BREACH - SEASON 2 - EPISODE 1
ALIA: When you make a podcast about history's most notorious data breaches, one of the terrifying realities is that there is an abundance of options to choose from.
BOB: A disillusioning embarrassment of riches.
ALIA: There are the breaches that have massive global political impact.
BOB: Breaches that intimately affect our bodies and our health records.
ALIA: Breaches that feel especially intimate in other ways.
BOB: History is being written right now with each new push notification.
ALIA: And with each new breach, a different facet of our digital identities is made vulnerable.
BOB: But what about a breach where the data lost was so valuable, so inherent to our personal wellbeing, that many consider it the worst breach ever?
RON LIEBER: We'd all always wonder, sometimes over drinks or just in idle moments, what would happen if there was a breach at one of these places? It would be the mother lode.
ALIA: What if the best, most useful information about you was taken? What if what was at stake was your name, your identity, you?
JAN: Hey, Bob. Hey Alia.
JAN: Welcome back in the saddle, season two!
BOB: Season two!
ALIA: Glad to be here. This is our producer, Janielle Kastner, aka Producer Jan.
JAN: And before you guys dive into it and tell us about the worst breach ever, first I'd like to tell you two a story. It will help, I promise.
BOB: I love stories.
ALIA: Yeah, I'm here for this.
JAN: It's a beautiful story about the birth of a magical something I just started learning about called credit.
ALIA: Oh dear God.
JAN: Long ago in a faraway land - America as early as, like, the 1800s - all kinds of people were doing business: farmers, and merchants, and other people, I assume, but I'm mostly thinking about the farmers and the merchants. Now imagine one of these farmers goes into a shop and needs to buy something. Bob, I want you to play the farmer. Pick something old timey sounding.
BOB: Two skeins of yarn, please.
ALIA: Sure thing, yeah. That'll be, uh, 55 pence.
JAN: But this farmer's grain, let's say he's a grain farmer, hasn't grown in yet. He needs a few weeks to harvest it all and sell it in order to get the...50 pence?
ALIA: 55 pence.
JAN: 55 pence. But the merchants says, “You know, no problem. I want to bolster my business and sell you things, too. So, why don't I give you your yarn now, and you can pay me back later when the harvest comes in?” And suddenly this useful new space opens up where both people can economically succeed. They call it, Credit.
ALIA: Pretty easy-breezy.
BOB: Not so easy, or breezy.
JAN: ‘Cause then, over time, banks began overextending credit like crazy, which in part leads to the panic of 1837.
JAN: That's how I imagine economic panics.
BOB: Spot on.
JAN: Thank you.
ALIA: Nice. Nice work.
JAN: And you know who also panicked? All these merchants. They realize after that that they need a way better guarantee they'll get paid back when they extend credit to people. So from then on, when someone asks for credit, merchants start asking around about that customer, consulting that customer’s friends and fellow townspeople about their reputation to determine how much, and for how long, credit should be given. A report, if you will, of a person's credit.
ALIA: So it's sort of like they're asking for a reference.
JAN: Exactly. And it feels kind of quaint, right?
JAN: A bunch of neighbors, people who live by you, who are raising kids by you, holding each other accountable to be their best selves, and being rewarded for being upstanding and trustworthy, and having personal integrity. But, when you actually dig into these early credit reports, they were essentially a collection of rumors about customers’ reputations, stories about customers’ relationships, their sexual deviances, and, quote, “trustworthiness,” which of course is measured by really racist assumptions and completely subjective rulers.
ALIA: That feels awful.
BOB: And, awfully human.
JAN: Yeah, it's humans up and down this whole thing. Like most useful new things (I’m thinking of Prometheus giving humans fire), credit reporting becomes corrupted by gossip, and classism, and racism, and sexism, and homophobia….
ALIA: Quote, “Peter Mullen has done business in the same store for the last 35 years and made some money; owns a lot in Chicago, heavily mortgaged; is the oldest of two children; has lately married his second wife; is professionally a Methodist; and enjoys a general reputation for honesty,” end quote.
BOB: This sounds like things you would say about somebody at a bar next to you.
ALIA: “A general reputation for honesty.”
