Equifax Data Breach: The Product

Breach podcast - S2 Episode 2

Featured guests include:

Beverly Harzog
Harzog is a nationally-recognized credit card expert, consumer advocate, and debt coach. Her book, Confessions of a Credit Junkie, is an Amazon #1 Best Seller in three categories: Personal Money Management, Budgeting, and Finance. Twitter: @BeverlyHarzog

Ron Lieber
Lieber is a New York Times finance columnist and author of the forthcoming book “What to Pay For College.” He has previously written for The Wall Street Journal, Fortune, and Fast Company. Twitter: @ronlieber

Mike Litt
Litt is the Director of Consumer Campaigns at U.S. PIRG and has worked extensively for stronger privacy protections and corporate accountability in the wake of the Equifax data breach. Twitter: @MikeLittUSA

Daniel Solove
Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. He is also the founder of TeachPrivacy, a privacy and cybersecurity training company. Twitter: @DanielSolove

John Ulzheimer
Ulzheimer is a nationally recognized expert on credit reporting, credit scoring and identity theft. He is the current President of The Ulzheimer Group and has formerly worked for FICO, Equifax and Credit.com. Twitter: @johnulzheimer

BREACH - SEASON 2 - EPISODE 2
Introducing Equifax

Montage

ALIA: Bob, let me put you in my shoes the day I found out about the Equifax breach -

BOB: Ok

ALIA: Mmkay. It was September 7, 2017. *inhale* Uh, you know what, I’m going to have to pull up my calendar.

BOB: So, you don’t actually remember exactly where you were.

ALIA: No. Do you?

BOB: Uh, yes I do. I was at a happy hour. It was 4:30 in the afternoon and I started getting these text messages, the kind reporters hate to get. I’m already having fun, and like, ah, this news happened, I don’t really need to--I can deal with this in the morning. Nah, it’s not--okay maybe it’s a medium sized deal I can do some--no no no. I gotta go. I gotta go. Drop everything. And then I worked on it for the next 4 weeks.

ALIA: Okay so like my experience was the opposite of that. So it looks like I was in New York um, with my business partner that day and we had meetings back to back to back. So we were like running around New York. He has really long legs so I was running, he was walking. And in the midst of all these meetings I remember getting a push notification from like my New York Times app or something, that said something about Equifax getting breached. And I remember thinking, Oh shit, uhhh….and then like ignoring it and moving on, right? And if I’m being honest the most pressing question wasn’t, “Oh no will I get hacked?” What I was wondering was, “Wait, but who actually is Equifax?” I have heard the name Equifax before, but like, I couldn’t explain to you what they do. They’re related to credit, but what do they do exactly with credit? Unclear.

BOB: This is a huge point. A lot of people’s first time hearing about Equifax was when they were told that their data had been breached, and they find out, “wait Equifax has all this data on me?” But also, and I think most critically, for a lot of people this was the first time they really thought about their credit: why it’s important, and how it works.

ALIA: Before we get into the what and how of the Equifax breach, I want to get into the “who.” Who is this company that lost our incredibly valuable data? Who are you, Equifax? And how come we’ve never met? And what were you doing with all of this info of mine that you lost?

ALIA: I’m Alia Tavakolian - podcast maker, meeting jogger, push-notification ignorer.

BOB: And I’m Bob Sullivan - tech journalist and firm believer happy hour starts at 4:30ish.

ALIA: Last week we talked about why this Equifax breach matters, and next week we’ll get into the incredible details of how exactly this breach went down. This week: we’re getting into Equifax themselves, who they are, how their business works, and how they got our data to begin with. It’s not pretty, but it tells us a lot about why our info might have been left so breachable. Welcome back to Breach, brought to you by Carbonite, how businesses protect their data.

ALIA: Now, I wasn’t someone who hadn’t thought much about credit or how it can screw with your life. I have a crazy 10-year-long battle with credit because my identity was stolen as a teenager, and even in all those battles and all those phone calls, I still don’t actually get this universe!

BOB: Which I think really says something! I’ve been writing about this for 20 years, and I don’t really get this universe.

ALIA: It’s one of the first questions we asked our friend Ron Lieber from the Times -

ALIA: So like I'm going to ask you the really dumb question. Ron, what's Equifax?

RON LIEBER: First we need to rid you of the phrase “dumb question.” It does not belong in anybody's vocabulary and in particular it does not belong in anybody's category who is asking about personal finance.

ALIA: This episode’s theme: no dumb questions about credit. Let’s get into it:

ALIA: Ron, here's my very serious question. That is not at all dumb. What the fuck is Equifax?

