was that after the hack you did it?
Yeah, and I will admit that like,
I've gotten this offer so many times,
I don't pay that close attention to it, maybe.
To like the emails they send you or whatever.
To the emails that they send me.
It's not not useful.
Okay, not not useful.
We put it, we should have put that in on the on our rubric.
Well, I do have a question that I don't know if you know the answer to,
but if I enroll in one of these credit monitoring services
or I request my free credit report,
do any of these affect my credit score?
Do they affect my credit?
Because I think the more people run.
No.
Okay, yeah, I'd be messed up.
Yeah, so here's the trick with these things.
Yeah, so let's say you were offered credit monitoring
from one of the big three credit bureaus.
This is where you wanna be a little bit careful
as you sign up.
It is very possible that as you go in,
and this is what happened to me,
that as you go to sign up, you will be asked to waive your right to legal action.
You will not be able to sue the credit bureau.
Yeah.
So helpful to join the credit monitoring, however, read the fine print.
Read the fine print.
Read the fine print.
Because you may be waiving your right to be part of some large litigation or something.
Right.
So not BS, a little asterisk, but okay.
Yeah, take a look.
I mean, always take a look at the fine print,
but like the whole internet is based on us
not looking on the fine print.
But if you can do it, try.
Sometimes it's well written.
Suggestion number three.
Yeah.
Contact the US Federal Trade Commission.
Oh, you know who doesn't want to hear from you?
The US Federal Trade Commission.
No, that's not true.
You can try.
I mean, the way the FTC is handling this is if they get a lot of complaints about something,
they will go and act on that.
Are they going to call you, Kenny, and be like, hey, Kenny, I'm going to help you out?
We've been looking at your case, Kenny,
working overtime on it.
We've all talked to the FTC a couple times.
They are trying with their limited resources
to help people.
So you can send a complaint to them if you want.
Uh-huh.
I mean, and to be fair, it seems what it's actually
telling me to do is like, go read whatever they've written
about how to protect yourself from identity theft.
That seems to really be what they want me to do.
I actually do encourage you to do that.
It is very well written.
It's very straightforward.
They have guides for consumers
and they also have guides for businesses.
Like they have, you know, so you've been hacked.
What should you do for your customers?
And they're actually not bad.
They're not bad resources.
We'll provide links.
Okay, that one is very funny though.
Item number four, place a fraud alert on your credit file.
Yes.
So if you again, go to the big three, Experian, TransUnion, and Equifax, there are a bunch of things that you can do
while you were there.
And one of them is place an alert on your credit file.
What this is going to do is if somebody like, let's say you go to.
Macy's and you decide you're going to go get one of those like Macy's cards
or something like that and Macy's calls to see if Kenny is worth giving a Macy's
card to, they're probably going to call you up.
They're going to contact you and be like, did you actually want this?
Got it.
So that's what that, that fraud alert does.
Yeah.
Kind of like second or third factor authentication
on credit lines or something like that.
Yeah, that one is not a bad idea.
Not bad, not bad.
Fraud alert.
And do I do that with all three of the big credit bureaus?
No, you do not.
If you place a fraud alert on your credit report
with one of the credit bureaus, they
say that they will notify the other two.
Right.
OK, all right.
So yet again, not a bad idea.
Not a bad idea.
Okay, final recommended step.
This is a big one, and it's one that I actually
have thought about a lot.
This is a recommended security freeze.
I guess I should say it's not recommending it,
it's saying, quote, you have the right
to request a credit freeze from a consumer reporting agency,
which is another name for the credit bureaus.
So that functionally locks down your ability to take out a loan, so get a new line of credit,
maybe extend an existing line of credit.
It locks that ability down unless you preemptively open it up because you know you're about to
request a new line?
Yes, this does appear to be the kind of gold star of what you can do to protect yourself,
which is you are going to freeze your credit, which means that as you said, you are no longer
able to get a loan for anything.
But it's not, it isn't actually, I was a little bit surprised when I started
to dig into it a little bit more.
It doesn't stop all sorts of other processes.
Like people can still, like if you were trying to get a job,
somebody can still call up Experian and be like,
can I look at the report?
And the answer is probably yes.
Okay, sure.
You're not trying to like open a new line of credit.
That makes sense.
So most things still happen,
but your credit is frozen.
And so nobody can get a loan in your name.
Yeah.
The big three make this quite easy.
You just go online and unlock it to freeze and thaw.
Freeze and thaw.
Is that the term?
Yeah, that is the parlance.
Yeah.
It seems obvious to me that a security freeze is useful.
It is, it is an armor plate against someone doing one of the worst things they can do
when they steal your identity,
which is tank your credit by taking out
a giant line of credit in your name.
Right.
This is the medicine I was kind of dreading
you would need to take in a situation like this.
Because it definitely seems inconvenient,
but obviously helpful.
Yeah, and it will not take you very long.
Okay, okay.
I will do that, especially before this episode runs, telling everyone
that I've been part of a giant hack. Yes, not a bad idea. So that's all that's in this
list. Basically, is there anything else I should be doing? Yeah, we at NPR have a service
called delete me, which is like a privacy service that helps scrape you off of the internet, your name, your phone number,
your address.
It's basically like-
The image that you've like landed flat on the internet
and they're like peeling you off.
Yeah, they're trying to peel some of your information
off of the internet so you're harder to find your address,
your email, your cell phone number, harder to find.