BOB: Yeah, like, “Hey, Alia - I think she just got married to her second husband, and she mostly pays her bills, but there was that one time...eh, people say...I don't know. Anyway….”
ALIA: Quote, “Prudence in large transactions with all Jews should be used,” end quote. Oh my God. Okay, here's another one: quote, “Honest and likely man, but not attentive to his business; is a singer, which takes up too much of his time; should be watched a little.” This sounds like you, Bob.
BOB: You know it's probably right.
ALIA: Quote, “Rich in property, much in debt; a good fellow, poor manager; fast liver, slow pay,” end quote.
BOB: “Fast liver, slow pay.”
ALIA: What does “fast liver” mean?
BOB: I think I can guess.
ALIA: Does he have a fast liver or does he live fast? Quote, “Matters seemed to have turned out well; there was a report of his doing badly,” end quote. What does that mean? Does that mean he, he did something, like, committed a crime?
JAN: I don’t know, but here's how the sentences, uh, updated later in his little credit report:
ALIA: Quote, “Hung himself, cause unknown; many think embarrassed circumstances,” end quote.
JAN: So yeah, it's all really personal, and some of it very gross.
ALIA: And people feel weird about that, right?
JAN: Yes, there is some outcry and justifiably so. And also concerns are raised because, even if they're collecting inoffensive things about you in this credit report, it's still essentially spying.
How can collecting information on a consumer's private identity, especially without their knowledge, be conscionable?
ALIA: Or credible.
JAN: Right. But at least you could sleep well at night, Alia and Bob, knowing that this collection of your deeply personal information, this credit report, is safe - as long as at least one person is keeping a close eye on the one big ledger book in which it is written. There were rules about what you would have to do if you wanted to access that book as a, you know, lender. The subscriber to your credit would show up at the office in person or through a confidential clerk, and submit a ticket to see the book.
BOB: That book could be set down, quote, “on the inside of a raised desk at an angle of about 40 or 45 degrees, so that the person on the outside is not in a position where he can read from it.” An employee would then read the relevant ledger entry aloud, allowing the subscriber to take notes. But this is an amazing level of security. They sound like they treated this ledger book with great care.
ALIA: And they had a single person who would read from it. I'm just baffled by that.
BOB: That prevented people from copying it.
ALIA: Yeah, I see. I see. Yeah, so it had a guard, essentially.
BOB: And an elaborate process to protect it.
JAN: Yeah. Until the 1960s when a company called the Retail Credit Company announces that they're going digital. So all of a sudden, all of this very personal information is going to be on computers. And there was again a public outcry that many people think directly led to Congress stepping in and creating the Fair Credit Reporting Act to outlaw all of these really unsafe and unfair practices that Retail Credit Company, RCC, was using with consumer information. So then, Retail Credit Company changes their name - trying to distance themselves, I assume, from the image after the FCRA is passed that they are, you know, unsafe, untrusty keepers of our private information. So they instead decided to go by...Equifax. And that's where you two come in.
BOB: I'm Bob Sullivan, your veteran tech journalist.
ALIA: And I'm Alia Tavakolian, your podcast making tech civilian, former Yahoo hacking victim, and new data privacy enthusiast.
BOB: Welcome back to season two of Breach, the podcast where we explore history's most notorious data breaches. Brought to you by Carbonite - how businesses protect your data.
ALIA: Season two. You asked for it and we eventually listened. Equifax: the breach we didn't want to explore because we thought it wasn't interesting enough.
BOB: And, boy, were you right, and were we wrong.
ALIA: So Bob, the Equifax breach was announced on September 7th, 2017, and at that point we'd already begun working on season one of the show. So here's why I didn't think we should do Equifax for season two: I just thought, you know, it was this big, scary event that didn't really have a great story behind it and thus didn't have really good juicy characters like Russian FSB agents, et cetera, et cetera. So like, why would we do it?
BOB: Millions of social security numbers were released, like, The End, right? What else is there to say? And, plus, I thought people might have moved on. I mean, there had been so many hacks since then, everyone seemed to know everything there was to know about Equifax
- how were we going to fill up six episodes with this story?
ALIA: Equifax: the breach that might change everything.
BOB: Equifax: the breach that made everybody angry, but didn't accomplish anything.
ALIA: So the big question is, “why Equifax?”
