How useful, really, are the steps you can take after a data breach?

This message comes from Fidelity Wealth Management, where a dedicated advisor will work with you to help grow and protect your wealth. Fidelity.com slash wealth.
Investment minimums apply. Fidelity Brokerage Services, LLC.
Member NYSE SIPC. This is Planet Money from NPR.
Hello, I am Kenny Malone. And I'm Amanda Aronchik.
And we are here because, of course, the season of giving is upon us, the spirit of giving. And in that spirit, Amanda, we at Planet Money would like to share with everyone a sample of what our bonus content sounds like.
So usually what you're about to hear, it's just for our Planet Money Plus supporters. But today we're making this bonus episode available to everyone, to all.
Yes, these episodes come out every two weeks. You know, basically our bonus episodes, they might be extended cuts of interviews.
They might be interviews that come from our newsletter. We might talk about how an episode was made.
Occasionally we do a movie club where we talk about economics in a film. Kenny, I understand that you are going to do that again soon.
Love it. Oh yeah.
Christmas at the alpaca farm. Is that really the movie? Yeah.
There is a lot of economics in this. The economics of how Christmas rom-coms get made.
The economics of the fiber markets. And the more I say it, I know the more it sounds like it is a joke.
It is not a joke. Sounds delightful and seasonal, honestly.
Anyway, sometimes we watch movies and we talk about them on the bonus feed. But then sometimes we're also just working on an episode of the show and there's extra material that didn't fit in and we want to share it.
And that is what we're here to do today in this bonus episode. So Amanda.
Yes. You recently did an episode, a whole episode on what happens when your personal data gets stolen.
And you had a bunch of extra reporting on it that I have been begging you to tell me about personally. Yes, that's true.
And for the season of giving, I come bearing news you can use. It fits in a stocking.
Yeah. We wrap it up, you like put that under the tree, put it in the stocking.
This is advice on what you can do to protect your personal information if you've been part of a data breach. Even if you have not been part of a data breach, some of this will be news that you can use.
I will tell you that part of the genesis of this episode was while I was making the data breach episode, I would like lie there at night and be like, oh my God, I got go change my bank password. And then like, I'd wake up and then I'd like, oh my God, I gotta go set up two-step authentication.
I would have all of these like, so over the course of making the episode, I learned a lot about how to protect your data, my data. And now I'm going to share that.
Okay. So if you would like to hear more bonus content,

like what you're about to hear, you can sign up for Planet Money Plus at plus.npr.org. That is

plus.npr.org. There are other perks as well, including our regular episodes sponsor free.

And if you are a part of Planet Money Plus already, then thank you. Thank you for supporting us.

Genuinely, this keeps our work and the work of NPR going.

It really is. And if you are a part of Planet Money Plus already, then thank you.
Thank you for supporting us.

Genuinely, this keeps our work and the work of NPR going.

It really does. This is super helpful.
We're very grateful when you subscribe. And with that, we hope you enjoy this conversation.
We will be back with a regular episode for you later this week. Support comes from our 20...
Thank you. accelerates your journey.
With smart business buying, get everything you need to grow in one familiar place. From office supplies to IT essentials and maintenance tools, Amazon Business takes the familiar Amazon buying experience and adds tools that help you save costs and make inside space decisions.
Ready to bring your visions to life? Learn how at amazonbusiness.com. This message comes from Fidelity Wealth Management, where a dedicated advisor gets to know you and your goals to build a comprehensive plan to help grow and protect your wealth.
Backed by a team of specialists, they can analyze all your accounts to stay on top of taxes and provide proactive portfolio insights that can help you unlock your wealth's full potential. Learn more at fidelity.com slash wealth.
Investment minimums apply. Fidelity Brokerage Services, LLC.
Member NYSE SIPC. And we're back.
Okay, we're going to start this. Ready? Classic, classic radio.
Oh, yeah. Kenny, you just love to shuffle a little piece of paper.
It's what we do.

It's what we do.

That is a rather voluminous letter I received.

In fact, everyone in my family received one of these, telling us that we were all part of a substantial hack.

Yeah.

Let me get a little sound of that again.

So that letter, just FYI, that is required, I believe, by all, that they send you a letter saying, hey, sorry, my bad. We got hacked.
And this one in particular is like not the company I was doing business with. They apparently were managing data on behalf of the company I was doing business with.
So it's, this letter in particular is funny because it's like, hey. You've never heard of us.

You've never heard of us.

But one thing you should know about us is we know a lot about you.

And it does seem like those are prime targets, these companies that are like central warehouses for data.

Hackers are identifying places that have a ton of data on hand as opposed to like, oh, I'm just going to go hack you, Kenny.

What's the point when I could go get hundreds of millions of data about all sorts of different people?

