WEBVTT

00:00:00.000 --> 00:00:04.179
Welcome back to the Deep Dive. Today we are peeling

00:00:04.179 --> 00:00:06.759
back the layers on a company that is, for most

00:00:06.759 --> 00:00:09.839
of us, almost completely invisible. Yet it holds

00:00:09.839 --> 00:00:12.939
the digital keys to, well, to our entire financial

00:00:12.939 --> 00:00:16.079
lives. We're talking about Equifax Inc. It's

00:00:16.079 --> 00:00:17.500
one of those giants, you know, you only really

00:00:17.500 --> 00:00:19.199
think about it when you're applying for a mortgage

00:00:19.199 --> 00:00:22.320
or maybe worse, when you get that dreaded security

00:00:22.320 --> 00:00:25.370
breach notification in the mail. Right. And Equifax

00:00:25.370 --> 00:00:27.170
isn't just a player in the game. It's one of

00:00:27.170 --> 00:00:29.910
the big three. It's right up there with Experian

00:00:29.910 --> 00:00:32.570
and TransUnion on that global stage. Yeah, absolutely.

00:00:32.890 --> 00:00:35.810
And the scale, the sheer scale of their operations

00:00:35.810 --> 00:00:38.429
is, it's just hard to wrap your head around.

00:00:38.530 --> 00:00:40.590
The source material we looked at says Equifax

00:00:40.590 --> 00:00:43.049
collects and aggregates information on over 800

00:00:43.049 --> 00:00:46.969
million individual consumers worldwide. 800 million.

00:00:47.049 --> 00:00:48.750
I mean, let that number sink in for a second.

00:00:48.810 --> 00:00:51.310
That's getting close to 10% of the entire world's

00:00:51.310 --> 00:00:53.310
population. And that's just the individuals they're

00:00:53.310 --> 00:00:55.469
tracking. Their reach goes way into the corporate

00:00:55.469 --> 00:00:58.130
world, too, with data on more than 88 million

00:00:58.130 --> 00:01:00.789
businesses across the globe. So what you're describing

00:01:00.789 --> 00:01:02.909
isn't just a company. It's more like a foundational

00:01:02.909 --> 00:01:06.030
utility, an information utility. It is. It's

00:01:06.030 --> 00:01:08.849
a centralized database that modern finance, lending,

00:01:09.030 --> 00:01:12.450
employment, even insurance. It just can't function

00:01:12.450 --> 00:01:14.569
without it. Okay, so our mission today is to

00:01:14.569 --> 00:01:17.390
really trace the lineage of this behemoth. How

00:01:17.390 --> 00:01:21.549
does a company that's now 126 years old, headquartered

00:01:21.549 --> 00:01:24.290
in Atlanta, Georgia, pulling in nearly $5.7

00:01:24.290 --> 00:01:28.810
billion a year, how did it get this kind of irreplaceable

00:01:28.810 --> 00:01:32.280
power? And more importantly... Why is that power

00:01:32.280 --> 00:01:34.819
so controversial? Why is its history just littered

00:01:34.819 --> 00:01:37.659
with these extraordinary security failures, with

00:01:37.659 --> 00:01:40.780
insider trading, with legal battles that go back

00:01:40.780 --> 00:01:42.480
decades? That's what we're going to get into.

00:01:42.560 --> 00:01:44.159
We're going to do a deep dive into the documents

00:01:44.159 --> 00:01:46.319
to trace its journey from what was essentially

00:01:46.319 --> 00:01:49.780
a local rumor mill operating on gossip and innuendo

00:01:49.780 --> 00:01:53.239
to this multinational data giant that was responsible

00:01:53.239 --> 00:01:55.260
for one of the biggest data breaches in history.

00:01:55.480 --> 00:01:57.579
We really need to understand the systemic failure

00:01:57.579 --> 00:02:00.239
here. What happens when the very custodian of

00:02:00.239 --> 00:02:02.340
your most sensitive financial identity proves

00:02:02.340 --> 00:02:05.560
time and time again to be just consistently negligent?

00:02:05.620 --> 00:02:07.579
All right. Let's start at the beginning to really

00:02:07.579 --> 00:02:09.960
understand the culture and the problems that

00:02:09.960 --> 00:02:14.219
Equifax has today. You have to go way, way back,

00:02:14.379 --> 00:02:18.360
back to 1899, which is, you know, a surprisingly

00:02:18.360 --> 00:02:20.879
long history for a company whose current issues

00:02:20.879 --> 00:02:24.300
are so digital. It is. It started as the retail

00:02:24.300 --> 00:02:27.539
credit company or RCC. RCC. Right. And it was

00:02:27.539 --> 00:02:30.159
founded by two brothers, Cater and Guy Wolford,

00:02:30.240 --> 00:02:32.539
down in Atlanta, Georgia. And you have to understand

00:02:32.539 --> 00:02:35.259
the context here. This wasn't about FICO scores

00:02:35.259 --> 00:02:37.319
or anything like that. This was an era where

00:02:37.319 --> 00:02:39.520
the only way a shopkeeper or a lender could know

00:02:39.520 --> 00:02:42.379
if you were trustworthy was by asking around

00:02:42.379 --> 00:02:44.719
town, personal references. So the Woolford brothers,

00:02:44.879 --> 00:02:47.740
they just formalized that. They built a paid

00:02:47.740 --> 00:02:50.180
reference service. Precisely. They created a

00:02:50.180 --> 00:02:52.379
business out of checking trustworthiness. And

00:02:52.379 --> 00:02:56.180
it worked. By 1920, the RCC model was so successful

00:02:56.180 --> 00:02:57.800
they had offices all across the United States

00:02:57.800 --> 00:03:00.219
and Canada. They built this massive interconnected

00:03:00.219 --> 00:03:02.719
system for gathering information. But the business

00:03:02.719 --> 00:03:05.099
model then was much bigger than just checking

00:03:05.099 --> 00:03:08.550
if you'd pay back a loan, right? By the 1960s,

00:03:08.550 --> 00:03:11.530
RCC was obviously a huge credit bureau with files

00:03:11.530 --> 00:03:14.210
on millions of people. But most of its money,

00:03:14.310 --> 00:03:16.590
most of its work, was actually coming from reports

00:03:16.590 --> 00:03:19.110
for insurance companies. Yes, and for employment

00:03:19.110 --> 00:03:21.469
screening. That's a really crucial distinction.

