Planet Money - So your data was stolen in a data breach
Episode Date: October 31, 2024If you... exist in the world, it's likely that you have gotten a letter or email at some point informing you that your data was stolen. This happened recently to potentially hundreds of millions of pe...ople in a hack that targeted companies like Ticketmaster, AT&T, Advance Auto Parts and others that use the data cloud company Snowflake.On today's show, we try to figure out where that stolen data ended up, how worried we should be about it, and what we're supposed to do when bad actors take our personal and private information. And: How our information is being bought, sold, and stolen.This episode was hosted by Amanda Aronczyk and Keith Romer. It was produced by Sam Yellowhorse Kesler and edited by Meg Cramer. It was engineered by Ko Takasugi-Czernowin with an assist from Kwesi Lee, and fact-checked by Dania Suleman. Alex Goldmark is Planet Money's executive producer.Help support Planet Money and hear our bonus episodes by subscribing to Planet Money+ in Apple Podcasts or at plus.npr.org/planetmoney.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy
Transcript
Discussion (0)
Who's claiming power this election? What's happening in battleground states? And why do
we still have the electoral college? All this month, the Throughline Podcast is asking big
questions about our democracy and going back in time to answer them. Listen now to the
Throughline Podcast from NPR.
Hey, it's Keith Romer.
Real quick before the show today, it's election season.
NPR has you covered with three podcasts that we are making for you every day.
Number one, the NPR Morning News podcast up first.
That one comes out 7 a.m. Eastern every weekday.
Later on in the day, we have the NPR Politics podcast.
Whenever there is big news going down, a few we have the NPR Politics Podcast. Whenever there is big news
going down, a few hours later, NPR Politics Podcast will be out with a show breaking it
down. Finally, there is Consider This. This is the one where NPR covers one big story
in depth every weekday evening. So, up first in the morning, Consider This in the evening,
and the NPR Politics Podcast anytime important
developments go down. It's like an around-the-clock election news survival kit from NPR podcasts.
Okay, thanks for listening. Here's the show. This is Planet Money from NPR.
I recently got a letter in the mail, and it's pretty likely that you got one of these too.
It is the special kind of letter that sometimes gets turned into a Planet Money episode.
And that is because this letter is just the tip of an iceberg, and beneath the water is
a profoundly deep mass of bought, sold, and stolen personal data.
My data, and maybe your data too. I took this letter to Jim Francis.
Okay, so I got, where is it? I got a letter from Ticketmaster. It says here, yeah, it says-
What's the date?
The date on it, July 17th, 2024. Did you get one of these?
Okay. I did not get one. I'm not a Ticketmaster customer, but my clients got that letter.
Jim has clients because he is a lawyer at Francis Mailman Sumilis.
He focuses on consumer protection and class actions.
And he knows all about why Ticketmaster sent these letters.
Now, it has nothing to do with my last purchase, tickets to see Future and Metro Boomin, because
that's how I roll,
but everything to do with a data security incident. Ticketmaster was hacked, and Jim,
he is suing them on behalf of some disgruntled customers.
I mean, who among us is not a disgruntled Ticketmaster customer?
So many reasons to be disgruntled with Ticketmaster. Now, Ticketmaster says they
are investigating what happened.
It is possible some bad actors took my personal data.
Ticketmaster sent me this letter as a warning.
Did Ticketmaster do this out of the kindness of their heart?
Did they just feel bad that they lost my data?
Why did they send this?
They would tell you they did it out of the kindness
of their heart and their concern for their customers.
The reality is some, if not all, states have a data breach notification law requiring the company to notify consumers
the minute they find out that there's a breach.
So sure, I was curious about the breach and how it happened.
But I confess to Jim, I wasn't actually worried.
I mean, how bad is it that my data is out there?
Like I'm a little bit like, yeah, this is not my first data breach rodeo.
This happens all the time.
Why should I even bother caring?
Well, one of the things that varies among data breaches is
the nature of the information.
If somebody has all of your information, your name, your date of birth, your social security number,
your address, your personal habits, things like that,
that is significant and that is serious.
And you do have to be vigilant probably for forever
because of that.
Now, if it was something just-
Forever.
Forever, if it was just your zip code, for example.
Right.
Okay, but what we understand to be the case here forever if it was just your zip code, for example. Right. Okay.
But what we understand to be the case here is this is a wide variety and a wide net of
PII.
Amanda, they've maybe got your PII, your personally identifiable information.