BOB: Well, for one thing, more information has come to light, including this incredibly detailed report from Congress that we can really sink our teeth into, which lays out all of the dozens of mistakes that Equifax made along the way. But, “why Equifax” in general is a really profound question.
ALIA: Okay, so why Equifax?
BOB: For starters, for a lot of people in the credit, finance, and journalism worlds, the Equifax breach was the most important day probably of their careers. Many of us have been talking about what would happen if one of these big three credit reporting agencies who keep all this credit information on us, what would happen if it was breached?
ALIA: One of these people whose careers were defined by the Equifax breach is Ron Lieber.
RON LIEBER: I write the “Your Money” column for The New York Times.
ALIA: You heard him earlier in the intro. In his opinion, a breach at a credit reporting agency has always been the mother lode.
RON: Someone gets into one of the big three credit reporting agencies - Equifax, Experian or Transunion - and gets all the good stuff, the social security numbers with matching data that can be used to create new identities, at 143 million or whatever it ends up being.
ALIA: And he vividly remembers the day the Equifax breach was announced.
RON: And just to give you a sense of how frazzled I already was at that point, my father is dying of ALS and there was a giant hurricane bearing down on Florida at that point. It was the big one that hit back then, and my siblings and I were in the middle of trying to get him out of there, like literally rolled his wheelchair up the interstate. We were, you know, trying to get him up to Orlando with his aide. And the last flight from Chicago, where I'd been for a work trip, had just been, um, canceled, so I wasn't going to be able to get down there. We're trying to figure out who's going to drive him where, and where we're all going to meet up in central Florida, and just as I get off the phone, this email arrives. Right? And so I write back and I said, “This is potentially the mother lode, the big one that we've always feared.”
ALIA: See, the Equifax breach isn't about the size or amount of what was stolen.
MIKE LITT: It's not the largest, it's the worst.
ALIA: This is Mike Litt, the Consumer Campaign Director of U.S. PIRG in D.C.
MIKE: So U.S. PIRG stands for the U.S. Public Interest Research Group.
ALIA: We sat down with Mike, who's on the consumer advocacy side of things. He's someone shouting throughout D.C. that this one’s a game changer.
MIKE: So it's not the largest, I mean, the largest is the one that y'all already covered in season one, which is the Yahoo! breach. But it's the worst because of the type of information that was stolen in this breach. It's the worst because social security numbers are really the keys to identity theft and other types of fraud.
BOB: If we’re asking, “why Equifax - why it matters?” this is it. Your social security number. There was far more outrage right after the Equifax breach than for the myriad other breaches before it or after it. Certainly more than Yahoo!, ‘cause your social security number is one of the worst things to lose. So if someone steals your credit card number, or your username, or your password, that's like they stole the key to the front door of your house. It's a pain, but you just change the lock and you're fine. Someone steals your social security number, that's like stealing every key that's ever been made for every lock today or in the future, forever. So it literally means locks don't work anymore. That's why stealing a social security number is monumentally bigger than stealing any other kind of piece of information
ALIA: And it leaves you powerless.
BOB: It means we have to change the entire concept of locks.
ALIA: Right. You can't change the master key to everything. A lot of us were angry about someone losing our social security number, but there's even more to be angry about. Because in some instances, hackers didn't just grab your social security number, they also grabbed a handful of your PII - Personal Identifiable Information, all the tons of little personal details that add up to make your credit report.
BOB: According to the report from Congress, in some cases, Equifax also lost details like driver's license numbers, full names, birthdays, addresses, passport photos.
ALIA: So let's say in addition to your social security number, a hacker also got a piece of PII as simple as your name.
MIKE: ...with that, an identity thief can open a new account in your name. They can try to open a credit account in your name, or a loan, or utilities, or a cell phone.
ALIA: Or, let's say a hacker gets your social security number, plus your name, plus your date of birth.
MIKE: ...so that could be tax refund fraud. They could try to collect your social security benefits. They could try to collect your medical services or benefits.
BOB: This is the worst math ever, isn't it?
ALIA: It gets worse. Let's say they get your social security number, plus name, plus date of birth, plus driver's license number. That could be…
MIKE: ...turned into a fake ID...
