The Indicator from Planet Money
A bite-sized show about big ideas. From the people who make Planet Money, The Indicator helps you make sense of what's happening in today's economy. It's a quick hit of insight into money, work, and business. Monday through Friday, in 10 minutes or less.

    Episode • October 7, 2025 • 9 min

    What’s supercharging data breaches?

    It may seem like data breaches have gotten a heck of a lot more common. Well, there’s something to that. The bad guys are getting badder faster than the good guys are getting better.

    This week, we’re bringing you five episodes on the evolving business of crime. Today on the show, we look at why the evolution of data breaches has been supercharged and why you don’t have to be a hacker to get into the game.

    Related episodes:

      • Are data breaches putting patients at risk? (https://www.npr.org/2024/03/13/1197962967/are-data-breaches-putting-patients-at-risk)
      • So your data was stolen in a data breach (https://www.npr.org/2024/10/30/1211165444/ticketmaster-snowflake-data-breach-hack)

    For sponsor-free episodes of The Indicator from Planet Money, subscribe to Planet Money+ via Apple Podcasts or at plus.npr.org (http://plus.npr.org/).

    Fact-checking by Sierra Juarez (https://www.npr.org/people/1268825622/sierra-juarez) and Tyler Jones. Music by Drop Electric (https://dropelectric.bandcamp.com/).

    Find us: TikTok (https://www.tiktok.com/@planetmoney), Instagram (https://www.instagram.com/planetmoney/), Facebook (https://www.facebook.com/planetmoney), Newsletter (https://www.npr.org/newsletter/money).