RON LIEBER: Equifax is a massive container of information that various companies access to check up on you when they're deciding whether or not to do business with you. And it turns out that all of the companies that you've done business with, especially ones that you've paid money to say on a regular monthly basis, they all report in every month. And so all of that stuff gets recorded in these giant databases, and then they get organized and regurgitate it in various ways for other companies who want to check up on you. The technical term for what they do is that they’re Credit Reporting Agencies, credit bureaus.

ALIA: And Credit Reporting Agencies have a particular clientele whose money and trust they want to keep.

RON LIEBER: One of the biggest problems here is that Equifax’s customer is not me and it's not the two of you. Their customer is American Express. Their customer is Bank of America. Their customer is Verizon, right? The people who are paying Equifax money are the people who want the credit data. So they had no particular interest in satisfying our concerns after the breach. They weren't going to lose a bunch of money from us. In fact, they were going to make money because some of us were paying money for credit freezes.

ALIA: So that’s Credit Reporting Agencies - what Equifax is - but the credit industry is a lot bigger than just CRAs. There are all these other players you’ve probably heard of more than Equifax.

BOB: [Singing] Freecreditreport.com, they should have seen it coming at them like an atom bomb.

[Credit monitoring song] They monitor your credit and send you email alerts, so you don’t end up selling fish to tourists in T-Shirts.

ALIA: Or maybe you looked into your credit via CreditKarma, or VantageScore. Those companies offer credit scores, which aren’t credit reports. I get that they’re different things, but how are they different things? Not-dumb-question: What do credit reports and credit scores do differently?

JOHN ULZHEIMER: So it's interesting that you ask that because a lot of people mistake those two things as if they were one and the same and they use the two terms interchangeably.

BOB: This is my long-time friend and source John Ulzheimer. He’s an expert in all things credit score.

JOHN ULZHEIMER: And so my professional background consists of 28 years of consumer credit experience with time spent at both Equifax and FICO.

ALIA: Okay well I want to introduce you to my brand new friend who I met on the internet, Beverly Harzog

BEVERLY HARZOG: I'm Beverly Harzog and I'm a consumer finance analyst and credit card expert for U.S. News & World Report.

ALIA: While John knows credit from working in the industry, Beverly became an expert a different way. She was a CPA in her twenties and racked up a ton of credit card debt.

BEVERLY HARZOG: Back then credit was really easy to get. I mean, if you could breathe, you could get a credit card. [laughs] And I got seven cards and maxed them all out.

ALIA: Then lost all access to credit.

BEVERLY HARZOG: You know, here I am, successful at work and a disaster in uh money management for myself, very embarrassing.

BOB: You know how many therapists became therapists and their interest in psychology comes from the fact that they were struggling themselves? Credit is exactly the same way.

BEVERLY HARZOG: I'm very passionate about educating consumers, because I know what it feels like to be in debt. I really do.

ALIA: So now we’ve got two stellar credit experts here to educate us, and we can tag team them in. Our question: what’s the difference between credit scores and credit reports?

BEVERLY HARZOG: Okay, that is a great question because most people think that their credit score is going to be on their credit report and it isn't. These are two completely different things.

JOHN ULZHEIMER: And the best way to answer that question is with an analogy or a comparison. So your credit report is like the test you took. Your credit score is the grade you got on the test. So think of it that way.

BEVERLY HARZOG: Yeah. I love that. It's kind of like a report card, uh, so you can get an idea of how your credit health looks and that's very important.

ALIA: If you want to take a look at your credit-report-card, you can get…

BEVERLY HARZOG: One from each bureau for free every 12 months from AnnualCreditReport.com. That is the federally authorized official place to get your free credit report

ALIA: Your credit score is separate.

BEVERLY HARZOG: So the score is based on whatever is in your credit report at that moment when they pull the score. So that's how they're connected.

BOB: There’s two main entities calculating your credit score.

ALIA: FICO and VantageScore

JOHN ULZHEIMER: Collectively, those two companies, um, have almost 100 percent of the credit score market in the United States.

ALIA: So two new characters enter the credit world, they’re credit scoring companies: FICO and VantageScore. And in order to calculate my score, they need a bunch of my info, so they read through the report pulled from a Credit Reporting Agency.

BOB: From one or more of the Big 3 Credit Reporting Agencies: Experian, TransUnion, and our favorite, Equifax.

ALIA: How do FICO or VantageScore calculate my score?

BOB: Well It’s still kind of a mystery.