00:03:21.930 --> 00:03:23.729
When an insurance company was trying to decide

00:03:23.729 --> 00:03:25.770
whether to give you a life insurance policy or

00:03:25.770 --> 00:03:28.229
car insurance, they wanted to know a lot more

00:03:28.229 --> 00:03:30.229
than just your debt. They'd commission the RCC

00:03:30.229 --> 00:03:32.490
to build a whole report on your life. And this

00:03:32.490 --> 00:03:35.479
is where it gets... Well, this is where the sinister

00:03:35.479 --> 00:03:37.860
side of the Retail Credit Company really starts

00:03:37.860 --> 00:03:40.000
to show. It goes from a reference checker to

00:03:40.000 --> 00:03:42.919
something more like a surveillance machine. The

00:03:42.919 --> 00:03:45.560
source material from that time, it documents

00:03:45.560 --> 00:03:48.020
its intense criticism. There were allegations

00:03:48.020 --> 00:03:50.300
that the company collected, and I'm quoting here,

00:03:50.400 --> 00:03:53.620
"facts, statistics, inaccuracies, and rumors about

00:03:53.620 --> 00:03:56.379
virtually every phase of a person's life." And

00:03:56.379 --> 00:03:58.479
the level of personal intrusion that they monetize

00:03:58.479 --> 00:04:01.770
is just genuinely... shocking to a modern sensibility.

00:04:01.990 --> 00:04:05.169
These files, these dossiers, they included incredibly

00:04:05.169 --> 00:04:08.789
sensitive non-financial information. Like what

00:04:08.789 --> 00:04:10.750
are we talking about here? We're talking about

00:04:10.750 --> 00:04:14.169
details on your marriage, any marital problems,

00:04:14.310 --> 00:04:16.569
your school history, even your childhood, your

00:04:16.569 --> 00:04:19.050
sex life, how much you drank, what your political

00:04:19.050 --> 00:04:21.569
activities were. It was this huge decentralized

00:04:21.569 --> 00:04:25.290
collection of intensely personal, often third-hand,

00:04:25.290 --> 00:04:27.689
and completely unverified information

00:04:27.689 --> 00:04:30.149
about you. And what the documents show is that

00:04:30.149 --> 00:04:33.110
this wasn't even neutral data collection. The

00:04:33.110 --> 00:04:36.110
criticism in the 60s and 70s was that RCC employees

00:04:36.110 --> 00:04:38.550
were actually rewarded. They were financially

00:04:38.550 --> 00:04:41.569
incentivized to collect derogatory information.

00:04:41.850 --> 00:04:43.589
Right. They weren't just passively accepting

00:04:43.589 --> 00:04:45.709
negative info. They were actively looking for

00:04:45.709 --> 00:04:48.689
the dirt. That incentive structure is just, it's

00:04:48.689 --> 00:04:51.009
profound, isn't it? Socially, legally. It is.

00:04:51.089 --> 00:04:53.149
When you pay people to find negative information,

00:04:53.329 --> 00:04:55.649
you create a system that's just ripe for bias

00:04:55.649 --> 00:04:58.769
and for discrimination. The sources detail how

00:04:58.769 --> 00:05:00.810
these biased reports were used to block people

00:05:00.810 --> 00:05:04.730
from getting jobs or housing or insurance. And

00:05:04.730 --> 00:05:06.649
it was particularly used to discriminate against

00:05:06.649 --> 00:05:09.529
marginalized groups like queer people and people

00:05:09.529 --> 00:05:12.110
of color. So if an RCC agent wrote down that

00:05:12.110 --> 00:05:15.069
a person was, say, politically active in a way

00:05:15.069 --> 00:05:17.610
the client didn't like, that person could lose

00:05:17.610 --> 00:05:20.709
their job or be denied a policy, and they'd have

00:05:20.709 --> 00:05:23.870
no idea why. No recourse. Zero transparency.

00:05:24.449 --> 00:05:26.670
So yeah, the Retail Credit Company wasn't just

00:05:26.670 --> 00:05:29.189
some quiet office. It was acting as this major

00:05:29.189 --> 00:05:31.790
national gatekeeper, a barrier to opportunity,

00:05:31.990 --> 00:05:35.490
all fueled by unverified gossip and a really

00:05:35.490 --> 00:05:38.170
perverse financial incentive. A scandal was definitely

00:05:38.170 --> 00:05:40.629
brewing, but it was the technology that really

00:05:40.629 --> 00:05:42.569
pushed it over the edge. That's the catalyst.

00:05:42.829 --> 00:05:45.129
As the company started computerizing its records

00:05:45.129 --> 00:05:47.850
in the late 60s and early 70s, the idea that

00:05:47.850 --> 00:05:50.910
all this deeply personal, unverified data could

00:05:50.910 --> 00:05:53.129
suddenly be shared instantly across the country,

00:05:53.290 --> 00:05:55.670
that became a huge public concern. Which brings

00:05:55.670 --> 00:05:57.449
us to a really pivotal moment, congressional

00:05:57.449 --> 00:06:00.509
intervention. Exactly. All those alarm bells

00:06:00.509 --> 00:06:03.569
led directly to the U.S. Congress holding these

00:06:03.569 --> 00:06:06.889
critical hearings in 1970. They were looking

00:06:06.889 --> 00:06:08.870
into the practices of the Retail Credit Company

00:06:08.870 --> 00:06:11.250
and other credit bureaus, and the seriousness

00:06:11.250 --> 00:06:14.459
was clear. Private companies were compiling and

00:06:14.459 --> 00:06:17.540
selling this highly invasive data that was directly

00:06:17.540 --> 00:06:20.100
affecting people's lives. And it was all happening

00:06:20.100 --> 00:06:22.540
without any consumer knowledge or control. The

00:06:22.540 --> 00:06:24.300
result of those hearings was the Fair Credit

00:06:24.300 --> 00:06:27.720
Reporting Act, the FCRA. This was a landmark

00:06:27.720 --> 00:06:30.040
piece of legislation. Oh, it was revolutionary

00:06:30.040 --> 00:06:33.430
for American consumer law. The FCRA didn't shut

00:06:33.430 --> 00:06:35.430
down the credit bureaus, but for the first time,

00:06:35.430 --> 00:06:37.449
it put them under strict federal regulation.

00:06:38.009 --> 00:06:40.529
And crucially, it gave consumers fundamental

00:06:40.529 --> 00:06:43.449
rights, the right to actually see your own file,

00:06:43.589 --> 00:06:45.730
the right to dispute things that were wrong,

00:06:45.810 --> 00:06:47.910
and it forced the bureaus to actually investigate

00:06:47.910 --> 00:06:50.750
those disputes. It forced transparency and accountability

00:06:50.750 --> 00:06:53.629
on what had been a really shadowy system. So

00:06:53.629 --> 00:06:55.389
what was the company's immediate response to

00:06:55.389 --> 00:06:57.670
all this? Well, the pressure from the hearings,

00:06:57.910 --> 00:07:00.910
which had exposed all their invasive and discriminatory

00:07:00.910 --> 00:07:04.310
practices, was just too much to ignore. The Retail

00:07:04.310 --> 00:07:06.389
Credit Company realized its brand was toxic.

