WEBVTT

00:00:00.000 --> 00:00:03.000
Welcome back to the Deep Dive. Today we are pulling

00:00:03.000 --> 00:00:05.400
back the curtain on one of the most powerful

00:00:05.400 --> 00:00:09.419
yet least understood forces dictating your life

00:00:09.419 --> 00:00:11.599
in the modern financial world. That's right.

00:00:11.759 --> 00:00:14.119
We are peering deep inside the mechanics of the

00:00:14.119 --> 00:00:16.620
system that decides if you get that loan, if

00:00:16.620 --> 00:00:18.739
you qualify for that apartment, or even what

00:00:18.739 --> 00:00:20.940
price you pay for car insurance. We're talking

00:00:20.940 --> 00:00:24.480
about credit scores, massive data profiles, and

00:00:24.480 --> 00:00:27.920
the, well, the surprisingly vast yet fragile

00:00:27.920 --> 00:00:30.719
nature of the information we all entrust to the

00:00:30.719 --> 00:00:33.320
system. We have been handed a substantial stack

00:00:33.320 --> 00:00:36.380
of sources detailing the entire life cycle of

00:00:36.380 --> 00:00:39.100
a corporate giant, one of the big three, a company

00:00:39.100 --> 00:00:42.020
whose reach stretches across continents and whose

00:00:42.020 --> 00:00:44.460
name is, you know, synonymous with financial

00:00:44.460 --> 00:00:47.179
gatekeeping. Experian of Flanker. Experian. You

00:00:47.179 --> 00:00:48.600
definitely know the name. You've probably used

00:00:48.600 --> 00:00:50.340
their website. But what I think... many of us

00:00:50.340 --> 00:00:52.700
miss is that this company operates on a, well,

00:00:52.840 --> 00:00:55.880
a fundamentally dual mandate. It really does.

00:00:56.000 --> 00:00:58.060
On one hand, they're like a required utility,

00:00:58.380 --> 00:01:01.460
a library of stable financial data. But on the

00:01:01.460 --> 00:01:04.060
other hand, they function as an aggressive global

00:01:04.060 --> 00:01:07.019
data factory, constantly expanding its reach

00:01:07.019 --> 00:01:10.180
and monetization strategies, all while grappling

00:01:10.180 --> 00:01:13.659
with an... an astonishing string of major high

00:01:13.659 --> 00:01:15.959
profile security vulnerabilities. And that dual

00:01:15.959 --> 00:01:18.400
mandate is the core tension we really need to

00:01:18.400 --> 00:01:21.040
explore. Our mission today is to unpack this

00:01:21.040 --> 00:01:23.739
complex structure. We need to understand experience

00:01:23.739 --> 00:01:27.180
foundational role as a credit gatekeeper, a role

00:01:27.180 --> 00:01:30.340
often enforced by law, and then contrast that

00:01:30.340 --> 00:01:32.879
with their incredibly lucrative, often opaque

00:01:32.879 --> 00:01:36.040
secondary role as a massively scaled data broker.

00:01:36.459 --> 00:01:38.340
And maybe most critically, we have to analyze

00:01:38.340 --> 00:01:41.280
the devastating global implications of their

00:01:41.280 --> 00:01:43.079
security record. I mean, it stretches across

00:01:43.079 --> 00:01:45.480
multiple continents and affects hundreds of millions

00:01:45.480 --> 00:01:47.519
of people worldwide. It's a huge undertaking.

00:01:47.659 --> 00:01:50.319
So just the basics to start. Experian Giplek

00:01:50.319 --> 00:01:52.780
is an Irish multinational data broker and consumer

00:01:52.780 --> 00:01:54.939
credit reporting company. And this is not some

00:01:54.939 --> 00:01:56.939
small Silicon Valley startup. This is a massive

00:01:56.939 --> 00:01:59.480
corporation, a constituent of the FTSE 100 index

00:01:59.480 --> 00:02:01.920
listed on the London Stock Exchange. Absolutely.

00:02:02.099 --> 00:02:04.099
In the U .S., they stand shoulder to shoulder

00:02:04.099 --> 00:02:07.400
with TransUnion and Equifax, a triumvirate that

00:02:07.400 --> 00:02:10.000
holds the keys to creditworthiness for nearly

00:02:10.000 --> 00:02:12.479
every adult in the country. Deciding your access

00:02:12.479 --> 00:02:15.240
to capital, homes, and sometimes even employment

00:02:15.240 --> 00:02:17.340
opportunities. And when you look at the financials,

00:02:17.340 --> 00:02:20.379
that tension becomes almost unavoidable. We're

00:02:20.379 --> 00:02:22.639
discussing a company that is absolutely foundational

00:02:22.639 --> 00:02:25.740
to global commerce, yet their track record implies

00:02:25.740 --> 00:02:28.479
a... Well, a deep operational vulnerability.

00:02:28.939 --> 00:02:30.340
What are we talking about in terms of revenue?