ALIA: Really?

BOB: Yeah. Each agency’s algorithm is proprietary information. They don’t have to share it.

ALIA: Then how do we know they’re not just randomly generating numbers?

BOB: Well, that’s a very good question, and we don’t know. Um, they give us these vague ideas on how it’s done, and you know, basically if you pay your bills on time your score is good, but really the secret sauce that goes into calculating that number that’s so important to you? It’s the secret sauce.

ALIA: That seems wildly unfair. But okay, sure, I’m tracking.

BOB: Say someone applies for a loan from a bank for a house.

BEVERLY HARZOG: 90 percent of lenders uh will pull a FICO score when they need your credit score. So they're, you know, they're the big guys in all this.

BOB: The bank wants Roger’s credit score. FICO needs to calculate his score, and makes a request for his credit report, let’s say from Equifax.

ALIA: Okay I’ll play the role of FICO. Producer Jan, can you be Equifax?

JAN: I love a good morally complicated character. I will gladly play the role of Equifax.

ALIA: Bless you.

BOB: And I’ll be the bank.

Phone Rings

BOB: Hey, should I give Roger a loan for a house? Is he trustworthy? FICO, what’s his score?

ALIA: Hey bank, I’m FICO and I’ll get you that score ASAP. Hold, please. Hey Equifax, you have a juicy credit report I can read and calculate a score from using algorithms I won’t disclose?

JAN: Yeah, absolutely. I got this whole credit report on Roger Golightly. I know everything about him, and I don’t feel weird about it cause I’m a Credit Reporting Agency, and that is my job.

BOB: Then your info is shared -

ALIA: Did Roger default on his credit card payment?

JAN: Yes.

ALIA: How’s that car loan going?

JAN: Pretty good, except for this one month.

ALIA: How’s he doing on his student loans?

JAN: Oh. It’s really bad. Look at all this.

ALIA: Yikes, I just dropped 120 points just looking at that.

BOB: FICO runs its algorithm -

ALIA: [Sings The William Tell Overture]

BOB: FICO quantifies all this data about your life and financial choices and reduces it to one score, three digits.

ALIA: Ta-da. We’ve got ourselves a 590.

BOB: They hand that to the lender, that’s me. And I would say, “Ah. 590. Roger, you’re going to be renting for a while.”

BEVERLY HARZOG: And that’s going to give you one score. If they pulled a VantageScore, you'd have a different score based on those numbers because the algorithms are a little bit different.

CAROLINE: Hey I’m VantageScore - and I actually think Roger has more like a 610.

BEVERLY HARZOG: What comes to mind is like, you know, FICO is kind of like the sun.

ALIA: So are-could we, could we say, could we, could this metaphor be that FICO is the sun and the three big credit bureaus, um, are sort of like planets.

BEVERLY HARZOG: Yes. Now we're getting a couple of smaller suns too, like VantageScore.

ALIA: Right!

BEVERLY HARZOG: The orbit keeps getting bigger and bigger. But uh, Equifax definitely is a major, major planet.

ALIA: Bob are you proud of me, I metaphor’d.

BOB: [laughs] Very proud.

ALIA: In a little bit, we’ll get into how Equifax’s day-to-day data-collecting is super sketchy, even when they’re not being breached. But first, I need a brain break.

ALIA: Now that we better understand the relationship between credit scores and credit reports, and the big 3 planets (Equifax, Experian and TransUnion) - let’s take a brain break and see how Kelly’s doing, she’s on the quest to find *ALL* the credit reports that exist on my buddy Scott Mosher. To do that, she’s trying to track down the tons of other, specialty credit reporting agencies that have data on us. I guess they’re smaller planets orbiting around the Big 3. Moons, maybe? Tons of asteroids? These specialty reporting agencies are a lot harder to pin down.

KELLY: Kelly here, checking back in on our credit reporting exercise. As a reminder - we’re on a quest to find ALL the credit reports that exist on one person. We want these reports because, if big companies can access information on me, shouldn’t I be able to check if it’s even accurate? In order to find all the reports, I called credit-lawyer Joel Winston to find out just how many we’re talking about.

JOEL WINSTON: That is a good question that I’m not sure anybody quite knows the answer to. There are an estimated 400 to 500 of these specialty credit reporting bureaus on the low end. We have a list maybe of upwards of 75 or so. Um…

KELLY: These are specialty credit reporting agencies. They collect info for more specific industries.

JOEL WINSTON: ...medical records or payments, residential or tenant history, check writing history, employment history, insurance claims.