00:07:06.970 --> 00:07:10.889
So in 1975, they made a decision to shed that

00:07:10.889 --> 00:07:13.569
rumor mill baggage. They changed their name to

00:07:13.569 --> 00:07:16.629
Equifax. A calculated PR move. Absolutely. It

00:07:16.629 --> 00:07:19.589
was designed to project this new image of, you

00:07:19.589 --> 00:07:22.649
know, equity, facts, reliability, anything to

00:07:22.649 --> 00:07:24.569
distance themselves from that really controversial

00:07:24.569 --> 00:07:26.470
past. And I think it's so important for listeners

00:07:26.470 --> 00:07:29.589
to get that this foundational history is crucial.

00:07:29.689 --> 00:07:31.629
It sets a precedent, right? This is a company

00:07:31.629 --> 00:07:33.490
that was literally born out of a national scandal

00:07:33.490 --> 00:07:35.990
and was fundamentally shaped by being forced

00:07:35.990 --> 00:07:38.720
into... federal regulation. It's in its DNA.

00:07:38.899 --> 00:07:41.060
So Equifax emerges from the ashes of their Retail

00:07:41.060 --> 00:07:43.660
Credit Company with this sleek, modern name.

00:07:43.779 --> 00:07:46.660
But the core business is still data. And that

00:07:46.660 --> 00:07:48.920
data has only become more valuable and you could

00:07:48.920 --> 00:07:51.439
argue more intrusive. So for that nearly six

00:07:51.439 --> 00:07:53.620
billion dollars in revenue, what does the modern

00:07:53.620 --> 00:07:56.680
Equifax actually do? At its heart, it's still

00:07:56.680 --> 00:07:59.199
a business to business powerhouse. They aren't

00:07:59.199 --> 00:08:01.439
primarily focused on selling you your credit

00:08:01.439 --> 00:08:04.139
score for 10 bucks a month. They're selling deep,

00:08:04.589 --> 00:08:07.430
deep analytical capabilities, demographic data,

00:08:07.649 --> 00:08:10.750
consumer credit and insurance reports, and entire

00:08:10.750 --> 00:08:14.449
software platforms to massive clients, banks,

00:08:14.589 --> 00:08:17.389
retailers, you name it. Right. So banks, credit

00:08:17.389 --> 00:08:20.550
unions, car lenders, big retailers, utility companies,

00:08:20.790 --> 00:08:23.589
even health care systems. If you're doing any

00:08:23.589 --> 00:08:26.110
kind of transaction that requires checking someone's

00:08:26.110 --> 00:08:28.829
financial stability, Equifax is that invisible

00:08:28.829 --> 00:08:31.040
third party in the room. And this is where we

00:08:31.040 --> 00:08:33.200
need to slow down a bit, because their data collection

00:08:33.200 --> 00:08:35.559
goes so far beyond just your credit card payments

00:08:35.559 --> 00:08:38.580
and your loans. Equifax has built these non-credit

00:08:38.580 --> 00:08:41.320
data streams that give them this incredibly detailed,

00:08:41.480 --> 00:08:43.700
almost three-dimensional profile of you. Okay,

00:08:43.759 --> 00:08:45.139
so let's break that down. Start with utilities.

00:08:45.259 --> 00:08:47.440
You mentioned them. They collect payment history

00:08:47.440 --> 00:08:49.860
for things like phone bills and power bills through

00:08:49.860 --> 00:08:53.940
a system called NCTUE. Yes, the National Consumer

00:08:53.940 --> 00:08:57.769
Telecom and Utilities Exchange. And the NCTUE

00:08:57.769 --> 00:08:59.990
is important because it captures behavior that

00:08:59.990 --> 00:09:02.669
the main bureaus often miss. It tells a potential

00:09:02.669 --> 00:09:04.750
lender if you're reliable in paying your other

00:09:04.750 --> 00:09:07.389
bills, your cable, your internet, your electricity.

00:09:07.929 --> 00:09:10.389
Being consistent there can be a big data point

00:09:10.389 --> 00:09:12.509
for risk, especially for people who don't have

00:09:12.509 --> 00:09:15.669
a lot of traditional credit. Equifax really pioneered

00:09:15.669 --> 00:09:18.570
gathering this data and centralizing it. But

00:09:18.570 --> 00:09:21.049
the real game changer, and maybe the most controversial

00:09:21.049 --> 00:09:24.049
part of modern Equifax, is their TALX division.

00:09:24.370 --> 00:09:27.679
And specifically... The Work Number. We cannot

00:09:27.679 --> 00:09:29.860
overstate the importance of this. The Work Number

00:09:29.860 --> 00:09:33.100
is, for tens of millions of Americans, the centralized

00:09:33.100 --> 00:09:35.639
way to verify your job and your income. Think

00:09:35.639 --> 00:09:37.519
about it. When you apply for a mortgage, the

00:09:37.519 --> 00:09:39.779
lender needs to verify your salary. In the old

00:09:39.779 --> 00:09:41.659
days, they'd have to call your HR department.

00:09:41.879 --> 00:09:44.200
But now, they don't have to do that. Now, they

00:09:44.200 --> 00:09:47.340
just query The Work Number. Equifax gets payroll

00:09:47.340 --> 00:09:50.360
data directly from tens of thousands of U.S.

00:09:50.379 --> 00:09:53.440
companies. We're talking huge corporations, government

00:09:53.440 --> 00:09:55.919
agencies, just about everyone. They hold your

00:09:55.919 --> 00:09:58.799
current and past salary history, your job titles,

00:09:58.940 --> 00:10:01.440
your employment dates. So Equifax owns the very

00:10:01.440 --> 00:10:03.519
infrastructure that verifies whether you can

00:10:03.519 --> 00:10:06.100
afford the loan you're asking for. Wow. That's

00:10:06.100 --> 00:10:08.279
an almost complete financial identity. They have

00:10:08.279 --> 00:10:10.580
your credit history, your utility payments and your

00:10:10.580 --> 00:10:13.639
definitive salary history. That raises huge questions

00:10:13.639 --> 00:10:16.639
about data concentration. Why is this one platform,

00:10:16.899 --> 00:10:20.200
The Work Number, so powerful that it's now facing

00:10:20.200 --> 00:10:22.779
an antitrust lawsuit? Its power comes from how

00:10:22.779 --> 00:10:24.899
it's basically non-optional. It's centralized.

00:10:25.220 --> 00:10:27.919
Because Equifax got exclusive deals with so many

00:10:27.919 --> 00:10:30.279
huge employers, they became the single source

00:10:30.279 --> 00:10:32.179
of truth for automated employment verification.

00:10:32.580 --> 00:10:35.620
So lenders who want speed and efficiency are

00:10:35.620 --> 00:10:38.539
heavily pushed or pretty much forced to use the

00:10:38.539 --> 00:10:41.159
Work Number because it's instant. HR departments

00:10:41.159 --> 00:10:43.340
can't match that speed. So if a lender wants

00:10:43.340 --> 00:10:45.740
to process loans quickly for a huge number of

00:10:45.740 --> 00:10:48.279
applicants, they have to pay Equifax. Exactly.