00:02:30.580 --> 00:02:34.539
They reported revenues of U .S. $7 .097 billion

00:02:34.539 --> 00:02:38.379
in fiscal year 2024. Wow. So think about that.

00:02:38.479 --> 00:02:41.919
A $7 billion plus company that manages the most

00:02:41.919 --> 00:02:44.740
critical, sensitive financial identifiers imaginable.

00:02:44.800 --> 00:02:47.000
Yet they consistently face repeated dramatic

00:02:47.000 --> 00:02:50.240
security failures and regulatory fines. It just

00:02:50.240 --> 00:02:52.580
suggests a fundamental systemic misalignment

00:02:52.580 --> 00:02:55.659
between their mandate to protect data and their

00:02:55.659 --> 00:02:57.900
apparent ability to do so on a global scale.

00:02:58.020 --> 00:02:59.960
And that is the puzzle we are tasked with solving

00:02:59.960 --> 00:03:02.120
for you today. Let's get into it. OK, let's unpack

00:03:02.120 --> 00:03:03.860
this history, because the experience we know

00:03:03.860 --> 00:03:07.219
today isn't some organic entity that grew from

00:03:07.219 --> 00:03:11.460
scratch. It's a. A fascinating timeline of rapid

00:03:11.460 --> 00:03:14.500
corporate acquisitions, sale and evolution. It

00:03:14.500 --> 00:03:17.020
really shows how a U .S.-based financial reporting

00:03:17.020 --> 00:03:20.280
service metastasized into this global data giant.

00:03:20.500 --> 00:03:22.740
So where does it start? It's a classic example

00:03:22.740 --> 00:03:25.560
of corporate consolidation. The company's lineage

00:03:25.560 --> 00:03:28.599
first traces back over five decades to 1968,

00:03:28.879 --> 00:03:31.080
when a business called Credit Data Corporation

00:03:31.080 --> 00:03:34.659
was acquired by TRW Inc. TRW, I know that name.

00:03:35.020 --> 00:03:36.840
They were a huge defense and tech contractor,

00:03:36.960 --> 00:03:38.800
right? Exactly. So Credit Data Corporation was

00:03:38.800 --> 00:03:43.060
renamed TRW Information Services. For decades,

00:03:43.159 --> 00:03:45.120
it was just a specialized financial reporting

00:03:45.120 --> 00:03:47.719
arm tucked inside this much larger established

00:03:47.719 --> 00:03:50.680
conglomerate. Yeah. It was stable if, you know.

00:03:50.990 --> 00:03:53.409
somewhat anonymous. But that stability gave way

00:03:53.409 --> 00:03:56.210
to some really rapid churn in the mid -90s. I

00:03:56.210 --> 00:03:58.009
mean, the defining moment for Experian's global

00:03:58.009 --> 00:04:00.669
identity happened in 1996, didn't it? It did.

00:04:00.750 --> 00:04:03.009
It was a rapid two -step sale that just demonstrates

00:04:03.009 --> 00:04:05.610
how quickly these large -scale data assets were

00:04:05.610 --> 00:04:08.030
recognized as indispensable. Okay, so step one.

00:04:08.189 --> 00:04:11.849
The first step was in November 1996, when TRW

00:04:11.849 --> 00:04:13.949
sold the unit, which was then operating under

00:04:13.949 --> 00:04:16.889
the Experian name, to two major private equity

00:04:16.889 --> 00:04:20.009
firms, Bain Capital and Thomas H. Lee Partners.

00:04:20.480 --> 00:04:22.319
Right. And private equity is known for buying

00:04:22.319 --> 00:04:24.720
things to streamline and, well, sell them quickly

00:04:24.720 --> 00:04:27.660
for a profit. And they absolutely did. The really

00:04:27.660 --> 00:04:30.079
interesting part is just the sheer speed of the

00:04:30.079 --> 00:04:32.160
second sale. It was just one month later. Right.

00:04:32.199 --> 00:04:35.560
Just one month. In December 1996, those two firms

00:04:35.560 --> 00:04:38.980
sold Experian again. This time, the buyer was

00:04:38.980 --> 00:04:42.800
the Great Universal Stores Limited, or GUS. Okay,

00:04:42.839 --> 00:04:45.920
GUS. For our listeners, what was GUS? You can

00:04:45.920 --> 00:04:49.319
think of it as a massive UK retail conglomerate.

00:04:49.579 --> 00:04:52.420
Sort of like a Sears or a Tesco that relied very

00:04:52.420 --> 00:04:55.100
heavily on customers using credit for their purchases.

00:04:55.319 --> 00:04:57.560
That makes perfect sense. So they bought a credit

00:04:57.560 --> 00:04:59.860
reporting agency to support their core retail

00:04:59.860 --> 00:05:02.519
business. That rapid turnaround shows the immediate

00:05:02.519 --> 00:05:05.240
valuation jump. But the real strategic move happened

00:05:05.240 --> 00:05:07.660
next. GUS wasn't just acquiring the American

00:05:07.660 --> 00:05:10.319
arm. They were merging the U .S. operation with

00:05:10.319 --> 00:05:12.540
their own internal behemoth. Oh, interesting.