KELLY: Under the FCRA, these specialty credit agencies aren’t as heavily regulated as the Big 3. Joel told me a lot of these places only provide a voicemail box where consumers are asked to leave...

JOEL WINSTON: Your name, SSN, date of birth, address, and other identifying information, all on what they call a secure voicemail line.

KELLY: Oh my goodness.

KELLY: Nope. That’s shady. I wouldn’t call a random voicemail box and leave my social security number, so I’m definitely not going to do that with Scott’s. Plus, apparently they just call you back after that voicemail and tell you to submit a form anyway. So to get all of Scott’s credit reports, I’m just going to skip that voicemail step, fill out forms for each of these specialty credit reporting agencies, and mail them.

JOEL WINSTON: So they are required to respond within fifteen days.

KELLY: The question is: will they respond by actually sending us Scott’s report. They might. Or, Joel says, they might respond and say, “We don’t have his report.” Now sometimes they actually don’t have a report, but other times...

JOEL WINSTON: Other times, they do have-the information is at their fingertips, and within two tenths of a millisecond they can access it in their computer databases.

KELLY: Like, they have all your credit report info in their system, they just haven’t been paid by any company to hit PDF and print yet. That’s what they mean when they say they don’t have a report.

JOEL WINSTON: They’re preventing these people from seeing their reports until somebody else pays them for it, even though they have the information on hand or on access.

KELLY: Of the maybe 500 specialty reporting agencies that could have reports, printed or not, Joel honed in on the 45 most relevant ones for Scott’s life. He emailed us those forms, Scott filled them out, and so my next step is the post office.

ALIA: Welcome back! We’ve been learning about Credit Reporting Agencies, and how Equifax functions as a major player in this world. And now, their creepy business model. It has a lot to tell us about how they treat our data.

BOB: This is former Equifax CEO Rick Smith speaking at UGA’s Business School.

RICK SMITH: I should have told you something like that I think is pretty interesting. It's unlike any business model I've ever seen. If you're interested in business models and I know this is a business group here, is: you think about our business, our cost of goods sold, is our data right? Our data's free. There's some instances where it's not free, but by and large it's free. We take those PHDs I talked about. We take the technology platforms, AI and others, we create value. We sell back to those who gave us the data for a gross margin of about 90 percent. That's a pretty unique model. [laughs]

ALIA: That speech was given…

BOB: August 7th, 2017. You know, reports say the Equifax C-suite was all notified of the breach by the end of July. (UPDATE 3/13/2019 - Bob should have said Aug. 17, 2017, and should have said some, not all, of the Equifax C-Suite notified by the end of July. We regret the error.*)

ALIA: So he already knew about the breach when he gave this business-school talk, but hadn’t announced it yet. That’s gross.

BOB: That’s their business model. They view all of us as a resource to be mined, that they then churn up and sell for money, but remember the resource, our data, is free to them. And if you get something for free you certainly don’t take very great care of it. The business model of Credit Reporting Agencies really doesn’t apply any need for security.

ALIA: Well, great, I love being a product.

ALIA: People have felt weird about this set up in the past. Or, rather, the law has intervened when Equifax hasn’t treated its products (us) very fairly. There’s the Fair Credit Reporting Act of 1970 - which many feel was passed in direct response to Equifax “going digital with records in the 1960s.” They went by RCC and then changed their name. This act did things like: open these credit reports to the public so we could see what was on them, make Credit Reporting Agencies get rid of that gross information on race, sexuality and disability, and more.
Fast-forward to 1995 - the Federal Trade Commission investigates Equifax for violating the FCRA. They got in trouble for keeping tons of inaccuracies on people’s reports, even after people successfully disputed those inaccuracies. And grossest of all, to me: giving away our credit reports to those who didn’t have a “permissible purpose” for them under the Fair Credit Reporting Act.

BOB: They were investigated by the Federal Trade Commission for basically not doing all the things that the law in 1970 said they had to do.

ALIA: And most recently in 2013, a woman named Julie Miller sues Equifax when she’s denied two requests for credit, because Equifax kept mixing her credit report with another Julie Miller’s. She wins eighteen million dollars, maybe the biggest win against a credit bureau, ever.

ALIA: So not only are they taking our credit info for free and making a profit on it. It sounds like they’re not even good at keeping it accurate. These are 3 legal battles not only about the creepiness of harvesting our info and sharing it, they’re also about just getting our information right.

BOB: This is a classic broken market just a fundamental problem with the business model. Barring government regulation, legislation, or a big lawsuit that costs them hundreds of millions of dollars, there is no incentive for them to fix any of this.