Yes, and this is particularly frustrating to me, I will say before we get into this, because I'm very careful about my passwords. I change my passwords all the time.
I use very complex passwords that I can't remember. I use a password manager to keep track of them.
I use two-factor authentication. It doesn't matter in this case because they didn't hack me personally.
They hacked this big company that had all of my data. Yeah.
I'm so sorry, Kenny. That's the worst.
Yeah. So anyway, I have a very basic question.
Yeah. I got this letter and there are all these suggestions about what I could do in this letter.
Can you help me understand what I am supposed to do? Yes, I will do my best. Okay.
Letter noise, letter noise, letter noise. There are, I think, about five or six suggestions in here that I would love to just go through with you.
And you can tell me, are these useful? Are they BS? Or are they somewhere in between? Shall we? Yeah. Here we go.
Thing it suggests, number one, order my free credit report. So what this means is that, you know, there are companies, Experian, TransUnion, what are the, what's the other major one? Equifax.
Equifax, I always forget. Those are the three big ones.
These are the major credit bureaus. They keep track of tons of our information to tell someone else how likely it is that we are to pay back a loan.
I mean, that is their very basic function in society. Yes.
Are you credit worthy? Is it worth lending you some money? Can you pay it back? Have you historically paid it back? Correct. All of that stuff.
Okay. So you can order a credit report from one of these companies if you've never done it about yourself.
And so here I am being told that this could maybe help me in some way now that I've been hacked. Should I do that? Is it helpful? Yes.
That one is helpful. It is always helpful to get your credit report, take a look, have a sense of like what they're keeping track of.
And a big reason to do this is because the time between the hack and when you get that letter, it's not supposed to be very long, but sometimes it takes months. So it is very possible that something bad and suspicious happened in that time period.
So that's going to be backwards looking. I think the credit reports will often say like, hey, remember when you asked to take out this line of credit? And I'll be like, no, I didn't ask to take out this line of credit.
Yeah. Okay.
So this is a check-in. I mean, this is something that people should just do regularly anyway.
This is a helpful thing. Make sure that you know, you know, has your credit been impacted by the hack? And maybe even you'll just see some other things that have nothing to do with the hack that you should just be aware of.
Okay. That doesn't sound fun, but I will look that up and read that.
And this is very easy to do, by the way. We're going to say this over and over again, but we will put links in our show notes.
So if we mention anything here in this episode, we are going to put links in our show notes. You can go find those.
Okay. So not BS, get your free credit report.
Great. Thing number two, enroll in credit and identity monitoring services.
Okay. So I've never done this before, but presumably this is a service that just, that I guess this,

this company that got hacked.

Mm-hmm. I've never done this before, but presumably this is a service that just – that I guess this company that got hacked is now providing me for free to just like keep an eye on whether someone is going – is taking out like a line of credit in my name or something like that.
Yeah, this is a funny one. Some states actually require that they offer you free credit monitoring if you've been involved in a data breach.
But again, it depends on the state and also the personal data involved. There is actually an academic paper from 2012 that says if they offer you this service, this free credit monitoring, it's going to reduce the likelihood that you sue them by a lot.
Oh, interesting.

What will often happen is you'll get this letter and it'll say in there that they've

made some sort of arrangement with another company and that company will offer you free

credit monitoring, which is basically a report.

It's not your credit report.

It's like a report that comes to your inbox or you can have it mailed to you.

And it's going to say like, hey, you know, we were watching this.

We saw some suspicious activity here.

We saw this email used here.

Somebody pinged us about this.

I have been doing it for years with Experian, and that one's actually pretty detailed.

Was that after the hack you did it?

Yeah.

And I will admit that like I've gotten this offer so many times.

I don't pay that close attention to it.

Maybe to like the emails they send you or whatever. To the emails that they send me.
It's not, not useful. Okay.
Not, not useful. We put it, we should have put that in on the, on our, on our rubric.
Well, I do have a question that I don't, I don't know if you know the answer to, but if I enroll in one of these credit monitoring services or I request my free credit report, do any of these affect my credit score? Do they affect my credit? Because I think the more people run... No.
Okay. Yeah.
That'd be messed up. Yeah.
So here's the trick with these things. Yeah.
So let's say you were offered credit monitoring from one of the big three credit bureaus. This is where you want to be a little bit careful as you sign up.
It is very possible that as you go in, and this is what happened to me, that as you go to sign up, you will be asked to waive your right to legal action. You will not be able to sue the credit bureau.
Yeah. So helpful to join the credit monitoring.
However, read the fine print. Read the fine print.
Read the fine print. Because you may be waiving your right to be part of some large litigation or something.

Right.

So not BS, a little asterisk, but okay.

Yeah, take a look.

I mean, always take a look at the fine print, but like the whole internet is based on us not looking on the fine print.

But if you can do it, try.

Sometimes it's well written.

Suggestion number three.