So things like your social security number, your cell phone number, PII is kind of the
jackpot of data.
Yeah. your cell phone number, PII is kind of the jackpot of data. Yeah, Jim says that could make me a victim of identity fraud, a target for phone scams.
Someone could try to get a new credit card in my name.
That would be bad.
And whatever was leaked in the Ticketmaster breach, that is just some of the data about
me that exists online.
One of the things that I have just learned over the years, almost 25 years of doing this, is
that the amount of consumer data that's collected
is just mind boggling.
It's your voting affiliation, your religious affiliation,
your addresses, what type of clothes you buy,
your keystrokes, your fingerprints,
your shopping habits, your everything, right?
You leave a trail and a footprint wherever you go
and whatever you log into.
Of course, this isn't just about my trail and my footprint.
Yeah, Jim says that the Ticketmaster breach
was part of an even bigger hack,
impacting the customers of lots of companies.
So this is like potentially hundreds and hundreds of millions of people.
Yeah, that's huge.
A lot of these data breaches are huge.
This one's particularly large.
Oh, God.
Ha ha ha ha.
Amanda, it sounds like Jim is maybe starting to stress you out a little bit there.
I don't know why you think that.
Ha ha ha ha. [♪ Music playing. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And so it goes. And I don't know why you think that. Hello and welcome to Planet Money.
I'm Keith Romer.
Amanda, we have to keep making the show.
I just need a second.
You go on ahead.
I'll catch up.
Okay.
And that's Amanda Aronchik.
Today on the show, the Ticketmaster data breach.
We are going to follow this all the way to find out where did my data go, how scared
should I be, and what am I supposed to do about it?
And how the personal and private information for all of us is being bought, sold, and stolen.
This message comes from Wwise, the app for doing things in other currencies.
Send, spend, or receive money internationally and always get the real-time mid-market exchange
rate with no hidden fees.
Download the WISE app today or visit wise.com, T's and C's apply.
Support for this podcast and the following message come from Dignity Memorial.
When your celebration of life is prepaid today, your family is protected tomorrow.
Planning ahead is truly one of the best gifts you can give your family.
For additional information, visit DignityMemorial.com.
If you enjoy Planet Money, you should try out NPR+.
With Planet Money+, you get sponsor-free listening and exclusive bonus episodes from
just this show, but you can upgrade to the NPR Plus bundle and access perks from over
20 of NPR's most popular podcasts and more. Give a little, get a lot in return. Visit
plus.npr.org. Amanda, your growing paranoia is basically right.
Yeah, I figured.
Our data is being compromised more and more often.
The number of data breaches has been steadily ticking upwards for two decades, and 2023
was, I guess, a banner year for data breaches.
Yay.
It's a little too soon to say, but 2024 could set a new, new record.
So where did my stolen Ticketmaster data go?
And what exactly was taken?
The letter from Ticketmaster says it's just my name, my basic contact info, payment card
info, which is bad.
Which is bad.
That's bad.
But Jim, the lawyer, suggested the people who stole it might have had much
more than that.
Jim Collison We sent what we knew about the breach to friend
of the show, Skyler Duveen. He is the former director of technology at WNYC, the NPR station
here in New York. He agreed to help us try to track down your data, Amanda, find out
where it went.
Amanda Maté Okay, so Skyler, you and I are setting up our
computers.
Maybe I should make a Zoom link?
Yeah, why don't you send me that by email, I guess.
Okay.
Apparently, after failing to get ransom money
from Ticketmaster, a hacker group called Shiny Hunters
posted the data for sale for half a million dollars
on a dark website called Breach Forums.
So, Skyler and I decided to log on called Breach Forums. So, Skylar and I decided to log onto Breach Forums
and see if we could find the data ourselves.
I don't think you're gonna want to click on any media
on the site.
Okay.
Even if there is some.
So this is not a place where we just freely click?
Um, if you've heard of places like 4chan...
Yeah.
You know, there's to be a lot of racial
slurs and horrible language.
Horrible people hang out there.
Obviously, we want to be careful here and we do not advise you to do this at home, dear
listener.
Skyler has created an anonymous account for us.
He set up a private window that makes us hard to track.
Skyler is a low-key IT guy.
He's unfazed, but he is still prepared for anything.
Now, I'll admit I was expecting something different.
We would download a special browser,
and we'd be visiting, like, the infamous Silk Road,
which was, apparently, the best place online for fireworks,
cocaine, porn, Social Security numbers.