00:10:48.460 --> 00:10:50.860
And the source material for the lawsuit argues

00:10:50.860 --> 00:10:53.779
this creates a powerful feedback loop. Equifax

00:10:53.779 --> 00:10:56.919
uses its dominance in credit data to push lenders

00:10:56.919 --> 00:10:59.639
toward its verification services. And the lenders

00:10:59.639 --> 00:11:02.379
argue in this new antitrust suit that this lack

00:11:02.379 --> 00:11:05.379
of competition lets Equifax charge crazy high

00:11:05.379 --> 00:11:07.919
prices for what is now an essential service.

00:11:08.350 --> 00:11:11.370
It's an alleged monopoly over the critical step

00:11:11.370 --> 00:11:14.110
of confirming your income, which is arguably even

00:11:14.110 --> 00:11:16.539
more sensitive than your credit history. I would

00:11:16.539 --> 00:11:19.899
say so. OK, so despite this huge B2B focus, they

00:11:19.899 --> 00:11:22.519
do have some direct to consumer offerings, right?

00:11:22.580 --> 00:11:25.639
B2C. Yeah. Since 1999, they've sold things like

00:11:25.639 --> 00:11:27.460
fraud prevention, identity theft protection,

00:11:27.679 --> 00:11:30.220
credit monitoring services. And of course, they

00:11:30.220 --> 00:11:32.620
have to provide that legally mandated free annual

00:11:32.620 --> 00:11:34.879
credit report, which all of us are entitled to

00:11:34.879 --> 00:11:37.320
under the very same FCRA law that forced their

00:11:37.320 --> 00:11:39.519
rebranding all those years ago. And beyond just

00:11:39.519 --> 00:11:41.899
dominating in the U.S., Equifax has been aggressively

00:11:41.899 --> 00:11:44.120
expanding across the globe through some major

00:11:44.120 --> 00:11:46.940
acquisitions. Yeah, their global reach is really

00:11:46.940 --> 00:11:50.220
key to their strategy. In 2016, Equifax bought

00:11:50.220 --> 00:11:53.419
Veda, which is the biggest credit agency in Australia

00:11:53.419 --> 00:11:55.500
and New Zealand. So that immediately gave them

00:11:55.500 --> 00:11:58.559
millions of non-U.S. consumer files. Then in

00:11:58.559 --> 00:12:01.539
2023, they moved into South America, buying Boa

00:12:01.539 --> 00:12:04.360
Vista Serviços, a major Brazilian credit bureau.

00:12:04.679 --> 00:12:06.559
And they also expanded into commercial data,

00:12:06.679 --> 00:12:08.960
which is businesses checking on other businesses.

00:12:09.279 --> 00:12:12.000
Yes. In 2020, they bought a company called Ansonia

00:12:12.000 --> 00:12:14.899
Credit Data. Ansonia is a specialist in commercial

00:12:14.899 --> 00:12:17.100
credit, especially in logistics like shipping

00:12:17.100 --> 00:12:20.500
and freight companies. So that move helps Equifax

00:12:20.500 --> 00:12:23.340
track the financial health, not just of people,

00:12:23.460 --> 00:12:25.980
but of the entire supply chains that run the

00:12:25.980 --> 00:12:27.889
global economy. They're trying to become the

00:12:27.889 --> 00:12:30.129
world's verification utility, period. Which leads

00:12:30.129 --> 00:12:32.649
us right to the enormous risk, the inherent liability,

00:12:32.870 --> 00:12:35.070
that comes with being an indispensable global

00:12:35.070 --> 00:12:38.090
data utility, especially when that utility seems

00:12:38.090 --> 00:12:40.629
to consistently neglect its own security. Yeah.

00:12:40.690 --> 00:12:43.110
The history of Equifax seems to have this rhythm

00:12:43.110 --> 00:12:45.570
to it. They expand, they centralize more and

00:12:45.570 --> 00:12:48.210
more power, and then... There's a massive failure.

00:12:48.490 --> 00:12:51.789
And that 2016 to 2017 period is probably the

00:12:51.789 --> 00:12:54.009
most disastrous failure in the company's entire

00:12:54.009 --> 00:12:58.129
126-year history. It just revealed security standards

00:12:58.129 --> 00:13:00.549
that were completely incompatible with the data

00:13:00.549 --> 00:13:02.690
they held. And what makes this whole saga so

00:13:02.690 --> 00:13:05.580
damning is the timeline. The sources we have,

00:13:05.639 --> 00:13:07.679
especially that big Motherboard report from October

00:13:07.679 --> 00:13:10.820
2017, show that security lapses were known about

00:13:10.820 --> 00:13:13.360
internally for months before the huge breach

00:13:13.360 --> 00:13:15.659
was even found. OK, let's start with that first

00:13:15.659 --> 00:13:18.799
warning sign from late 2016. What did that security

00:13:18.799 --> 00:13:22.159
researcher find? So around December 2016, a researcher

00:13:22.159 --> 00:13:24.120
finds a portal that was only supposed to be for

00:13:24.120 --> 00:13:26.679
Equifax employees. But it was completely open

00:13:26.679 --> 00:13:28.679
to the public Internet. It was vulnerable because

00:13:28.679 --> 00:13:30.799
of a really basic bug called a forced browsing

00:13:30.799 --> 00:13:33.750
bug. This is Web Security 101. It means if you

00:13:33.750 --> 00:13:35.909
just knew the right URL, you could get to it

00:13:35.909 --> 00:13:37.990
without any login. So no fancy hacking tools

00:13:37.990 --> 00:13:41.110
needed, just a web browser? That's it. The researchers

00:13:41.110 --> 00:13:42.970
said, quote, they didn't have to do anything

00:13:42.970 --> 00:13:45.789
fancy. By just playing with the web application,

00:13:46.049 --> 00:13:48.110
they claim they could pull millions of customer

00:13:48.110 --> 00:13:50.990
records: names, social security numbers, dates

00:13:50.990 --> 00:13:54.509
of birth in clear text. Clear text, meaning unencrypted.

00:13:54.909 --> 00:13:57.029
Unencrypted. They estimated they could have downloaded

00:13:57.029 --> 00:14:00.350
all of Equifax's customer data in maybe 10 minutes.

00:14:00.590 --> 00:14:02.769
Okay, now here's the part that is just shocking

00:14:02.769 --> 00:14:05.269
corporate negligence. The reporting indicates

00:14:05.269 --> 00:14:08.070
that even though Equifax got this alert, that

00:14:08.070 --> 00:14:10.710
vulnerable portal wasn't actually closed until

00:14:10.710 --> 00:14:14.870
June of 2017. That six-month delay is... It's

00:14:14.870 --> 00:14:17.669
just critical evidence of a deep... systemic

00:14:17.669 --> 00:14:20.370
security problem. It suggests there was no clear

00:14:20.370 --> 00:14:23.049
process for fixing things or failure to prioritize

00:14:23.049 --> 00:14:25.850
security or just a total breakdown in communication.