Yeah.

Contact the U.S. Federal Trade Commission.
You know who doesn't want to hear from you? The U.S. Federal Trade Commission.
No, that's not true. You can try.
I mean, the way the FTC is handling this is if they get a lot of complaints about something, they will go and act on that. Are they going to call you, Kenny, and be like, hey, Kenny, I'm going to help you out? We've been looking at your case, Kenny.
Yeah. Working overtime on it.
We've all talked to the FTC a couple times. They are trying with their limited resources to help people.
So you can send a complaint to them if you want. Uh-huh.
I mean, and to be fair, it seems that what it's actually telling me to do is like, go read whatever they've written about how to protect yourself from identity theft. That seems to really be what they want me to do is like go read whatever they've written about how to protect yourself from identity theft that seems to really be what they want me to do i actually do encourage you to do that it is very well written it's very straightforward they have uh guides for consumers and they also have guides for businesses like they have you know so you've been hacked what should you do uh for your customers and they're actually not bad uh they're not bad resources.
We'll provide links. Okay.
That one is very funny, though. Item number four, place a fraud alert on your credit file.
Yes. So if you, again, go to the big three, Experian, TransUnion, and Equifax, there are a bunch of things that you can do while you are there.
And one of them is place an alert on your credit file. What this is going to do is if somebody, like let's say you go to Macy's and you decide you're going to go get one of those like Macy's cards or something like that, and Macy's calls to see if Kenny is worth giving a Macy's card to, they're probably going to call you up.
They're going to contact you and be like, did you actually want this? Got it. So that's what that fraud alert does.
A kind of like second or third factor authentication on credit lines. Yeah, that one is not a bad idea.
Okay. Not bad, not bad.
Fraud alert. And do I do that with all three of the big credit bureaus? No, you do not.
If you place a fraud alert on your credit report with one of the credit bureaus, they say that they will notify the other two. Right.
Okay. All right.
So yet again, not a bad idea. Not a bad idea.
Okay. Final recommended step.
This is a big one, and it's one that I actually have thought about a lot. This is a recommended security freeze.
I guess I should say it's not recommending it. It's saying, quote, you have the right to request a credit freeze from a consumer reporting agency, which is another name for the credit bureaus.
So that functionally locks down your ability to take out a loan. So, you know, get a new line of credit, maybe extend an existing line of credit.
It locks that ability down unless you preemptively like open it up because you know you're about to request a new line yes this does appear to be the kind of gold star of what you can do to protect yourself which is you are going to freeze your credit which means that uh as you said you are no longer able to get a loan for anything but it's not isn't actually – I was a little bit surprised when I started to dig into it a little bit more. It doesn't stop all sorts of other processes.
Like people can still – like if you were trying to get a job, somebody can still call up Experian and be like, can I look at the report? And the answer is probably yes. Okay, sure.
You're not trying to like open a new line of credit. That makes sense.
So most things still happen. But your credit is frozen.
And so nobody can get a loan in your name. Yeah.
The big three make this quite easy. You just go online and unlock.
Yeah, to freeze and thaw. Freeze and thaw.
Is that the terminology? Yeah, that is the parlance. Yeah.
It seems obvious to me that a security freeze is useful. It is an armor plate against someone doing one of the worst things they can do when they steal your identity, which is tank your credit by taking out a giant line of credit in your name.
Right. This is this is the medicine I was kind of dreading.
I would you would need to take in a situation like this because it seems it definitely seems inconvenient, but but obviously helpful. So yeah, and it will not take you very long.
Okay. Okay.
I will do that, especially before this episode runs, telling everyone that I've been part of a giant hack. Yes, not a bad idea.
So that's all that's in this list, basically. Is there anything else I should be doing? Yeah, we at NPR have a service called Delete Me, which is like a privacy service that helps scrape you off of the internet, your name, your phone number, your address.
It's basically like – The image that you've like landed flat on the internet and they're like peeling you off. Yeah, they're trying to peel some of your information off of the internet so you're harder to find your address, your email, your cell phone number.
Harder to find. And it's – honestly,'s been effective.
Okay, pretty helpful. All right.
Anything else that one should do after they've learned that they're part of a gigantic hack? Yeah. I mean, you should look on your credit card.
You should look on your bank statement. Yes.
I can't believe we didn't even say that. I can't believe we didn't say that.
Go look and see if there's any weird charges that you don't recognize. Do you know the one that kept happening to me? What's that? is like tiktok purchases not on this one but like when someone got a hold of a credit card number they just kept buying crap through tiktok like on people's tiktok stores no not okay i guess it's connected to your credit card like you probably like or maybe not showed up as tiktok purchases and it was like obviously i didn't make this purchase this is outrageous your your credit card is your friend in fraud.
Like they do not want you defrauded. It is up as TikTok purchases and it was like, obviously, I didn't make this purchase.
This is outrageous. Your credit card is your friend in fraud.