ALIA: ...which means…
MIKE: ...they could commit crimes in your name. They could apply for jobs in your name, places to live. So that's why it's the worst.
ALIA: Okay, I need to take a brain break. We don't have to do ads ‘cause we're sponsored by Carbonite, but we can take a break when we need one to do whatever we want. And here's what I want to try - learning about Equifax and the world of credit reporting agencies unearthed this whole larger credit ecosystem that I hadn't known anything about. There are tons of other specialty credit reporting companies gathering, and sharing, and feeding off our data, not just Equifax, and Experian, and Transunion. I barely understand how those three work, and then there's a whole bunch of other characters? So I started wondering over drinks, “Wait, then how many credit reports are there on one person in the world? And how would that one person find them all? Could we get them all in one room?” I brought this up to my friend Scott, and he agreed to be our guinea pig and actually find out. Our Production Assistant, Kelly, agreed to spearhead this, “Get All Your Credit Reports In One Room” experiment. So we'll hear from her throughout the season.
SCOTT MOSHER: Hi, I'm Scott Mosher. Um, I work in HR.
KELLY: And I'm Kelly. I'll be the one handling all this credit stuff. So, Scott agreed to participate in this credit experiment to find out just how many credit reports do exist on him. And are they accurate? And if we ask for them, will these specialty credit agencies even call us back? Before taking a deep dive into all of Scott's credit reports, I wanted to find out how much Scott knew about his credit.
SCOTT: So I bought a house in March of 2018, and that was one of the first times that I had actually even looked at my credit or taken much of an interest in it because you kind of need that to buy a house. So when they ran my credit, it was lower than I expected.
KELLY: So he looks into his credit for the first time to see what went wrong.
SCOTT: Apparently there was an issue with, um, when I leased my car, and I moved from one lease to another, and the dealership was supposed to, um, stop payments on the old lease and things like that, and they didn't. But I never got any notices in the mail or anything like that about it.
KELLY: So time goes by, and he has no idea that there's another car lease that he's not paying.
SCOTT: Until I finally checked it, and noticed that there was this major issue and that it wasn't my fault.
KELLY: Um, so those are your credit questions in the past. So what credit questions do you have now? Like why would you want to look into all of your reports now?
SCOTT: Well, I want to look into my reports because, um, you know, I may buy a car, which I believe they run your credit for that instead of leasing. Um, and now that I've seen that there have been errors with my credit, um, if I ever find something I want to know ahead of time. Because it did delay my h-- my process of buying the house. Um, and I also just want to know because, um, from my understanding of what you guys have told me, there's more than just the three credit agencies out there, and I'm really curious to know what they are, what they will have that may not be associated with me, um, or that may be incorrect.
KELLY: Yeah. So how many credit reports do you think you have out there?
SCOTT: I mean, I would have honestly said three. And I'm wondering who uses this information, right? I don't have access to it right now, um, which worries me because obviously they're there for a reason. If no one was asking these other credit agencies for information, then they wouldn't be in business.
KELLY: The next step is to find every credit reporting agency that has a report on Scott, besides the big three. I have no idea how many agencies that is, or where to start, but I found someone who does.
JOEL WINSTON: Hi, this is Joel.
KELLY: Joel Winston, credit lawyer and I would like to say my newfound friend, agreed to help me figure out how the eff to do this. And luckily, he's super into this stuff.
JOEL: So this is kind of like a weird personal passion project that I've been pursuing for a long time, so...
KELLY: And, spoiler: he told me there could be hundreds of credit reports for Scott out there, so we'll see how this is going to go. Stay tuned, on the next episode of Breach.
BOB: So, yes, the Equifax breach is particularly scary in terms of the quality of data stolen.
ALIA: Uh, yes.
BOB: But the Equifax breach is also interesting because of how they were breached, the series of errors they made as an organization.
ALIA: So many bungles.
BOB: And how few penalties they faced.
ALIA: How Equifax lost our data in the arguably worst breach ever is crucial. If history is being written right now via push notifications, Equifax may well be the first example all history books point to in a chapter called, “Early 21st Century: The Straight-Up End Of Privacy.” Luckily, we were able to sit down with the guys who went to Equifax and wrote the detailed report on what exactly went wrong. I'll let those experts, and other voices you'll hear more from this season, help us (and future historians) with an overview. The Equifax breach is a masterclass in how the worst breaches begin with small fixable technical problems. Like how earlier in 2017…
MIKE: ...there was a warning that went out by Apache Struts, which was this open source software.