And it's honestly, it's been effective.
Okay, pretty helpful.
All right, anything else that one should do
after they've learned that they're part of a gigantic hack?
Yeah, I mean, you should look on your credit card.
You should look on your bank statements.
Yes, I can't believe we didn't even say that.
I can't believe we didn't say that.
Go look and see if there's any weird charges
that you don't recognize.
Do you know the one that kept happening to me
is like TikTok purchases, not on this one,
but like when someone got a hold of a credit card number,
they just kept buying crap through TikTok, like on people's TikTok stores.
No, not okay.
I guess it's connected to your credit card.
Like you probably like, or maybe not.
I don't know.
It showed up as TikTok purchases and it was like, obviously I didn't make this
purchase. This is outrageous.
Your credit card is your friend in fraud.
Like they do not want you defrauded.
It is very expensive for them.
They have very good mechanisms set up to like find fraud.
So you should be watching your credit card
and you should be calling them up if you see charges
that you don't recognize.
Same with your bank.
This is something that I learned also doing research here
was like, I think that feeling of like,
oh my gosh, I've got to change my passwords constantly
feels very overwhelming because you have so many passwords.
So one thing you can do is just make sure
you do the big ones.
You do your email, change that all the time.
You do your bank, you do your credit card.
You do the things that have access to your financial
and personal most sensitive information.
Right, right.
Or your email is like, unfortunately,
the key to everything.
Right.
So you wanna protect that.
Yes, you definitely wanna be protecting your email.
Because yes, because chances are too,
at some point you email the password to somebody
and it's sitting there in your email.
It's a lot of personal information in your email.
And the password manager thing,
I have very mixed feelings about I'm using a Google
Chrome password manager.
It's fine.
It's sort of out of laziness.
I have not done the like best and brightest research
on this.
I've not done a ton of research on this, but we
are offered a password manager at work.
I have not taken it partly because I think of
password managers as centralized repositories of
data and they get hacked too.
They get hacked too.
So they are being extra super duper careful. repositories of data and they get hacked too. It's a centralized repository of all your passwords.
They get hacked too. So they are being extra super duper careful.
Theoretically your passwords are encrypted in some way.
Yeah, but being all in one place makes me nervous.
But I think for the most part people in this field or in this area will say to you,
yeah, that's a good idea because it'll help you have strong passwords.
What's clear is you're choosing it'll help you have strong passwords.
What's clear is you're choosing which risk
you want to take here.
Yeah.
Like, that is all that exists in this horrible dystopia
that we've created for ourselves in the data world.
Yeah, this is how we get the internet for free,
is we give up our data.
Have I learned everything?
I don't know.
Oh, yeah, I was just going to say,
also just for basic password manager, if you have an account that offers
two step authentication, do it, use it.
That seems to be how people hack very easily
is setups where they didn't do two step
or multi-factor authentications the other term.
I just wanna say, I know it's a little annoying
to have multiple steps, but may I suggest
a reframing in your head.
Think of it not as an annoying sort of extra hurdle.
Think of it as a fun little scavenger hunt
that you get to play where it's like you get,
ooh, now I'm going over here to my phone
and ooh, now I'm going over here to my email
and I'm gonna type it in.
It's like an escape room, really.
It's like an escape room of your own life.
Yeah, that's fun.
See, reframe it and then multifactor authentication rules.
So, I mean, the sad part for me in all of this though
is how much is put on you, Kenny, how much was put on me.
I think this is some real BS.
I don't think we should have to spend all of our time
and money. There's the BS category.
And money, like there is an industry of identity
that protection, yes, you're paying.
I'm paying a lot for a password manager, yes, that's right. And a lot like this is the, there is an industry of identity theft protection. Yes, you're paying.
I'm paying a lot for password manager.
Yes, that's right.
And a lot of these protections are so that
you're not the lowest hanging fruit, right?
So that you're actually kind of a pain to hack.
That's what you're doing here is trying to make you
a less obvious target.
I see.
You don't have to outrun the bear.
You just have to outrun someone else.
Because there are people outrunning the bear.
Is outrunning the bear.
That's right.
Oh, exactly when you put it like that.
True.
That is true.
Okay.
All right.
This is exactly what I wanted.
Good.
Just going to go lock and unlock my credit.
Yeah, that's right.
There you go.
Beautiful.
Well, Kenny, thank you.
This has been fun.
Thank you, Amanda.
No problem.
Happy to share all this.
So listen, we're going to put links to the resources and websites that we talked about or that Amanda talked about. She's going to do all of that work. I don't know why I'm happy to share all this. So listen, we're going to put links to the resources and websites that we talked about,
or that Amanda talked about.
She's going to do all of that work.
I don't know why I'm saying we.
It's going to be you, Amanda.
You got all the work to do.
I'm going to do that.
That's going to be in the show notes.
And we're also going to link to Amanda's original episode,
which is great and about kind of more of the system
here that allows this kind of hack to happen.
Yes, it's about the illegal and legal markets for our data.
Amanda goes on the dark web.
We call it the dark web.
It's fun.
Once again, we make bonus content like this one
every other week for our Planet Money Plus supporters.
So if you want more Planet Money in your life
and you want to help keep our work and the work of NPR going,
you can sign up for Planet Money Plus that is at plus.npr.org. Plus.npr.org. I'm Kenny Malone.
And I'm Amanda Oronchik. This is Planet Money from NPR.