Like, they do not want you defrauded.

It is very expensive for them.

They have very good mechanisms set up to, like, find fraud.

So you should be watching your credit card and you should be calling them up if you see charges that you don't recognize.

Same with your bank.

This is something that I learned also doing research here was, like, I think that feeling of, like, oh, my gosh, I've got to change my passwords constantly feels very overwhelming because you have so many passwords. So one thing you can do is just make sure you do the big ones.
You do your email. Change that all the time.
You do your bank. You do your credit card.
You do the things that have access to your financial and personal, like most sensitive information.

Right, right.

Or your email is like,

unfortunately, the key to everything.

Right.

So you want to protect that. Yes, you definitely want to be protecting your email

because yes, because chances are too,

at some point you email the password to somebody

and it's sitting there in your email.

It's a lot of personal information in your email.

And the password manager thing,

I have very mixed feelings about.

I'm using Google Chrome password manager

Thank you. And it's sitting there in your email.
It's a lot of personal information in your email. And the password manager thing, I have very mixed feelings about.
I'm using Google Chrome password manager. It's fine.
It's sort of out of laziness. I have not done the best and brightest research on this.
I have not done a ton of research on this. But we are offered a password manager at work.
I have not taken it partly because I think of password managers as centralized repositories of data. And they get hacked too.
It is a centralized repository of all your passwords. They get hacked too.
So they are being extra super duper careful. Theoretically, your passwords are encrypted in some way.
Yeah, but being all in one place makes me nervous. But I think for the most part, people in this field or in this area will say to you, yeah, that's a good idea because it'll help you have strong passwords.
What's clear is you're choosing which risk you want to take here. That is all that exists in this horrible dystopia that we've created for ourselves in the data world.
Yeah, this is how we get the internet for free is we give up our data. Have I learned everything? I don't know.
Oh, yeah, I was just going to say, also just for basic password manager, if you have an account that offers two-step authentication, do it, use it. That seems to be how people hack very easily is setups where they didn't do two-step or multi-factor authentication is the other term for you.
I just want to say, I know it's a little annoying to have multiple steps, but may I suggest a reframing in your head?

Think of it not as an annoying sort of extra hurdle.

Think of it as a fun little scavenger hunt that you get to play where it's like you get, ooh, now I'm going over here to my phone.

And ooh, now I'm going over here to my email.

I'm going to type it in.

It's like an escape room, really.

It's like an escape room of your own life.

Yeah, that's fun. See? Reframe it.
That's fun. And then multi-factor authentication rules.
So, I mean, the sad part for me in all of this, though, is how much is put on you, Kenny? How much was put on me? I think this is some real BS. I don't think we should have to spend all of our time.
And money. We've reached BS category.
And money. Like, there is an industry of the – there is an industry of identity protection.
I'm paying a lot for a password manager. Yes, that's right.
And a lot of these protections are so that you're not the lowest hanging fruit, right? So that you're actually kind of a pain to hack. That's what you're doing here is trying to make you a less obvious target.
I see. You don't have to outrun the bear.
You just have to outrun someone else. Because there are people outrunning the bear.
Outrunning the bear. That's right.
Oh, exactly. When you put it like that.
True. That is true.
All right. This is exactly what I wanted.
Good. Just going to go lock and unlock my credit.
Yeah, that's right. There you go.
Beautiful. Well, Kenny, thank you.
This has been fun. Thank you, Amanda.
No problem. Happy to share all this.
So listen, we're going to put links to the resources and websites that we talked about, or that Amanda talked about. She's going to do all of that work.
I don't know why I'm saying we. It's going to be you, Amanda.
You got all the work to do. I'm going to do that.
That's going to be in the show notes. And we're also going to link to Amanda's original episode, which is great and about kind of more of the system here that allows this kind of hack to happen.
Yes, it's about the illegal and legal markets for our data. Amanda goes on the dark web.
We go on the dark web. It's fun.
Once again, we make bonus content like this one every other week for our Planet Money Plus supporters. So if you want more Planet Money in your life and you want to help keep our work and the work of NPR going, you can sign up for Planet Money Plus.

That is at plus.npr.org.

Plus.npr.org.

I'm Kenny Malone.

And I'm Amanda Aronchik.

This is Planet Money from NPR. Thank you.
courses like BattleBots, AI, coding, game design, and more. Visit IDTech.com and use code IDTech to save $150.
This message comes from Capella University. At Capella, you can earn your degree with support from people who care about your success.
A different future is closer than you think with Capella University. Learn more at capella.edu.
This message comes from Discover,

accepted at 99% of places that take credit cards nationwide. If you don't think so,

maybe it's time to face facts. You're stuck in the past.
Based on the February 2024 Nielsen report,