ALIA: There was a vulnerability in some of Equifax’s software. A patch was issued, easy. Except, according to former Equifax CEO Rick Smith, there was a human error.
RICK SMITH: ...human error. It was the individual who was responsible for communicating in the organization to apply the patch, did not.
ALIA: Which doesn't exactly hold up if you consult any of these detailed reports, or the human error himself, which we did.
GRAEME PAYNE: The day before, I had been terminated from the company. So, I was able to put two and two together and work out that the person that he was talking about was me.
ALIA: But even if the patch wasn't applied, there are fail safes in place to notice when large traffic - that is, the data of 148 million individuals - leaves a server. But...
MIKE: ...but then also their backup, uh, their, their fail stop failed.
ALIA: The certificate had expired.
BOB: But while that certificate was not up to date, this traffic was not being inspected.
NICK MARINOS: That's right.
BOB: For a year.
ALIA: Equifax is also a story about how big companies can botch things even more after a breach.
MIKE: They find out about it in July, and then they wait at least six weeks to let the public know.
ALIA: And if you thought they'd use that six weeks to get their act together…
MIKE: They put up, you know, on their website they have a search tool that is giving faulty results on whether or not you are actually affected by the breach.
RON: Why should I trust these Bozos with my social security number if they've already proven that they can't handle people's information?
MIKE: They actually tweet out the wrong website.
ALIA: A wrong website built specifically to name and shame them.
NICK SWEETING: And I thought, “What the heck,” you know? I might as well do it myself and make a site to kind of make fun of them. And so I did that. I bought the domain, it cost me about 10 bucks, and I cloned the Equifax website in about 30 seconds.
ALIA: They were totally unprepared to answer people's questions.
MIKE: They understaff their call center.
RON: The website is frozen, or I put my information in and it quits halfway through, or it tells me I need to call, and then when I call I can't get ahold of anybody...
ALIA: And sure, they provided some free services in the wake of the breach.
JESSAMYN WEST: “You can apply for a year’s worth of free credit monitoring from basically us. I mean, you know, not us, but, like, a company, a company we own.” And I was like, no, no, no, you kind of, you kind of burned that bridge with me.
ALIA: But they didn't offer free credit freezes, one of the most helpful things you can do to protect your identity. In many states at the time, credit freezes came with a fee, which gave Equifax the opportunity to make money off of this breach.
MIKE: They exposed 148 million Americans to new account identity theft and all sorts of other fraud. And over a year later they still haven't been held accountable. They haven't paid a price, they haven't paid any kind of penalty, and they're making more money than they have before, and they're back to selling credit monitoring.
ALIA: That's what makes this so personal. Unlike Yahoo!, I didn't voluntarily sign up for an Equifax account.
BOB: Absolutely. I mean, Equifax has been collecting all your personal information with or without your consent. Then they lost it, putting you at risk. Then they offered these free services that didn't begin to adequately protect you from identity fraud, and in some cases the available solutions that could protect you just put money right back in Equifax's pocket. They could inadvertently profit from this breach.
ALIA: In hindsight, in the history books, how absurd will it seem that a company this big could have this much data, guard it so irresponsibly, ultimately lose the personal data of 148 million people, including 145 million people's social security numbers?
BOB: If this feels like a flagrant violation of you as a consumer, it's because you're not
Equifax’s consumer. You’re Equifax's product.
ALIA: When we ended season one, the Yahoo! breach, we discussed the idea of, “Caution: Falling Rocks.”
BOB: You know those signs on the highway that say, “Caution: Falling Rocks,” but don't say what to do? Like, what are you going to do, stop driving, turn off the cliff? It's like a warning with no useful information.
ALIA: This is the good news about Equifax. People are figuring out what to do about it. A lot of real people who've been hurt or affected by the Equifax breach are taking action and you can too.
CHRISTIAN HAIGH: These people are not too big that you can’t have justice. And so, what I wanted to do was to share my story and have my day in court, so that then I could share with other people how they could also have their day in court.