00:14:26.190 --> 00:14:28.129
That vulnerability was just sitting there for

00:14:28.129 --> 00:14:30.250
months, right up to and maybe even during the

00:14:30.250 --> 00:14:32.629
time the mega breach was happening. And it's

00:14:32.629 --> 00:14:34.570
important to remember that the huge breach wasn't

00:14:34.570 --> 00:14:37.169
the only one. There was another separate major

00:14:37.169 --> 00:14:40.009
breach in March of 2017 that Equifax only told

00:14:40.009 --> 00:14:42.570
a few banking customers about privately. Right.

00:14:42.610 --> 00:14:44.830
So this paints a picture of a company that isn't

00:14:44.830 --> 00:14:47.149
just dealing with one unlucky attack. It's a

00:14:47.149 --> 00:14:49.149
company in an ongoing state of having multiple

00:14:49.149 --> 00:14:52.409
poorly defended doors and windows. The big public

00:14:52.409 --> 00:14:56.389
one, the May to July 2017 mega breach, was just

00:14:56.389 --> 00:14:58.990
the catastrophic finale to all of this neglect.

00:14:59.269 --> 00:15:01.690
Let's focus on that one. The pivotal event. This

00:15:01.690 --> 00:15:04.110
breach came from a specific known vulnerability

00:15:04.110 --> 00:15:06.409
that they just hadn't fixed. The vulnerability

00:15:06.409 --> 00:15:10.320
was known as CVE-2017-5638. It was an exploit

00:15:10.320 --> 00:15:12.480
that targeted the Apache Struts web framework,

00:15:12.600 --> 00:15:14.919
which is super common in big companies. The vulnerability

00:15:14.919 --> 00:15:17.799
wasn't some secret zero day. It was known. And

00:15:17.799 --> 00:15:20.279
a patch, a fix for it, had been available since

00:15:20.279 --> 00:15:23.480
March 2017. Equifax just didn't apply the patch.

00:15:23.620 --> 00:15:25.799
They left a massive door wide open. And what

00:15:25.799 --> 00:15:27.720
does that vulnerability actually let a hacker

00:15:27.720 --> 00:15:30.960
do? It allows for what's called Remote Code Execution,

00:15:30.980 --> 00:15:34.500
or RCE. Basically, it let the attackers upload

00:15:34.500 --> 00:15:37.019
their own malicious files, called web shells,

00:15:37.340 --> 00:15:40.820
onto Equifax's servers. And once that shell is

00:15:40.820 --> 00:15:42.919
on the server, the attackers can send commands

00:15:42.919 --> 00:15:45.220
from anywhere in the world. They get access to

00:15:45.220 --> 00:15:48.330
the network, and then... to the databases. It's

00:15:48.330 --> 00:15:50.269
like leaving the front door key under the mat

00:15:50.269 --> 00:15:52.889
with a giant neon sign pointing to it. And once

00:15:52.889 --> 00:15:54.509
they were inside, how long did they have free

00:15:54.509 --> 00:15:56.870
rein before anyone noticed? The records show

00:15:56.870 --> 00:15:59.250
they were inside Equifax's systems, completely

00:15:59.250 --> 00:16:03.370
undetected, for about 134 days. 134 days. That's

00:16:03.370 --> 00:16:04.929
nearly four and a half months. Four and a half

00:16:04.929 --> 00:16:07.429
months that foreign actors had total access to

00:16:07.429 --> 00:16:09.269
one of the biggest databases of American financial

00:16:09.269 --> 00:16:12.049
identity, just mapping the network, pulling out

00:16:12.049 --> 00:16:14.529
data before the breach was finally found and

00:16:14.529 --> 00:16:18.360
shut down on July 20th. And the scale of what

00:16:18.360 --> 00:16:20.799
they stole is just staggering. It was devastating.

00:16:21.019 --> 00:16:24.799
The final numbers were 147.9 million Americans

00:16:24.799 --> 00:16:27.399
affected. But it was a global breach. It also

00:16:27.399 --> 00:16:30.820
hit 15.2 million U.K. residents and about 19,000

00:16:30.820 --> 00:16:33.500
Canadians. And the data wasn't trivial.

00:16:33.659 --> 00:16:35.460
It was the building blocks of your identity.

00:16:35.919 --> 00:16:38.879
Full names, social security numbers, birth dates,

00:16:39.059 --> 00:16:41.399
home addresses, driver's license numbers, and

00:16:41.399 --> 00:16:43.860
for some people, their credit card details. This

00:16:43.860 --> 00:16:45.960
is the kind of data that enables identity theft

00:16:45.960 --> 00:16:48.480
that can last a lifetime. And we even know who

00:16:48.480 --> 00:16:50.039
was behind it, which tells you something about

00:16:50.039 --> 00:16:53.360
the stakes here. We do. In February 2020, the

00:16:53.360 --> 00:16:55.639
U.S. Department of Justice indicted four members

00:16:55.639 --> 00:16:58.200
of China's People's Liberation Army for the breach.

00:16:58.580 --> 00:17:00.840
China denied any state involvement, of course,

00:17:00.879 --> 00:17:02.980
but the indictment points to a highly organized,

00:17:03.200 --> 00:17:05.319
state-sponsored operation that was targeting

00:17:05.319 --> 00:17:08.440
the crown jewels of U.S. financial data. But

00:17:08.440 --> 00:17:10.619
the story of failure doesn't stop with the breach

00:17:10.619 --> 00:17:13.619
itself. The aftermath, the post-disclosure phase,

00:17:13.619 --> 00:17:16.160
revealed a security culture so bad it was almost

00:17:16.160 --> 00:17:18.880
comical. It truly was. I mean, think about the

00:17:18.880 --> 00:17:20.480
other things that came out at the same time.

00:17:20.740 --> 00:17:23.559
Brian Krebs reported on this catastrophic failure

00:17:23.559 --> 00:17:27.160
at Equifax's Argentine office. They were maintaining

00:17:27.160 --> 00:17:29.900
an online system with private data for about

00:17:29.900 --> 00:17:34.279
14,000 people. And how was it secured? Remind

00:17:34.279 --> 00:17:36.539
us. The security for the Argentine system. The

00:17:36.539 --> 00:17:39.279
username and the password were admin and admin.

00:17:39.519 --> 00:17:43.609
Just wow. A security failure so basic, so entry-level,

00:17:43.609 --> 00:17:46.509
that it points to a total company-wide

00:17:46.509 --> 00:17:49.769
failure to just establish and enforce the most

00:17:49.769 --> 00:17:52.230
basic security rules across their entire global

00:17:52.230 --> 00:17:54.650
operation. And that wasn't the only immediate

00:17:54.650 --> 00:17:56.950
mess-up. Their mobile apps were also compromised.