    Transcript

    0:01
    NPR.
    0:11
    This is The Indicator from Planet Money. I'm Wailin Wong.
    0:14
    And I'm Cooper Katz McKim, a producer on the show. Okay, Wailin, we've talked about the dark web before.
    0:20
    Yes. It's part of the Internet, where people go to do all kinds of illegal business.
    0:25
    So it sounds scary, but, you know, I wanted to actually see what it looks like. Is it all just, like, a black background with red text kind of thing? So I checked in with Michele Campobasso, a cybersecurity expert in Italy, and he actually took me there, specifically to this ransomware site.
    0:40
    What they do is that they have this kind of blog where they post notices for their victims with a countdown of, if you don't pay us by the end of the countdown, we are going to release data.
    0:54
    And what he showed me were these caches of data of high schools, of hospitals, of entire cities that have lost their data because they didn't pay some ransom.
    1:02
    This is one example of how data is breached. There's also malware, deepfake fraud, the big corporate breaches you hear about in the news, and all of it is happening for the purpose of extracting value from your information.
    1:14
    It's a very flourishing market. It works. It just works.
    1:20
    This week on The Indicator, we're bringing you a special series on the evolving business of crime. When it comes to data breaches, that evolution has been supercharged. So today on the show, we look at how that's happening and why you don't have to be a hacker anymore to get into the game. Okay, Wailin, picture this. You're in your kitchen, morning light beaming through the window, plants getting fed. You open a newspaper, and there's a big headline: "Data breach: AT&T sees phone records of nearly all customers stolen." And you're wondering, am I a part of that?
    1:59
    Well, I'm an AT&T subscriber, so probably. And if you want to know for certain if your data was gobbled up, Troy Hunt may be able to help you.
    2:08
    I started the data breach search service Have I Been Pwned.
    2:12
    He said pwned. Okay. I've always wanted to know how that was pronounced, because I only ever saw it spelled P-W-N-E-D, right?
    2:21
    Yeah, it looks kind of like gibberish. It actually is gibberish because it comes from a misspelling of the word "owned" from the video game world.
    2:30
    So when someone's data has been stolen, they've been owned, I guess. Or pwned.
    2:34
    Right. So Troy's company is based in Australia. It's actually a free service that he offers to anyone around the world. Whenever there's a breach, Troy finds the public information and indexes it on his website to let people know if they've had their data stolen. This unfortunately happens a lot, because data breaches happen a lot.
    2:51
    Well, look, I'm receiving data every single day. On average, I would receive multiple data breaches a day. It's a little bit of one of those tip-of-the-iceberg sort of scenarios. We've got 15 billion breached records in Have I Been Pwned, and I'm quite sure that that would be somewhere in the order of 10% of the total number that have occurred over the course of time.
    3:10
    One in five people living in the U.S. have been targeted with malware that steals their information. According to one estimate, in an eight-month period, cybercriminals made $140 million in revenue from selling stolen data products alone. So, yeah, cybercriminals clearly value your information and are getting it.
    3:26
    Okay, Cooper, I'm going to put my personal email into Have I Been Pwned to see, to see if I'm one of those one in five.
    3:35
    I'm curious. Yeah, let's find out.
    3:37
    Okay, here I go. Oh, 26 data breaches.
    3:42
    Okay.
    3:43
    It says, "Oh, no. Pwned. This email address has been found in multiple data breaches." So I scroll down. Oh, Neiman Marcus. When was the last time I shopped at Neiman Marcus?
    3:54
    That was something Troy was saying, actually was that sometimes it just shows up in random things because other data breaches lead to other data breaches.
    4:01
    Ugh. This is all very demoralizing.
    4:03
    I know. We're learning a lot of value. It's like. It's almost like this information shouldn't be made public.
    4:08
    Ugh. Okay, so, like, one of my credentials that has been compromised is for MyFitnessPal, which I don't even remember the last time I logged in or used it or anything. And I don't think that's necessarily that valuable. But it's like cybercriminals just want a bazillion passwords and then hope one of them leads to something of value. That password is one key in a metaphorical pile of keys. Criminals don't know where they lead, but they're willing to try every house and car in the neighborhood until they find something that works. For instance, maybe my MyFitnessPal password is the same as my bank password.
    4:42
    Yes. Hopefully not.
    4:43
    Nope, it's not. Don't even try it.
    4:45
    Do not try it. But look, this market is growing. The U.S. is already on track for a record year in data breaches in 2025. So it's not actually easy to quantify just how many data breaches there are because they're often not reported. But experts agree they've gone up. Between 2023 and 2024, the cost in the U.S. of a data breach has actually increased nearly 10%.
    5:06
    The reason this market is moving like a freight train is because it's hard to protect against. Bad actors are adjusting very quickly. Stuart Madnick is a professor at the MIT Sloan School of Management and the founding director of cybersecurity there.
    5:20
    I often say the good guys are getting better, but the bad guys are getting badder even faster.
    5:25
    So how are they doing this? Stuart says one way that cybercriminals are staying ahead of the curve is AI.
    5:31
    We've seen several examples of how cyber attacks have been greatly accelerated due to AI tools.
    5:38
    A study by IBM found 16% of data breaches now involve AI. Another found that 80% of all ransomware attacks have been accelerated because of it. Stuart tells us it changes every aspect of cybercrime because data collection tasks just become easier.
    5:53
    And you might think this is just for bulk breaches, like recently we saw Ticketmaster or TransUnion. But AI can even help with higher-effort, individual crimes. Take spear phishing. This is a kind of hyper-focused cybercrime where you learn as much as you can about someone and then you pretend online to be their trusted colleague or boss or partner and you impersonate that person and you ask for your login info or to transfer some money.
    6:19
    That takes time and effort. Guess what? AI systems can do that splendidly. Much faster and in many cases higher quality.
    6:28
    And not only that, he says AI offers another: franchising. Hackers are finding what works and then just selling it to other people.
    6:36
    Once I built the tool to do that, it's kind of easy to say for $10,000 or 50% of the gain here, I will give you this tool. So there's a multiplying effect going on on the bad guy world.
    6:48
    Yeah. While once upon a time the darknet was just full of products like credit card and Social Security numbers, there are now more services for sale. It's allowing cybercriminals without a technical background to get into the game too. Anyone can, for example, pay a subscription to license a top-notch malware service.
    7:06
    Franchising also helps criminals because it means they're actually sharing knowledge and collectively learning from it, which they are distinctly better at than their victims.
    7:15
    Cybercriminals are learning faster and adjusting faster. Big companies could certainly learn from other data breaches. But oftentimes they're not desperate to share that they've been hacked.
    7:26
    It's bad for publicity. It raises all kinds of legal issues. It encourages copycats.
    7:31
    Meanwhile, cybercriminals benefit from sharing that information.
    7:35
    The bad guys have huge egos. And number two, they sell the information so I can say, hey, I'm the one who shut down Capital One. And for $10,000, I'll tell you how you can do it to another bank.
    7:46
    Stuart, what are you admitting to us?
    7:48
    Call's coming from inside the house.
    7:51
    Stuart's been to a lot of conferences lately, and he keeps asking rooms full of people if they think the cybersecurity situation will be better, worse or the same in 10 years. 90% say it'll be worse than today.
    8:03
    Doesn't mean we're not going to try to hold back the tide. But the tide is rising against us.
    8:09
    There are plenty of ways to protect yourself. Keep your systems updated, use two-factor authentication, and don't repeat passwords.
    8:16
    You know, but ultimately, experts tell us it's unrealistic to expect individuals to be the ones to go up themselves against these cybercrime syndicates. I mean, it's not reasonable. Governments, businesses and academics, in some experts' opinion, they need to come together to create a more robust solution here.
    8:32
    So stay wary if your boss suddenly asks you to send over ten grand. Maybe double-check.
    8:41
    Tomorrow we're bringing you another episode of the Vice series. This one details how the drug trade is wreaking havoc on the environment. This episode was produced by Corey Bridges with engineering by Cena Loffredo. It was fact-checked by Sierra Juarez. Kate Concannon edits our show, and The Indicator is a production of NPR. Yeah, speaking of, Wailin, could you send me 10 grand? This is not a. Oh, yeah, sure.
    9:03
    What's your Venmo?
    9:04
    Oh, perfect. Okay, it works.