ALIA: And even though a year later Equifax has faced little to no real repercussions, that could change. In the wake of Equifax, the worst breach ever, maybe enough of us are finally fed up.
JESSAMYN: I don't mind being a vehicle for helping tell a story that I think is important if I don't think there are other people who are going to get out in front of a story and do something that is a little stunt-ish in order to raise awareness about this. So, as far I'm concerned, so worth it.
ALIA: So that's, “why Equifax.” And there's way more to get into. This is just the beginning.
BOB: And the story is very much unfinished. As we're all already acknowledging, not much has happened to Equifax, and it seems like maybe nothing has changed, or nothing will change.
And we might look back 50 years from now and just say, “What a missed opportunity. We could have done something and we didn't.” So that's why this is so important to do right now.
ALIA: Yeah, I mean, I can't imagine putting this many people at risk and then now, a little more than a year later, facing so few repercussions. I mean, it makes me want to riot, Bob. Equifax: The Breach That Makes Me Want To Riot
BOB: Equifax: The Breach That's Dirtier Than We Thought.
ALIA: Equifax: This Time, It's Personal. I mean literally it's personal identifiable information, and your social security number. We’ll be workshopping this all season. Equifax: The Breach That…? Because The Worst Breach Ever happened a little more than a year ago, and it's not too late to change history for the better. So maybe we can have a future where stuff this bad doesn't happen again. Otherwise…
ALIA: So is it like Equifax: The Hack That Should Have Changed Everything, But Didn't Change A Damn Thing?
RON: Equifax: The Hack That Will Happen Again Before Too Long, But We Just Can't Predict Where.
BOB: It would be easy to feel like with this breach, your data is officially no longer yours. ALIA: I feel like my data has been straight-up murdered.
BOB: I think that's really fair. This is a great murder mystery, and then it gets way more complicated the more you dig. Your data's been murdered. No, your privacy has been murdered. Equifax has blood on its hands. But who's really responsible for killing it?
ALIA: This season on Breach, we’ll dig into who or what killed your privacy, and so much more. Like, who the eff should be responsible for keeping my social security number safe, and why is it so important and dangerous?
BOB: Who do we hold responsible, and how do we even begin to fix this?
ALIA: What really went wrong at Equifax? It's not nearly as simple as one human error. That's too easy.
BOB: Oh definitely.
ALIA: And how many times can you laugh out loud and then get an anxiety attack during a series of congressional hearings? Rick Smith versus bipartisanly pissed off politicians equals the most bananas testimony maybe ever.
JOHN KENNEDY: You realize to many Americans right now that looks like, uh, we're giving Lindsay Lohan the keys to the minibar.
BOB: I was in the room in the gallery. It was nuts.
ALIA: I'm so glad we're back at it, Bob.
BOB: Me, too.
ALIA: Thanks for joining us, too. Buckle up for season two of Breach: The Equifax Story. Breach is a branded podcast brought to you by Carbonite in partnership with Midroll and Spoke Media. You can find transcripts and show notes at carbonite.com/breach. If cybersecurity reporting were tidying up, Bob Sullivan would be Marie Kondo, and I would be a spark of joy. If we've sparked any joy for you, head to Apple Podcasts and rate and review our show. We totally read those and it helps people find us. Our show is executive produced by me, Alia Tavakolian, and produced and written by Janielle Kastner, aka Producer Jan, with Associate Producer Caroline Hamilton and Production Assistant Kelly Kolff. Research and co-writing from Haley Nelson. When Bob and I are in the studio, we’re recorded by Casey Holford and Jared O'Connell. Today's episode was mixed and sound designed by Evan Arnett, with production help from Spoke Media. Our Head of Post Production is Will Short. The songs you hear come from APM music. Our Executive Producer is Keith Reynolds, whose credit score plummeted when he started a podcast company, but he swears it's worth it. Special thanks to the folks you heard today who are just a few of the excellent voices you'll hear more of the season: Ron Lieber, Mike Litt, Graeme Payne, Nick Sweeting, Jessamyn West, and Christian Haigh. And thanks to our valiant credit report volunteer, Scott Mosher, and Joel Winston, the military advisor to our credit report battle.