I swear I wouldn't know.
No, no, why would you know?
I don't know. No, no. Why would you know?
I don't know.
This is a web forum.
It is dedicated to the buying and selling of stolen data.
Looks a little bit like Reddit, but the background is all black.
Can we find the Ticketmaster data here?
Oh, probably not anymore.
I think this is a very ephemeral chat system.
So we just poke around.
The forum is actually somewhat gamified, reminds me a little bit of Duolingo.
Keep your stolen data streak alive.
Exactly.
There is this ranking system.
You can be a VIP data seller or an MVP or top level, an actual god at selling stolen data.
Yesterday, Skyler says he saw posts offering more than 57,000 lines of data from BCP, the
largest bank in Peru, and close to 155,000 lines of data from Banco Fala Bella in Chile.
Today there is some juicy US data.
This appears to be somebody selling social security numbers.
Can we look at that?
Yeah, so let's take a look.
So up at the top, they give a list of the fields that they're providing.
First name, last name, email, mailing address, your phone numbers, social security number,
date of birth, driver's license.
Skyler explains that this is the hackers posting
a summary of the data fields they have.
Then below that, there's a little sampler,
maybe the details they have for five or 10 different people.
Now, you usually only have one social security number.
You only get one date of birth,
and once someone has those details about you,
it's not like you can ever get them back.
Yeah, these are incredibly valuable pieces of personally identifying information.
They are really helpful if somebody wants to steal your identity.
But we were not here to just look at any old data breach.
We were looking for my data, specifically, that Ticketmaster data.
Can you scroll up for a second?
Yeah.
Then as we start to poke around the message boards,
can we look for Shiny Hunters?
Is there a way to search this?
Let's see.
The Shiny Hunters.
Banned.
Banned. Their name is crossed out.
We have no clue why.
We figure we have reached a dead end.
But we continue to search the word Ticketmaster.
And then we notice something a little odd.
A post from a user with an avatar like Shiny Hunters.
The avatar is from Pokemon, but it is a different username.
Spider Hunters.
And apparently they are an MVP at selling stolen data.
The post has a big Ticketmaster logo right at the top.
Ticketmaster will not respond to requests to buy data from us.
They care not for the privacy of 680 million customers, so give you the first million users
free.
What do you make of this?
I mean, it certainly looks related, right?
And the timing somewhat matches?
Skylar, I think you found the Ticketmaster data leak.
It certainly looks like it could be.
Now, my data is not part of the tiny sample that is posted here,
but if someone bought my Ticketmaster data,
they would presumably have a lot on me.
And they could combine it with data
that was compromised in some other data breach. And they could combine it with data that was compromised
in some other data breach.
Maybe they could get into my phone or my iCloud
or my bank account.
The only way we could know for sure
is if we went and bought that data.
But as much as we at Planet Money
like to get our hands dirty learning about the economy,
we did not get permission to buy stolen data on the dark web.
But we have learned a lot about this market. It is brazen, it is bustling, and it is organized.
Skyler does point out that we shouldn't necessarily take all of this at face value.
Some of the people on this forum might actually work on the security side of things.
The FBI has actually shut down the site multiple times. It's even possible the entire site is a honeypot,
just a way to monitor and trap hackers.
Still, just in case this is a real post,
Amanda, you went ahead and sent a message to Spider Hunters
to ask if they wanted to, you know, discuss your data.
Spider Hunters, by the way, is not spelled
the way you might expect.
It's SP1D3R.
You don't have to worry about that part.
Oh, I just feel like it's respectful.
It's more respectful.
Yeah.
Here we go.
Okay.
Hello, Spider Hunters.
I'm one of the hosts of the NPR show Planet Money.
We're a popular NPR podcast that covers business, finance and economics.
Is this too much?
Does this seem like I'm just asking for them to donate as a listener?
We finished the email. I had one of those emojis with the tongue out because we're fun
like that. Also an email address they can reach us at and we hit send. I do not leave
my own personal contact info though because hey, they already have it.
So while we wait to see if we get a response from spider hunters, we decide that the next
thing we need to do is figure out how Amanda's data was stolen.
What exactly happened?
And this leads us to an equally unsettling market for our data, the legal market, where
our personal information is bought and sold every day.
That's after the break.