ALIA: I don’t like this!

BOB: Uh, nobody does, except maybe for Equifax shareholders.

ALIA: Why do we keep these companies around?

BOB: They do serve a really important function in the credit world. As we learned in the first episode, if there weren’t some way to background people before lending them a lot of money, banks would lose a lot of money, and the whole credit system would slow down.

ALIA: Weeks after the EFX breach, our friend from the Times, Ron Lieber was hearing from readers who didn’t like this either. He was getting questions like…

RON LIEBER: How could I wreak the same havoc for them that they did for me? And I didn't have a good answer for them.

BOB: Other than…

RON LIEBER: They don’t like credit freezes. Freeze your credit no matter how hard you need to try, because that just makes them mad. Right.

ALIA: Real quick. A credit freeze makes it so no one can access your credit report. Not a bank. Not a criminal. Not even you, until you unfreeze it. It requires a whole process.

BOB: But suggesting a credit freeze, that was really the best Ron could do.

RON LIEBER: But then I had an idea. I happened to be surfing through my old pal Bob Sullivan's blog posts on the matter and he had a post about something called the work number. So it turns out that Equifax is also in the business of keeping track of your employment data and even your salary. And the use case for this is as follows, right? You have a full time day job and you're applying for a mortgage

BOB: And the mortgage company wants to call your employer and confirm that the information you provided isn’t falsified. Stuff like: you do in fact have a job there, your pay stub is accurate. And so someone had the bright idea of automating this process, started a company called “The Work Number.” And the HR teams at large companies were more than happy to no longer have to field all these calls. And then this company got big enough that Equifax bought them. Tons of large companies use this Equifax Work Number service.

RON LIEBER: And so I looked at that and I thought, wait a second. I'll bet that most of the employees at these large companies have no idea that their employer is sending their salary data every single freaking week to the very company that just screwed the pooch! What’s going on here? This is crazy! And I thought at my highest and best use to the world, I'm not just the personal finance columnist, I'm a personal finance performance artist. I'm a stuntman. Right? I was like, huh, I'm going to call my HR office and demand that they fire Equifax. I’m pretty sure I sent them an email at first and I said, you know, as you know, there's been this terrible breach. The, the company has performed very poorly in the wake of the breach. It's pretty clear now that these people are not to be trusted and yet you all are sending our salary information and our employment information to them on a regular basis. Um, I don't think we should be doing that anymore. They have proven themselves not to be trustworthy and I'd like you to fire them. And they did. I'd like to say that it led to, you know, half of the Fortune 500 getting rid of the Equifax Work Number product. I don't think that's what ended up happening, but it still felt like a victory to me.

ALIA: So we’re stuck with Equifax in many ways. We can’t fire them personally, or take our records back from them. Ron looked into that for readers.

RON LIEBER: Turns out you can't quit. Right? You can't wipe your file clean. They won't let you do it.

ALIA: But big companies, their real customers, could make them pay by firing them or refusing to do business with them. Ron checked in with financial services companies in the weeks after the breach.

RON LIEBER: Are you tempted to just stop doing business with them? Just like stop reporting monthly payment data to them? And nobody would talk about it on the record. Um, but it was pretty obvious that they didn't feel like they had any choice either.

ALIA: Because each of these Big 3 reporting agencies are so riddled with errors, a lender might need all three reports - Experian, TransUnion, and Equifax - to even get an accurate read on one of us.

RON LIEBER: So not only are we stuck with Equifax, but all of the financial services companies are too.

BOB: There’s a third kind of service Equifax offers other than one, credit reporting and two, tons of other services for big businesses, and that’s, ironically, information protection. Something they offered to consumers after the breach.

ALIA: Equifax offered a handful of services after the breach, but none of them good enough according to our friend Mike Litt and his colleagues over at US PIRG. They offered stuff like free credit monitoring for all three bureaus for a year and a service to scan your Social Security Number on suspicious websites. Which sounds good, but that stuff just lets you know after someone does something fraudulent. A credit freeze would prevent someone from doing fraudulent stuff to begin with. Equifax got called out for not offering good enough stuff, so they came up with something called a “Credit Lock.” It would give consumers the ability to lock and unlock their credit. Which sounds just like a credit freeze. Guess what, it totally isn’t. A “credit lock” is an agreement between you and the company. It’s not regulated by the government the same way. There can be fine print that lets a company like Equifax off the hook. And, something that drove Mike from US PIRG crazy...