00:17:57.549 --> 00:17:59.970
Yep. On the very same day they announced the

00:17:59.970 --> 00:18:02.569
massive breach, they had to pull their own official

00:18:02.569 --> 00:18:05.680
mobile apps from the app stores. Why? Because

00:18:05.680 --> 00:18:08.279
the apps themselves had security flaws, including

00:18:08.279 --> 00:18:09.980
being vulnerable to man-in-the-middle attacks

00:18:09.980 --> 00:18:12.359
because they were still using insecure HTTP for

00:18:12.359 --> 00:18:15.059
some communications instead of HTTPS. It just

00:18:15.059 --> 00:18:17.200
shows neglect across the board. And then there's

00:18:17.200 --> 00:18:19.299
the awful, terrible irony involving the work

00:18:19.299 --> 00:18:21.240
number, that platform with all our salary histories.

00:18:21.460 --> 00:18:25.470
The irony is just, it's brutal. The data that

00:18:25.470 --> 00:18:28.250
was stolen in the big breach, the social security

00:18:28.250 --> 00:18:31.029
numbers and dates of birth, were the exact pieces

00:18:31.029 --> 00:18:33.809
of information you needed to access someone's

00:18:33.809 --> 00:18:36.349
salary history on the work number website. So

00:18:36.349 --> 00:18:38.670
the first breach basically gave the hackers the

00:18:38.670 --> 00:18:41.470
keys to unlock a second highly sensitive vault

00:18:41.470 --> 00:18:43.890
that Equifax was also supposed to be protecting.

00:18:44.069 --> 00:18:46.960
And as if all that wasn't enough. Equifax's own

00:18:46.960 --> 00:18:49.779
corporate website got hacked weeks after the

00:18:49.779 --> 00:18:52.920
whole world learned about the 148 million record

00:18:52.920 --> 00:18:55.539
breach. Correct. Their main public website was

00:18:55.539 --> 00:18:58.900
temporarily hijacked to distribute malware. Attackers

00:18:58.900 --> 00:19:01.200
compromised a third -party script and used it

00:19:01.200 --> 00:19:03.119
to trick visitors into downloading a fake Adobe

00:19:03.119 --> 00:19:05.740
Flash update, which was actually malware. And

00:19:05.740 --> 00:19:07.970
the fallout from that was immediate. The IRS

00:19:07.970 --> 00:19:10.990
suspended a $7.2 million contract with Equifax

00:19:10.990 --> 00:19:13.349
as a direct result of this whole cascade of failures.

00:19:13.569 --> 00:19:15.549
So this whole period, it isn't just about one

00:19:15.549 --> 00:19:18.170
mistake. It's a complete demonstration of institutional

00:19:18.170 --> 00:19:21.430
decay, from ignoring warnings to unpatched servers

00:19:21.430 --> 00:19:24.230
to admin-admin passwords, all the way to their

00:19:24.230 --> 00:19:26.549
own website spreading malware. A total breakdown.

00:19:26.789 --> 00:19:29.430
So given the scale of that disaster, nearly 150

00:19:29.430 --> 00:19:32.630
million identities compromised, four months of

00:19:32.630 --> 00:19:36.470
undetected hacking, the big question then became...

00:19:36.779 --> 00:19:40.160
Accountability, legal accountability, financial

00:19:40.160 --> 00:19:42.339
accountability. Right. And regulators around

00:19:42.339 --> 00:19:44.319
the world started focusing on that. The first

00:19:44.319 --> 00:19:46.880
and maybe most straightforward consequences were

00:19:46.880 --> 00:19:49.200
for the executives who tried to personally profit

00:19:49.200 --> 00:19:52.980
from it. The insider traders. Yes. Two executives

00:19:52.980 --> 00:19:56.000
face charges. Jun Ying, who was the former CIO,

00:19:56.220 --> 00:19:58.839
was sentenced to four months in prison plus a

00:19:58.839 --> 00:20:01.380
year of supervised release. And he had to pay

00:20:01.380 --> 00:20:03.359
over one hundred and seventy two thousand dollars

00:20:03.359 --> 00:20:06.380
in fines and restitution. He admitted he sold

00:20:06.380 --> 00:20:08.160
his stock after he found out about the breach,

00:20:08.240 --> 00:20:09.940
but before it was announced to the public. And

00:20:09.940 --> 00:20:12.299
there was another one? Yes. A manager named Sudhakar

00:20:12.299 --> 00:20:15.200
Reddy Banthu also pleaded guilty to insider trading.

00:20:15.380 --> 00:20:18.259
He got eight months of home confinement. So those

00:20:18.259 --> 00:20:20.700
sentences sent a message that trying to profit

00:20:20.700 --> 00:20:22.359
from the company's failure would be punished.

00:20:22.779 --> 00:20:24.660
But, you know, a lot of people felt the punishment

00:20:24.660 --> 00:20:27.240
didn't really fit the crime. But the really big

00:20:27.240 --> 00:20:29.880
legal hammer was the global settlement with the

00:20:29.880 --> 00:20:32.039
millions of consumers who were affected and all

00:20:32.039 --> 00:20:35.450
the regulators. In 2019, Equifax agreed to this

00:20:35.450 --> 00:20:38.690
huge global settlement. It involved the FTC,

00:20:38.970 --> 00:20:42.329
the CFPB, state attorneys general, and a massive

00:20:42.329 --> 00:20:45.289
class action lawsuit. The total amount was capped

00:20:45.289 --> 00:20:48.529
at $700 million, with a big chunk of that set

00:20:48.529 --> 00:20:50.690
aside for consumer restitution. And this is where

00:20:50.690 --> 00:20:52.650
all the consumer frustration really boiled over.

00:20:52.750 --> 00:20:56.289
The headlines were all promising $125 cash payment

00:20:56.289 --> 00:20:58.990
for every affected consumer. Right. But that

00:20:58.990 --> 00:21:01.460
promise pretty much evaporated instantly. The

00:21:01.460 --> 00:21:04.259
fine print showed that the $125 was subject to

00:21:04.259 --> 00:21:06.900
all these qualifications and hurdles. But the

00:21:06.900 --> 00:21:09.319
real reason the payout got so small was the structure

00:21:09.319 --> 00:21:11.720
of the class action lawsuit itself. Can you unpack

00:21:11.720 --> 00:21:15.299
that for us? Why did a promise of $125 turn into,

00:21:15.420 --> 00:21:18.359
what, less than $10? It's a systemic thing with

00:21:18.359 --> 00:21:20.819
these huge class action settlements. The total

00:21:20.819 --> 00:21:22.799
amount of cash for consumers was a fixed pot

00:21:22.799 --> 00:21:25.279
of money. But way more people filed claims than

00:21:25.279 --> 00:21:27.859
they expected. And on top of that, the federal

00:21:27.859 --> 00:21:29.720
judge had to approve payments for the lawyers

00:21:29.720 --> 00:21:31.740
who negotiated the settlement. And the class

00:21:31.740 --> 00:21:34.619
action attorneys were awarded about $77.5 million

00:21:34.619 --> 00:21:39.579
for their fees. $77.5 million. For the lawyers

00:21:39.579 --> 00:21:42.380
before the consumers got paid. Correct. So you

00:21:42.380 --> 00:21:44.880
take that massive fee out, plus all the administrative

00:21:44.880 --> 00:21:46.579
costs of the settlement, and then you divide

00:21:46.579 --> 00:21:48.519
what's left among the millions of people who

00:21:48.519 --> 00:21:51.200
filed a claim, which led to reports that individual

00:21:51.200 --> 00:21:53.680
consumers would end up getting maybe six or seven

00:21:53.680 --> 00:21:56.980
dollars. And that huge contrast just fueled this

00:21:56.980 --> 00:21:59.240
widespread feeling that this system was really

00:21:59.240 --> 00:22:01.900
designed to benefit the lawyers, not the victims.