Read about the impact of women in music with NPR's new book, How Women Made Music, a revolutionary
history from NPR Music. This stunning anthology offers original writing and illustrations,
interviews and photos. And the audiobook includes 52 years worth of interview excerpts with
more than 60 legendary artists.
Visit npr.org slash how women made music to order now.
From poll numbers to talking points to all the drama, we get it.
Election season can be a lot.
That's why here at NPR's Pop Culture Happy Hour podcast, we're in the business of providing
a little release from the squeeze of the political season.
Try out any of our shows on the latest in TV, movies, and music to keep you grounded and bring you back to
earth. New episodes every week on Pop Culture Happy Hour, only from NPR.
This message comes from Wondery and T-Boy. The Best Idea Yet is a new podcast about the
untold origin stories of the products you're obsessed with and the people who made them
go viral. Listen to The Best idea yet wherever you get your podcasts.
For a while now, you've probably been hearing about book bands, how they're gaining momentum
everywhere in Texas, in Missouri, Florida, and Pennsylvania. On the Code Switch podcast,
we're taking a look at why. Why are so many books suddenly considered so dangerous to kids?
Listen to our new series on the CodeSwitch Podcast from NPR.
In my letter from Ticketmaster, they say that my data was stolen from an unnamed data services
provider. Turns out this is a tech company called Snowflake. Snowflake does data storage and analysis.
Basically, if you are a company that
needs to keep a lot of data somewhere, Snowflake could be like your warehouse for it. That's what
they are for Ticketmaster, for at least some of their user data. By the way, we did write to
Ticketmaster and to Snowflake, but they didn't get back to us in time for this episode. Now,
one thing that is not spelled out in Amanda's original data breach letter is how
her data was stolen.
But here's what we found out.
Back in April, a cybersecurity company started noticing something suspicious.
Some bad actor or bad actors was targeting Snowflake and some of the companies that use
Snowflake.
Companies like AT&T, Advanced Auto Parts, Neiman Marcus, Cricket Wireless,
these cybersecurity researchers figured out that hackers had stolen a bunch of Snowflake customer
logins. These were the logins that Dick and Master or AT&T would use to access their data on
Snowflake. So obviously somebody should have changed their password. People change your passwords.
These accounts were also not set up with two-step authentication, you know, where you're logging
in and then you get asked for your password and then you also get your cell phone pinged
for another code.
Two steps to confirm that it is actually you trying to access your sensitive and valuable
data.
People, turn on two-step authentication.
Yeah, Ticketmaster and Snowflake did not require users to use two-step authentication.
So it was like there was a little window that was easy to pry open and the bad actor went
right through that window and stole the data of millions of people.
Including probably my data.
Did you get one of these?
I did get one of these as a fellow Ticketmaster user.
Okay.
Justin Sherman thinks his most recent Ticketmaster purchase was tickets to SZA.
Aside from loving contemporary R&B, Justin also founded a company called Global Cyber
Strategies in DC, and he's the go-to guy for all things cybersecurity, data privacy,
AI.
Justin says that Snowflake,
the company at the center of the breach,
their business isn't just about storing and analyzing data.
They also operate a data broker marketplace.
And it's like eBay for your data.
You type in health or location, you hit enter,
you add to cart and you check out.
This data marketplace is part of a multi-billion dollar industry that makes its money off
of the buying and selling of personal information.
A lot of personal information.
How many pieces of data about me do you think are out there?
I'm glad you asked this question.
So there are single companies that
sell 13 or 14,000 plus data points on one person.
Okay, so let me break this down for me.
So one data point is my first name,
one data point is my last name,
one data point is my date of birth.
What are the other 12,997 other data points?
Let's put it this way.
If you think of every single moment of your life that can be tracked,
those are the kinds of data points that can be bought and sold.
Yeah, that's how a lot of the internet gets paid for.
We get to use websites for free, and those websites make money by collecting data about us
and selling that data on to whoever will pay for it.
And what has been happening over the last decade is some companies have collected a truly
astounding amount of data. Justin says they have become these giant centralized repositories for
all of our personal information.
We all know the saying, don't put all your eggs in one basket.
Yeah, my 13,000 eggs.
Exactly, when companies or government agencies take thousands of those eggs on
hundreds of millions of people and plop them in one place, you're building a
really attractive target where if someone gets in, all of this aggregated on hundreds of millions of people and plop them in one place, you're building a really
attractive target where if someone gets in, all of this aggregated commercial data is
sitting there ready for the taking.