MIKE LITT: They one, don't explain that if you get a lock or a freeze with your Equifax report, you need it with the other two bureaus, because basically getting it on just one is like locking your front door but then leaving your garage and back doors wide open.

ALIA: So they offer stuff that sounds nice but is not as effective as a credit freeze. Then they offer something that sounds like a credit freeze but isn’t as good as a credit freeze. So if you really wanted to protect yourself, you had to buy a credit freeze. That’s right: buy. In most states at the time of the breach, it was legal to charge us a fee if we wanted to get a credit freeze. Which means, Equifax had the opportunity to make money off of their own breach. Thanks to the work of folks like Mike’s colleagues at PIRG, and people pissed off at Equifax for these shenanigans, a lot of momentum leads to a federal law mandating free credit freezes several months after the breach. But in the meantime, when we were most vulnerable… damn. That’s shady, Equifax.

BOB: Now for those who didn’t trust Equifax or want any of their services after the breach, there were a lot of companies offering these consumer security services that weren’t via Equifax. But LifeLock specifically marketed hard in response to the Equifax breach. But LifeLock used Equifax credit reporting as part of their monitoring. So in other words, Equifax screws the pooch, you turn to LifeLock, you pay them good money to protect you. But then LifeLock uses Equifax to give you that protection. Round the rosy we go.

MIKE LITT: So when I think about, you know the fact that they failed to provide clear information to people, and that they're now making money off of being unclear about the information that they didn't provide the tools needed, that there hasn't been you know, meaningful action, it all makes me angry and I think people should be angry.

ALIA: Let’s take another quick brain break, see what Kelly’s up to.

KELLY: Kelly, here! After consulting with my BFF Joel, our initial quest to get all the credit reports that exist on one person, Scott, has turned into a quest to get about 45 credit reports on Scott. That’s a lot more mail than I’m used to dealing with, so I enlisted the help of Associate Producer Caroline, made copies of Scott’s most valuable info, and then went to the post office.

CAROLINE: I’ve never held anything more than I’m holding these papers.

KELLY: Like, I can hear like, Final Destination music in my head as I’m in this three minute walk to the post office.

KELLY: We used priority mail and certified mail, because I didn’t want to pull an Equifax and lose Scott’s most important information. I wanted to track it! And we got to work hand-writing the addresses of each of these agencies on a huge pile of envelopes.

CAROLINE: Is your hand tired, yet?

KELLY: Yeah

CAROLINE: 643

KELLY: We started this as a quest for all of Scott’s credit reports. Now we’re down to 45 of them, but in 15 days, hopefully we’ll at least get a peek behind the curtain of these shady-only-have-a-voicemail-box specialty credit reporting agencies. And now: we wait.

ALIA: Hey Bob

BOB: Hey Alia

BOB: This is Breach.

ALIA: Okay the next question I want us to look at. The most valuable information Equifax had on me: my Social Security Number. Why does it matter that they lost it? Like, I know I should care about not giving away my Social Security Number, but… why? My Social Security Number is a secret, until I have to do anything -- fill out any form, apply for any job or any school, or do any financial transaction, or go to the doctor. It’s a big secret that I’m supposed to put everywhere?!

BOB: You are onto something -

DANIEL SOLOVE: The social security number is the worst password ever created.

BOB: This is Daniel Solove, who I call the father of digital privacy law.

DANIEL SOLOVE: I'm a law professor at the George Washington University Law School and I teach and specialize in privacy and security law.

BOB: And in terms of privacy and security, Social Security Numbers fail.

DANIEL SOLOVE: It's bad because first of all, it doesn't even qualify under the, requirements of a decent password. It's just a set of numbers. Most passwords have to have a mixture of numbers and letters and special characters. Um, also, what makes it particularly bad is it's not a secret. In fact, everybody knows it. You can buy someone's security number, um, from companies. It's not illegal to sell them.

BOB: This little string of numbers was never intended to be a secret password.

DANIEL SOLOVE: Social Security Number was never designed to be used as an authenticator. It was basically designed as a differentiator. It was designed to separate out all the people with the same name.

BOB: That’s all it was supposed to do. There were two Bob Sullivans born this year, make sure you don’t mix up our Social Security accounts. Give each of us our own number.

DANIEL SOLOVE: And what makes them even, you know, absolutely ridiculously bad as a password is that they're very hard to change.

ALIA: The password you can never change, even after 145 million of them were hacked.

BOB: A password that was never even intended to be a password granting so much access to your identity.

