What’s supercharging data breaches?

It may seem like data breaches have gotten a heck of a lot more common. Well, there’s something to that. The bad guys are getting badder faster than the good guys are getting better. 

This week, we’re bringing you five episodes on the evolving business of crime. Today on the show, we look at why the evolution of data breaches has been supercharged and why you don’t have to be a hacker to get into the game.

Related episodes: 

Are data breaches putting patients at risk? 

So your data was stolen in a data breach

Fact-checking by Sierra Juarez and Tyler Jones. Music by Drop Electric.

Transcript

NPR.

This is The Indicator from Planet Money.

I'm Wailin Wong.

And I'm Cooper Katz McKim, a producer on the show.

Okay, Wailin, we've talked about the dark web before.

Yes, it's part of the internet where people go to do all kinds of illegal business.

So it sounds scary, but you know, I wanted to actually see what it looks like.

Is it all just like a black background with red text kind of thing?

So I checked in with Michele Campobasso, a cybersecurity expert in Italy, and he actually took me there, specifically to this ransomware site.

What they do is that they have this kind of blog where they post notices for their victims with a countdown of if you don't pay us by the end of the countdown, we are going to release data.

And what he showed me were these caches of data of high schools, of hospitals, of entire cities that have lost their data because they didn't pay some ransom.

This is one example of how data is breached.

There's also malware, deepfake fraud, the big corporate breaches you hear about in the news, and all of it is happening for the purpose of extracting value from your information.

It's a very flourishing market.

It works.

It just works.

This week on The Indicator, we're bringing you a special series on the evolving business of crime.

When it comes to data breaches, that evolution has been supercharged.

So, today on the show, we look at how that's happening and why you don't have to be a hacker anymore to get into the game.

Okay, Wailin, picture this.

You're in your kitchen, morning light beaming through the window, plants getting fed.

You open a newspaper and there's a big headline: data breach.

AT&T sees phone records of nearly all customers stolen.

And you're wondering, am I a part of that?

Well, I'm an AT&T subscriber, so probably.

And if you want to know for certain if your data was gobbled up, Troy Hunt may be able to help you.

I started the data breach search service Have I Been Pwned.

He said pwned.

Okay, I've always wanted to know how that was pronounced because I only ever saw it spelled.

P-W-N-E-D, right?

Yeah, it looks kind of like gibberish.

And it actually is gibberish because it comes from a misspelling of the word owned from the video game world.

So when someone's data has been stolen, they've been owned, I guess, or pwned.

Right.

So Troy's company is based in Australia.

It's actually a free service that he offers to anyone around the world.

Whenever there's a breach, Troy finds the public information and indexes it on his website to let people know if they've had their data stolen.

This, unfortunately, happens a lot because data breaches happen a lot.

Well, look, I'm receiving data every single day.

On average, I would receive multiple data breaches a day.

It's a little bit of one of those tip of the iceberg sort of scenarios.

We've got 15 billion breached records in Have I Been Pwned, and I'm quite sure that that would be somewhere in the order of 10% of the total number that have occurred over the course of time.

One in five people living in the U.S. have been targeted with malware that steals their information.

According to one estimate, in an eight-month period, cyber criminals made $140 million in revenue from selling stolen data products alone.

So, yeah, cyber criminals clearly value your information and are getting it.

Okay, Cooper, I'm going to put my personal email into Have I Been Pwned to see if I'm one of those one in five.

I'm curious.

Yeah, let's find out.

Okay, here I go.

Oh, 26 data breaches.

Okay.

It says, oh no, pwned.

This email address has been found in multiple data breaches.

So I scroll down.

Oh, Neiman Marcus.

That was the last time I shopped at Neiman Marcus.

That was something Troy was saying, actually, was that sometimes it just shows up in random things because other data breaches lead to other data breaches.

Ugh, this is all very demoralizing.

I know, we're learning a lot about you.

It's like, it's almost like this information shouldn't be made public.

Uh, okay.

So, like, one of my credentials that has been compromised is for MyFitnessPal, which I don't even remember the last time I logged in or used it or anything.

And I don't think that's necessarily that valuable, but it's like cyber criminals just want a bazillion passwords and then hope one of them leads to something of value.