So in many ways, the illegal market depends on the legal market, on all of these companies
collecting all of our information.
Now Justin isn't just worried about hackers stealing our data.
He is also really troubled by this fundamental invasion of our privacy online, how these
companies buy and sell our personal information on the legal market.
So the next thing he wants to show me is part of that legal marketplace.
It's a website that sells lists of senior citizens. So what we're looking at here is a database that it says, quote, gives you access to seniors
who are currently being cared for by an adult child or family member, unquote.
So this is people who require pretty extensive care, seniors who require care.
These are people who require extensive care.
There are over 20 million people in this database.
It is for sale.
And you'll see here that it includes ways you can contact these people, their postal
information, their email, and much more.
And this isn't like skirting around the law, like this is legal legal?
This is driving down the highway, mine's in my own business legal.
This site says it is a direct marketing company.
Their business is selling lists of people who fit certain demographics.
What's really horrible is there's a phrase, suckers lists.
And this refers to exactly what we're looking at on the screen. It refers to databases about people that companies have determined are gullible.
This is often elderly people and often includes diminished cognitive capacity, so suffering
from Alzheimer's or dementia.
And the reason they're called suckers lists is scammers love these lists of people.
It is creepy enough when I imagine a bunch of cyber criminals buying and selling my data.
But it's even creepier when it is happening in the legal market.
So, what are the rules governing that giant basket of my 13,000 eggs?
To find out, we called up a regulator, not just any regulator, but the
director of the Consumer Financial Protection Bureau, Rohit Chopra. Of
course, the first thing I do is show him my letter from Ticketmaster. Did you get
one of these? Oh, the breach notification letter. Yeah, I got that. Look, I get these
things on an almost monthly basis. CFPB directors, they're just like us.
For Director Chopra, his downfall was buying tickets for the Eagles, the football team, not the band.
Go, Birds!
Yay! Very authentic.
Thank you.
So, back to the reason I reached out to Director Chopra, the rules.
Now, there is, of course, HIPAA, which prevents your doctor from selling your private health information.
There's also a law protecting students.
Some states have their own privacy laws, too.
Really though, Director Chopra says there is not much more than that.
In the U.S., we don't have that many laws that put restrictions on the type of data
you can harvest on people, except really for one,
the Fair Credit Reporting Act of 1970.
Before 1970, all kinds of businesses in the U.S.
kept track of all sorts of personal information.
We've had a long history in our country
of companies digging up dirt on all of us.
Did we pay our bills on time? Who are we associating
ourselves with? Are we cheating on our spouse? Companies would sell reports about
us, about our character, about who's a good one and who's late on their bills.
Director Chopra is talking about credit reporting and the companies that determine what today
we call your credit score.
Isn't this sort of a service?
Like this is how commerce works.
You need to know if somebody is worthy of credit,
worthy of loans.
Maybe it's a very reasonable thing to do.
Well, I think where the concerns were
was the consumer never really consented to any of this.
The reports that were about them could have been totally inaccurate or just full of rumors.
And I think there was a sense in the Congress that there needs to be some limits on this
because it isn't just creepy, it really felt unfair.
Hence, the Fair Credit Reporting Act of 1970.
It's been amended a few times since then, but basically the law requires that credit
bureaus make sure the information they have is accurate, make sure consumers can access
these reports, and that people can dispute anything that's not accurate.
And these credit bureaus can't just sell this data to anyone that wants it.
It is for potential employers or potential lenders or potential insurers, that kind of
thing.
That is how our data is supposed to be managed.
But when we actually look at today's economy, we see a lot of other companies who are essentially doing the same exact thing.
Selling our background information, digging up dirt on us for companies that want to sell things to us using targeted marketing.
And these data brokers, they don't usually consider themselves covered by this law.
They say they're not credit bureaus, even though they might be selling things like
info about our salaries.
So we are developing rules that will bring some sanity into how our personal data is
handled and in many cases on whether it should be trafficked at all.
The idea is for these new rules
to extend some of the protections
that are in the Fair Credit Reporting Act
to the other companies that have a lot of our data.
The CFPB says they're publishing these proposed rules soon.
But for now, without more regulation,
I guess this is on me.
My data is out there doing God only knows what,
and it seems there's not
much I can do about it. The most obvious thing I can do is in that original
letter from Ticketmaster. They have offered me free credit monitoring. I asked
Jim, the lawyer, to help me decide whether or not I should take it.