ALIA: And of course it wasn’t just your Social Security Number that was lost. Here’s the Personally Identifiable Information Equifax has reported was stolen in the breach. All in all, about 148 million people have been screwed over, including:

BOB: 146 million people’s full names and dates of birth

ALIA: 145 million people’s Social Security Numbers

BOB: 99 million people’s addresses

ALIA: More than 20 million people’s genders and phone numbers

BOB: 17 million drivers license numbers

ALIA: And 1.8 million email addresses. God that is so much.

BOB: That’s a lot of data.

ALIA: But like, okay, we haven’t even gotten into the way Equifax was breached. But, like, everything we’ve talked about today about the credit world. Like, already on a normal Equifax business day I feel really uncomfortable with the way they’ve treated my data. Like, in terms of the murder mystery of our privacy, they were already stabbing the hell out of my privacy before the breach, right? And then they let this happen?

RON LIEBER: I long ago stopped worrying much about my own privacy. I just assumed that somebody somewhere, at least once the Internet came into existence, you know, was always going to have more information on me than I thought. Now on a more micro level, in terms of talking about credit, I actually think that under the best of circumstances, this is a reasonably fair trade, right? You track me and I get instant access to credit.

ALIA: After a day of these interviews, learning how shady this all is and how I can’t quit even if I want to, I disagreed. The trade-off did not seem worthwhile. We got on the phone to debrief with our Producer Jan, and things took an angrier and, I’ll admit it, pettier turn than usual.

ALIA: I’m looking at a picture of Richard Smith, and I gotta point out - this guy - he looks like Lex Luthor. He looks like a villain to me.

ALIA: Okay not my best, or most rational moment. We have tons of factual evidence pointing to why this system, and Equifax itself, is not set up to protect us. But it wasn’t about just that anymore. It was all just feeling super personal to me. And I felt like Equifax was a bunch of villains who didn’t care about me. And then Jan jumped in.

JAN: Is there a person who could come to a different conclusion other than Equifax actively hates their consumers, doesn't care about them at all, and is the villain? Is there a person who could logically come to a different conclusion?

ALIA: No. I don't know how you, how you come to a different conclusion other than they failed. Capital F failed. I can't see the other side of this where somebody thinks that they did a good job and they really clearly cared about consumers when all this went down.

BOB: I mean, I think the other side of it systematically, the fact that a stolen Social Security Number is valuable at all, isn't Equifax's fault. That's--

ALIA: That's true.

BOB: --that's the fault of the entire way that we do things here in America. And that's what needs to change.

JAN: I think my point is, so hypothetically if I worked at a podcast company…

ALIA: Uh-huh.

JAN: … and I found out that my wonderful thoughtful boss who co-hosts a podcast was keeping my Social Security Numbers in a folder in Google suite, wouldn’t that demonstrate that this isn’t just an Equifax problem?

ALIA: Hypothetically yes.

JAN: So my boss who I work with in this company is a great person. But it’s a, it’s a company problem that you have to have these super valuable things at your fingertips, that you use them so often, right?

ALIA: Sure, but your hypothetical sweet baby angel boss isn’t profiting off of that data.

JAN: That’s a wonderful point. That’s a wonderful point. But you said they don't care about us. That's different than they failed us. Companies fail us, and I don't think that they don't care about us.

ALIA: I think if Equifax really cared about consumers, they would introduce themselves. You know, like a polite person introduces themselves. Um, an impolite person does not introduce themselves but proceeds to take photos of you from across the room. And then you find out five years later, oh my god, they have all these photos of me. Oh my god, they have all this information about me. A polite person, or a polite business, in my opinion, would say, hey, we're going to take these photos of you and we're gonna gather all this information about you, but this is so that you can buy a house one day.

JAN: Alia, you expecting, demanding, or wanting a company to politely introduce itself to you before it mines you and takes its data from you is a really different expectation than what I heard from Alia who first got a goodbye from Yahoo voicemail and was like, well, there's nothing really that important in my Yahoo.

ALIA: Sure. I think now that I know the kind of data that companies have on me, I have higher expectations of them. Do I expect them to like break every single painstaking data point they have about me down and make it super plain and obvious? No. But I do, I do expect to at least know who they are. That's what I expect. And you know what? I didn't… in season one, I absolutely did not have that expectation, because I didn't know. I just didn't know.

ALIA: To add to our existential credit despair. If you’re like me and have ever experienced identity theft that affected your credit report, you know how much work it takes to prove you’re you. You have to upload buckets of PII to prove you are who you say you are, those debts aren’t yours, that you were the victim of identity theft. And there’s one spot where you do that: The Dispute Resolution Portal.