That password is one key in a metaphorical pile of keys.

Criminals don't know where they lead, but they're willing to try every house and car in the neighborhood until they find something that works.

For instance, maybe my MyFitnessPal password is the same as my bank password.

Yes, hopefully not.

Nope, it's not.

Don't even try it.

Do not try it.

But look, this market is growing.

The U.S. is already on track for a record year in data breaches in 2025.

So it's not actually easy to quantify just how many data breaches there are because they're often not reported.

But experts agree they've gone up.

Between 2023 and 2024, the cost in the U.S. of a data breach has actually increased nearly 10%.

The reason this market is moving like a freight train is because it's hard to protect against.

Bad actors are adjusting very quickly.

Stuart Madnick is a professor at the MIT Sloan School of Management and the founding director of cybersecurity there.

I often say the good guys are getting better, but the bad guys are getting badder even faster.

So how are they doing this?

Stuart says one way that cyber criminals are staying ahead of the curve is AI.

We've seen several examples of how cyber attacks have been greatly accelerated due to AI tools.

A study by IBM found 16% of data breaches now involve AI.

Another found that 80% of all ransomware attacks have been accelerated because of it.

Stuart tells us it changes every aspect of cybercrime because data collection tasks just become easier.

And you might think this is just for bulk breaches.

Like recently, we saw Ticketmaster or TransUnion, but AI can even help with higher effort individual crimes.

Take spear phishing.

This is a kind of hyper-focused cybercrime where you learn as much as you can about someone and then you pretend online to be their trusted colleague or boss or partner and you impersonate that person and you ask for your login info or to transfer some money.

That takes time and effort.

Guess what?

AI systems can do that splendidly, much faster and in many cases, higher quality.

And not only that, he says AI offers another advantage, franchising.

Hackers are finding what works and then just selling it to other people.

Once I built the tool to do that, it's kind of easy to say for $10,000 or 50% of the gain, here, I will give you this tool.

So there's a multiplying effect going on on the bad guy world.

Yeah, while once upon a time the dark net was just full of products like credit card and Social Security numbers, there are now more services for sale.

It's allowing cyber criminals without a technical background to get into the game too.

Anyone can, for example, pay a subscription to license a top-notch malware service.

Franchising also helps criminals because it means they're actually sharing knowledge and collectively learning from it, which they are distinctly better at than their victims.

Cyber criminals are learning faster and adjusting faster.

Big companies could certainly learn from other data breaches, but oftentimes they're not desperate to share that they've been hacked.

It's bad for publicity.

It raises all kinds of legal issues.

It encourages copycats.

Meanwhile, cyber criminals benefit from sharing that information.

The bad guys have huge egos, and number two, they sell the information.

So I can say, hey, I'm the one who shut down Capital One, and for $10,000, I'll tell you how you can do it to another bank.

Stuart, what are you admitting to us?

Calls coming from inside the house.

Stuart's been to a lot of conferences lately, and he keeps asking rooms full of people if they think the cybersecurity situation will be better, worse, or the same in 10 years.

90% say it'll be worse than today.

Doesn't mean we're not going to try to hold back the tide, but the tide is rising against us.

There are plenty of ways to protect yourself.

Keep your systems updated, use two-factor authentication, and don't repeat passwords.

You know, but ultimately, experts tell us it's unrealistic to expect individuals to be the ones to go up themselves against these cybercrime syndicates.

I mean, it's not reasonable.

Governments, businesses, and academics, in some experts' opinion, they need to come together to create a more robust solution here.

So stay wary.

If your boss suddenly asks you to send over 10 grand, maybe double check.

Tomorrow, we're bringing you another episode of the Vice series.

This one details how the drug trade is wreaking havoc on the environment.

This episode was produced by Corey Bridges with engineering by Cena Loffredo.

It was fact-checked by Sierra Juarez.

Kate Concannon edits our show, and The Indicator is a production of NPR.

Yes, speaking of, Wailin, could you send me 10 grand?

This is not a deal.

Oh, yeah, sure.

What's your Venmo?

Oh, perfect.

Okay, it works.