You will have access to one or more credit monitoring services through one of the
big three credit bureaus,
TransUnion, Equifax, or Experian.
So basically, one of those big three credit bureaus
will monitor my online info.
In my case, it's going to be TransUnion.
Yeah, if Spider Hunters sold your data to a bunch of scammers,
they might try to get a credit card in your name,
steal your identity, who knows?
And this monthly report will let you know
if something like that actually happens.
By the way, Spider Hunters never did message me back. I will probably never know where my data ended up.
So maybe credit monitoring is a good option. Jim and I look at the offer together. Okay, and I have a code.
Be careful.
So yeah, so should I not do this or should I put in my activate now?
Well, let's see. Hang on a second. Let me just look here to see terms and conditions.
Oh, this is so great to look at terms and conditions with a lawyer.
Very helpful.
It says right here, if you click on it, the terms and conditions below contain an arbitration
agreement and a class action waiver.
There you go.
So you're out of the class and you can't bring a class action against TransUnion.
So, basically, if I take the free credit monitoring service, I waive my right to sue.
Then, Jim says, let us take a closer look at some of the other terms and conditions.
Oh, by the way, by accessing CreditView Dashboard, you agree that TransUnion may use and share
your information.
No. Yes.
So the company that you're hiring to protect you is using this as a grab bag to sell your
data.
Jim points to the very bottom of TransUnion's website.
In small font, there are the words privacy policy.
If you click that link, you will find pages and pages about all the ways in which they
disregard your privacy. So it says when you enroll, TransUnion about all the ways in which they disregard your privacy.
So it says when you enroll,
TransUnion is collecting the usuals,
my cell number, my date of birth,
my social security number,
and this privacy policy is saying
that they may also start collecting
and selling more personal information,
my ethnicity, marital status,
where I work, where I am,
what I've been putting into online forms,
how long it took me to fill in those online forms,
oh, and everything I buy, everywhere I go,
and everything I do online.
So you clicked in as something,
as a result of a data breach,
to use their credit monitoring service,
and you've just agreed for them to share all of your data
and use it basically however they want.
Oh, it's really bad, Jim. It's so bad. It's so cynical. It's so bad.
It's bad. It's bad.
We reached out to TransUnion. A spokesman said that the arbitration waiver, the part where Amanda
had to waive her right to sue them, that was posted in error, we checked, and
it has now been removed.
A spokesman also said when Amanda logged in to get her credit monitoring that she was
using a product called My True Identity, and that the information TransUnion requests when
consumers enroll in My True Identity is, quote, essential for verifying their identities and
providing the requested services, and
that my true identity does not sell consumers personal information to any third party for
any reason, end quote.
So TransUnion is saying that no, they will not sell my usuals, my cell number, my date
of birth, my social security number.
They won't sell the information that I gave them to enroll in this program.
But I definitely had to agree to their privacy policy, which states pretty clearly that they're going to collect other personal information and maybe sell that. And who knows? What if that data
someday gets stolen in a data breach by a hacker? Which I mean, it feels like we're back at the
beginning of the episode, Amanda. Yeah, we might as well just start it again.
Little Mobius strip planet money.
There you go we could just play it over and over and over again endlessly.
How's it start?
It starts like this.
Okay hold on wait wait what's this over here?
Oh it's my letter from Ticketmaster.
Did you get one of these?
Oh yeah I did get one of those.
No you don't lie.
Oh I didn't get one Amanda.
Let me tell you what it says right here.
Notice of data breach.
Oh, that sounds bad.
It is bad.
I don't know.
Today's episode was produced by Sam Yellowhorse Kessler
and edited by Meg Kramer.
Engineered by Ko Takasugi Chernevin
with an assist from Quazy Lee
and fact-checked by Danya Sulema. Alex Goldmark is our executive producer.
Thanks this week to Brent Braceland at Piper Sandler, Joel Fishbein at Truist Securities,
and Troy Hunt.
I'm Keith Romer.
And I'm Amanda Oranjic. This is NPR. Thanks for listening. I tend to live more in this light. card are just some of the podcasts you can enjoy sponsor free with NPR Plus. Get all sorts of perks
across more than 20 podcasts with the bundle option. Learn more at plus.npr.org.
This October, heal your existential dread with shortwave. We're going to talk about the science
of why we die and come out the other side with answers to live better as we
live longer. Hear about the innovations when you subscribe now to Shortwave, the
Science Podcast from NPR.