BOB: Very important, that’s the place where you get to demand your rights, demand fairness, you can fix a mistake, it’s required by law, passed by Congress. That’s where, if there’s any fairness at all in the credit reporting, that’s where it happens. The Dispute Resolution Portal.

ALIA: Turns out, that one government-mandated spot of fairness on Equifax’s website? That was the open door hackers used to get into Equifax, steal 145 million of our Social Security Numbers, and pull off the worst breach ever. Now that we’ve covered who Equifax is and what was stolen, next week: all the juicy details of exactly how hackers executed this breach. How they got in, what they found, how they went unnoticed.

BOB: We’re joined by the two guys who literally wrote the report on everything that went wrong at Equifax.

ALIA: And it’s just like a perfect storm of errors.

BOB: But while that certificate was not up to date, this traffic was not being inspected.

NICK: That's right.

BOB: For a year.

NICK: Yeah.

ALIA: We also talk to the one human error blamed for all this in the Congressional hearings.

GRAEME: I remember that date well, because it was my birthday.

ALIA: That’s next week on Breach, brought to you by Carbonite. Breach is a branded podcast brought to you by Carbonite in partnership with Midroll and Spoke Media. You can find transcripts and show notes at carbonite.com/breach. Follow along on Twitter. We’re @breachpodcast.

If cyber security reporting were solving crimes in Brooklyn’s 99th precinct, Bob Sullivan would be the diligent Captain Holt, and I would be the human form of the 100 emoji, Gina.

If you think our show is 100, or even 9-9, consider taking our survey. We’d like to learn more about you, our Breach listeners, and what you’d like to hear about on future seasons of Breach. Please go to podcastsurvey.net to take a quick, anonymous survey that will help us understand what data security topics matter to you. Once you’ve completed the survey you can choose to enter for a chance to win a $100 Amazon gift card. Terms and Conditions apply. Once again, that’s podcastsurvey.net. Thanks for your help.

Our show is executive produced by me, Alia Tavakolian, and produced and written by Janielle Kastner, aka “Producer Jan,” with Associate Producer Caroline Hamilton and Production Assistant Kelly Kolff. Research by Haley Nelson. When Bob and I are in the studio we’re recorded by Casey Holford and Jared O’Connell. Today’s episode was mixed and sound designed by Evan Arnett. Our head of Post-Production is Will Short. The songs you hear come from APM Music and FirstComm. Our executive producer is Keith Reynolds, who wishes he was as badass as Rosa Diaz. Special thanks to the folks you heard today: John Ulzheimer, Beverly Harzog, Mike Litt, Ron Lieber, and Daniel Solove. And thanks to our valiant Credit Report Volunteer, Scott Mosher, and to Joel Winston, the best Credit Reporting Guide we could have asked for.

*CORRECTION: In the discussion of Rick Smith’s speech at UGA’s Business School, we incorrectly state the date of that speech as August 7, 2017. Smith’s speech was given on AUGUST 17, 2017. In that discussion we also incorrectly state that the Equifax C-Suite was all notified of the breach in late July. Only some executives were notified then: Chief Security Officer Susan Mauldin, Chief Information Officer David Webb, Chief Legal Officer John Kelley, and Chief Executive Officer Rick Smith knew of the security incident in late July (according to the U.S. House of Representatives Committee on Oversight and Government Reform report of December 2018). The broader C-Suite was informed that consumer data had been compromised on August 17th, the same day as the UGA speech, when Smith held a senior leadership team meeting. Smith states that on August 15 he was notified that PII had “likely” been taken (according to Rick Smith’s written testimony for the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection on October 3, 2017).

Episode 2 of Breach Season 2 examines Equifax’s business model, how it collects data, its customers, and its product—your personal information. It also takes a closer look at Equifax’s history of consumer rights violations and lawsuits, explains why the company has little incentive to ensure that your data is secure, and how they indirectly profited from the breach.

You’ll also learn about other major players in the credit reporting space, how credit reports are compiled, how credit scores are calculated, and the reason there is a need for multiple credit reporting agencies. The answer may surprise you. Hint: It’s not confidence inspiring. Additionally, you’ll find out why Social Security Numbers are “the worst password.”

Beyond the Breach: S2, E2: Alternative Credit Reports

Most people know that they have three credit reports (Equifax, Experian, and TransUnion), but that’s just the tip of the iceberg. There are actually hundreds of additional credit reports out there that people don’t know about. Alia and Bob discuss an experiment they conducted with these “alternative” reports while researching Season 2.
