NPR’s Ailsa Chang talks with MIT professor Stuart Madnick about the frequency of data breaches, and what people should do if their personal information is compromised in one.
AILSA CHANG, HOST:
If you’ve recently received a letter saying your data has been compromised in a breach, well, you are not alone. So far, for the first half of 2024, we are on track for more data breaches than last year. And last year experienced a 72% jump over the previous year. And we’re talking about really sensitive personal information. The background check company National Public Data just confirmed it suffered a breach earlier this year that involved the Social Security numbers of millions of Americans.
So how much should we all be freaking out about this? Well, to help us answer that question, we’re joined now by Stuart Madnick. He’s the founding director of cybersecurity at MIT Sloan research consortium. Welcome.
STUART MADNICK: Glad to be joining you.
CHANG: All right. So I guess my first question is, how concerned should we be about these climbing numbers of data breaches?
MADNICK: Well, freaking out probably isn’t a particularly helpful thing to do.
CHANG: (Laughter) In general, yes.
MADNICK: But it is helpful to understand what’s going on and then understand what you can do about it.
CHANG: Yeah, so why are data breaches getting more common recently?
MADNICK: Basically, the bad guys are getting badder (ph) faster than the good guys are getting better. And so there’s more…
CHANG: OK.
MADNICK: …And more techniques that the bad guys are able to use to get into critical systems and steal the data. And although a lot of efforts are being made by the companies, by the government, by research organizations, it is a arms war, which the bad guys seem to still be getting ahead of us.
CHANG: OK, so then who are the good guys? Like, who’s in charge of protecting Americans from data breaches? Is there a government agency that handles this?
MADNICK: Well, that’s a great subject. What I often use as an example – if there were enemy aircraft flying over NPR, dropping bombs on your studio, you expect the U.S. Army Missile Command or the U.S. Air Force to shoot them down.
CHANG: You would think.
MADNICK: Yeah. When cyberattackers are basically doing the same things, really, you’re largely on your own.
CHANG: Wow. Wait. Why is that? Why isn’t the government on this?
MADNICK: Well, several reasons. First thing, of course, most of the systems we’re talking about are owned and run by private organizations, whether they be health care systems, whether it be energy systems, whether it be your banks and so on. Don’t get me wrong, the government does try to help in many ways, but there’s not a lot they can do in advance.
CHANG: Right. Right, right, right. What about when you receive a data breach notice from a company that you didn’t even know had your data? Like, someone on our staff just received two data breach notices in one week from companies she didn’t even know she had relationships with – Ticketmaster and Change Healthcare. What does that tell you?
MADNICK: Well, first thing, it’s very important – to your point you made, so many of us are dependent upon organizations we never heard of. I think Change Healthcare is a great example because the thing you’re focused on is largely the issue of – I’ll call it – identity theft; someone’s stealing your Social Security number, stealing your password, and that’s obviously a concern. But often, these things have disruptions to your life.
In the case of Change Healthcare, they’re an intermediary between the pharmacies and the insurance companies. So when you go into a pharmacy to have your prescription renewed, they type on their computer, and it says, fine. This drug is normally $150, but you only pay $15 ’cause it’s been approved – they don’t tell you – by Change Healthcare. Change Healthcare goes offline, and you don’t get that approval.
CHANG: Wow. All right. Well, then what should you do when you get one of these notices, because they usually come in the form of a multipage letter listing a gazillion possible steps you might take. And it just leaves me wondering, is this just the company that suffered the breach? Is it just them being overcautious about their liabilities so they’re giving you all the steps that you could possibly imagine that you could take?
MADNICK: Well, as you pointed out, there are certain responsibilities companies have, particularly with the disclosure of private information. And many of them are obviously following what the regulations require them to do. Now, the key thing most of them try to do is tell you to monitor your accounts carefully, check your credit agencies and so on, which is clearly a helpful thing to do and probably something you should do in general. But unfortunately, that doesn’t often stop them having done some damage already. So you have to realize there are risks and behave as cautiously and fruitfully as you can.
CHANG: That is MIT professor Stuart Madnick. Thank you very much.
MADNICK: Thank you much – glad to talk with you.
Copyright © 2024 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