00:22:02.650 --> 00:22:05.170
And outside the U.S., Equifax was also facing

00:22:05.170 --> 00:22:07.430
penalties. Yeah, the accountability was global.

00:22:07.589 --> 00:22:09.890
In the U.K., for example, their financial conduct

00:22:09.890 --> 00:22:12.789
authority fined Equifax over 11 million pounds

00:22:12.789 --> 00:22:16.390
in 2023. And that fine was specifically for failing

00:22:16.390 --> 00:22:19.849
to protect U.K. customer data in the 2017 breach.

00:22:20.230 --> 00:22:22.309
So the negligence was recognized and punished

00:22:22.309 --> 00:22:24.529
in every major market they operated. OK, let's

00:22:24.529 --> 00:22:27.130
pivot from the security failures to an issue

00:22:27.130 --> 00:22:29.450
that is just as chronic. And that was there long

00:22:29.450 --> 00:22:31.980
before the breach: the quality of their main

00:22:31.980 --> 00:22:35.099
product, data inaccuracy. If you trace the history

00:22:35.099 --> 00:22:37.799
of complaints, the problems with data accuracy

00:22:37.799 --> 00:22:41.640
are just as systemic as the security flaws. The

00:22:41.640 --> 00:22:45.200
sources show Equifax had over 57,000 consumer

00:22:45.200 --> 00:22:48.200
complaints filed against it with the CFPB just

00:22:48.200 --> 00:22:51.140
between 2012 and 2017. And most of those were

00:22:51.140 --> 00:22:53.700
about reports being inaccurate, incomplete, or,

00:22:53.819 --> 00:22:55.940
and this is the critical one, misattributed,

00:22:55.940 --> 00:22:58.160
where your file gets mixed up with someone else's.

00:22:58.220 --> 00:23:00.660
And the stories here really illustrate the failure

00:23:00.660 --> 00:23:02.680
of their dispute process, which is something

00:23:02.680 --> 00:23:05.660
they're required by law by the FCRA to have.

00:23:05.799 --> 00:23:08.180
That's the key. The law gives you the right to

00:23:08.180 --> 00:23:10.380
dispute an error, and the Bureau must investigate.

00:23:10.970 --> 00:23:13.190
But when they fail to investigate or they refuse

00:23:13.190 --> 00:23:15.769
to correct what are clearly errors, the consumer's

00:23:15.769 --> 00:23:18.509
only option is to sue. And the landmark case

00:23:18.509 --> 00:23:21.210
here is from 2013 with a woman in Oregon named

00:23:21.210 --> 00:23:23.329
Julie Miller. What happened to her? So Miller

00:23:23.329 --> 00:23:26.509
sued Equifax after they repeatedly refused to

00:23:26.509 --> 00:23:28.829
fix dozens of false collection accounts that

00:23:28.829 --> 00:23:31.390
were on her file. They'd merged her file with

00:23:31.390 --> 00:23:33.390
someone else's, even though the other person

00:23:33.390 --> 00:23:35.349
had a different social security number and a

00:23:35.349 --> 00:23:38.150
different birth date. The false information destroyed

00:23:38.150 --> 00:23:41.680
her credit. She was denied loans and a jury originally

00:23:41.680 --> 00:23:46.400
awarded her $18.6 million. $18.6 million. A

00:23:46.400 --> 00:23:49.339
judge later reduced it to $1.62 million, but

00:23:49.339 --> 00:23:52.000
it's still a powerful example of the damage that's

00:23:52.000 --> 00:23:54.160
done when the system designed to fix mistakes

00:23:54.160 --> 00:23:57.990
just actively resists doing its job. The absurdity

00:23:57.990 --> 00:23:59.910
of some of these errors is really what makes

00:23:59.910 --> 00:24:02.029
them stick with you. It highlights the real human

00:24:02.029 --> 00:24:04.869
cost of bad data management. Absolutely. There's

00:24:04.869 --> 00:24:07.650
the famous 2014 case of Kimberly Heyman, who

00:24:07.650 --> 00:24:10.049
had to sue Equifax because she was erroneously

00:24:10.049 --> 00:24:12.569
reported as being deceased. Can you just imagine

00:24:12.569 --> 00:24:15.029
trying to live your financial life, open a bank

00:24:15.029 --> 00:24:17.210
account, get a loan, when this massive data company

00:24:17.210 --> 00:24:19.670
has officially declared you dead? It's surreal.

00:24:19.869 --> 00:24:22.529
Excuse me, I'm not dead. And another case from

00:24:22.529 --> 00:24:26.099
2014 involved a man named God Gazarov. He sued

00:24:26.099 --> 00:24:28.880
and settled because he claimed Equifax kept reporting

00:24:28.880 --> 00:24:31.500
him as having no credit history at all, just

00:24:31.500 --> 00:24:33.259
because his first name was unusual and their

00:24:33.259 --> 00:24:35.380
automated systems kept flagging it as an error.

00:24:36.019 --> 00:24:38.940
These are not small mistakes. They're existential

00:24:38.940 --> 00:24:41.660
identity errors that took lawsuits to fix. And

00:24:41.660 --> 00:24:43.640
it's crucial to point out, these aren't just

00:24:43.640 --> 00:24:46.960
old stories. The data inaccuracy problem is still

00:24:46.960 --> 00:24:49.759
happening today. Oh, absolutely. In August 2022,

00:24:50.259 --> 00:24:53.269
Equifax admitted that a technical glitch, a coding

00:24:53.269 --> 00:24:55.730
error caused them to send millions of incorrectly

00:24:55.730 --> 00:24:58.230
calculated credit scores to lenders for about

00:24:58.230 --> 00:25:00.569
a month. And were these errors significant? Did

00:25:00.569 --> 00:25:02.549
they actually affect people? They were significant

00:25:02.549 --> 00:25:05.049
enough to change lending decisions. We know from

00:25:05.049 --> 00:25:06.789
the class action lawsuits that followed, one

00:25:06.789 --> 00:25:08.750
woman alleged the error dropped her score by

00:25:08.750 --> 00:25:11.529
130 points. She claimed it directly resulted

00:25:11.529 --> 00:25:14.109
in her getting a substantially pricier car loan,

00:25:14.329 --> 00:25:16.809
which would cost her thousands more over the

00:25:16.809 --> 00:25:19.420
life of the loan. So it shows that whether it's

00:25:19.420 --> 00:25:21.839
a huge cyber attack or just a simple internal

00:25:21.839 --> 00:25:25.559
glitch, the cost of Equifax's negligence is always

00:25:25.559 --> 00:25:27.819
passed directly down to the consumer. Which brings

00:25:27.819 --> 00:25:30.259
us right back to the latest legal threat, the

00:25:30.259 --> 00:25:32.480
one that challenges their entire business model,

00:25:32.599 --> 00:25:36.380
the 2024 antitrust class action lawsuit. This

00:25:36.380 --> 00:25:38.140
is a really critical development because this

00:25:38.140 --> 00:25:40.680
time the challenge is coming from mortgage lenders

00:25:40.680 --> 00:25:44.039
themselves, not from consumers. They're accusing

00:25:44.039 --> 00:25:47.589
Equifax of... illegally monopolizing the market

00:25:47.589 --> 00:25:50.390
for income and employment verification services.

00:25:50.630 --> 00:25:52.269
That's the work number platform we were just

00:25:52.269 --> 00:25:54.369
talking about. So the lenders are saying that

00:25:54.369 --> 00:25:57.349
because Equifax has this total control over the

00:25:57.349 --> 00:26:00.089
central database for salary verification, they

00:26:00.089 --> 00:26:02.690
can kill competition and charge artificially

00:26:02.690 --> 00:26:04.769
high prices for a service that lenders are now

00:26:04.769 --> 00:26:06.869
forced to use. Yeah. And if you look at the big

00:26:06.869 --> 00:26:09.519
picture, this lawsuit challenges the very foundation

00:26:09.519 --> 00:26:12.640
of Equifax's modern dominance. They use their

00:26:12.640 --> 00:26:15.500
power and credit data to acquire and then dominate

00:26:15.500 --> 00:26:17.940
employment verification. If the courts agree

00:26:17.940 --> 00:26:19.819
that the work number is an illegal monopoly,

00:26:20.240 --> 00:26:22.740
it could completely restructure how income is

00:26:22.740 --> 00:26:24.720
verified in this country. It could potentially

00:26:24.720 --> 00:26:27.559
break up Equifax's dual control over both your

00:26:27.559 --> 00:26:29.759
creditworthiness and your earning power. OK,

00:26:29.799 --> 00:26:32.059
let's try to synthesize all of this. We've charted

00:26:32.059 --> 00:26:35.420
this incredible and often pretty appalling journey

00:26:35.420 --> 00:26:38.779
of Equifax Inc. It starts as the retail credit

00:26:38.779 --> 00:26:41.559
company, this controversial rumor mill that literally

00:26:41.559 --> 00:26:43.839
paid its employees to collect dirt on private

00:26:43.839 --> 00:26:46.259
citizens. And we saw how that history of controversy

00:26:46.259 --> 00:26:48.400
led directly to being forced into federal regulation

00:26:48.400 --> 00:26:50.819
with the Fair Credit Reporting Act. And yet,

00:26:50.920 --> 00:26:54.309
despite that, Equifax transformed itself into

00:26:54.309 --> 00:26:57.170
this globally indispensable data utility. It

00:26:57.170 --> 00:26:59.490
now controls not just credit reports, but also

00:26:59.490 --> 00:27:01.970
utility payments. And through the work number,

00:27:02.089 --> 00:27:04.809
our actual salary and employment histories. And

00:27:04.809 --> 00:27:07.289
this indispensable utility is also consistently

00:27:07.289 --> 00:27:09.769
and systemically flawed. We've seen the issues

00:27:09.769 --> 00:27:12.289
range from the huge security breaches of 2017,

00:27:12.549 --> 00:27:15.009
where they ignored known vulnerabilities, lost

00:27:15.009 --> 00:27:18.130
data on 148 million people, and then made these

00:27:18.130 --> 00:27:20.549
embarrassing mistakes like the admin admin password

00:27:20.549 --> 00:27:22.789
thing. Right. All the way to internal failures

00:27:22.789 --> 00:27:26.750
leading to insider trading convictions. And maybe

00:27:26.750 --> 00:27:28.950
the most frustrating flaw for the average person

00:27:28.950 --> 00:27:32.549
is still the chronic data inaccuracy. Those

00:27:32.549 --> 00:27:35.549
57,000-plus complaints, the famous lawsuits from

00:27:35.549 --> 00:27:38.390
people reported as dead, or denied credit because

00:27:38.390 --> 00:27:40.990
of merged files, or given the wrong credit score.

00:27:41.369 --> 00:27:43.670
It all paints a picture of an organization whose

00:27:43.670 --> 00:27:46.009
legally mandated dispute system just routinely

00:27:46.009 --> 00:27:48.299
fails the people it's supposed to protect. So

00:27:48.299 --> 00:27:50.460
the vital knowledge to take away from this for

00:27:50.460 --> 00:27:52.380
you, the listener, is really understanding that

00:27:52.380 --> 00:27:55.420
the stability and the security of your core financial

00:27:55.420 --> 00:27:58.579
identity, your ability to get a job, buy a car,

00:27:58.640 --> 00:28:00.940
get a fair loan, it's all fundamentally dependent

00:28:00.940 --> 00:28:03.720
on a company that has a documented century-long

00:28:03.720 --> 00:28:06.180
history of prioritizing its own expansion over

00:28:06.180 --> 00:28:08.619
security and accuracy. Which brings us to our

00:28:08.619 --> 00:28:10.640
final provocative thought, which is rooted in

00:28:10.640 --> 00:28:14.140
that 2024 antitrust lawsuit. If a handful of

00:28:14.140 --> 00:28:16.339
companies like Equifax control both your historical

00:28:16.339 --> 00:28:18.150
credit data and your current employment

00:28:18.150 --> 00:28:20.609
and salary data through these proprietary systems

00:28:20.609 --> 00:28:23.309
like the work number, what does that concentration

00:28:23.309 --> 00:28:26.430
of power really mean for all of us? When one

00:28:26.430 --> 00:28:29.029
corporation holds the keys to both how much you

00:28:29.029 --> 00:28:31.210
owe and the definitive record of how much you

00:28:31.210 --> 00:28:34.210
earn, the stakes are existential. So the question

00:28:34.210 --> 00:28:37.069
is, what comprehensive regulatory steps are actually

00:28:37.069 --> 00:28:39.369
needed to ensure the integrity of these systems

00:28:39.369 --> 00:28:42.470
and to prevent one corporation's culture of negligence

00:28:42.470 --> 00:28:45.109
from becoming, yet again, an international crisis

00:28:45.109 --> 00:28:47.750
for millions of consumers? That's a question

00:28:47.750 --> 00:28:49.390
we're thinking about the next time you interact

00:28:49.390 --> 00:28:51.210
with the digital infrastructure of finance.