00:05:12.680 --> 00:05:14.180
So they already had their own credit business

00:05:14.180 --> 00:05:18.000
in the U .K. They did. GUS already owned CCN,

00:05:18.160 --> 00:05:20.100
which was the largest credit service company

00:05:20.100 --> 00:05:23.360
in the UK at the time. GUS merged CCN directly

00:05:23.360 --> 00:05:26.240
into the newly acquired Experian entity. So that

00:05:26.240 --> 00:05:28.480
single moment is the birth of the multinational

00:05:28.480 --> 00:05:30.639
structure we're analyzing today. Absolutely.

00:05:31.129 --> 00:05:33.910
By fusing the large scale, comprehensive U .S.

00:05:33.910 --> 00:05:35.889
credit reporting infrastructure with the leading

00:05:35.889 --> 00:05:39.089
U .K. market services, they instantly dominated

00:05:39.089 --> 00:05:41.730
both sides of the Atlantic. It gave them an unprecedented

00:05:41.730 --> 00:05:44.350
transatlantic mandate over consumer financial

00:05:44.350 --> 00:05:47.290
health. It really secured their status as a global

00:05:47.290 --> 00:05:50.089
player from that moment onward. It did. And this

00:05:50.089 --> 00:05:51.689
corporate structure eventually sought its own

00:05:51.689 --> 00:05:54.889
independence. A decade later, in October 2006,

00:05:55.310 --> 00:05:58.129
Experian emerged from GUS and officially listed

00:05:58.129 --> 00:06:00.329
on the London Stock Exchange. Firmly establishing

00:06:00.329 --> 00:06:03.490
its independent public identity as a massive

00:06:03.490 --> 00:06:06.430
FTSE 100 constituent. Exactly. So if we look

00:06:06.430 --> 00:06:08.709
at the entity today, that legacy of rapid global

00:06:08.709 --> 00:06:11.310
expansion really dictates its footprint. You

00:06:11.310 --> 00:06:12.949
mentioned the revenue, but let's talk about their

00:06:12.949 --> 00:06:15.550
sheer physical scale. Oh, Experian is formerly

00:06:15.550 --> 00:06:17.709
headquartered in Dublin, Ireland. Which is a

00:06:17.709 --> 00:06:20.120
pretty strategic move, I'd imagine. Puts them

00:06:20.120 --> 00:06:22.399
in an advantageous position within the EU regulatory

00:06:22.399 --> 00:06:25.160
and tax environment. No doubt. But their physical

00:06:25.160 --> 00:06:27.839
operations are truly global, reflecting that

00:06:27.839 --> 00:06:31.079
initial GUSECN merger. They maintain massive

00:06:31.079 --> 00:06:33.220
operational centers in Costa Mesa, California,

00:06:33.600 --> 00:06:36.639
Nottingham in the UK, Sao Paulo, Brazil. And

00:06:36.639 --> 00:06:37.980
we'll definitely be talking more about Brazil

00:06:37.980 --> 00:06:40.560
shortly. We will. And also Hamburg, Germany,

00:06:40.899 --> 00:06:44.079
Singapore, and Hyderabad, India. It's a huge

00:06:44.079 --> 00:06:45.980
footprint. And in managing this scale requires

00:06:45.980 --> 00:06:48.620
an army, I'm sure. The sources indicate they

00:06:48.620 --> 00:06:52.420
have, what, 21 ,700 employees as of 2025? That's

00:06:52.420 --> 00:06:54.259
the number. And when you look at the financials

00:06:54.259 --> 00:06:56.720
again, that operating income of U .S. $1 .928

00:06:56.720 --> 00:07:00.360
billion for FY 2024, sitting on total assets

00:07:00.360 --> 00:07:04.639
of U .S. $11 .712 billion. Well, that's the financial

00:07:04.639 --> 00:07:06.720
bedrock supporting this whole global operation.

00:07:07.019 --> 00:07:09.139
It's an undeniable infrastructure. And I think

00:07:09.139 --> 00:07:10.639
to really understand their function, you have

00:07:10.639 --> 00:07:12.680
to look past the consumer -facing score, don't

00:07:12.680 --> 00:07:15.680
you? Oh, absolutely. While credit reporting is

00:07:15.680 --> 00:07:18.819
their primary required function, the source material

00:07:18.819 --> 00:07:22.379
really highlights their secondary and arguably

00:07:22.379 --> 00:07:26.639
more profitable role selling decision analytic

00:07:26.639 --> 00:07:29.079
and marketing assistance to businesses. OK, so

00:07:29.079 --> 00:07:31.500
this is where they shift from being a credit

00:07:31.500 --> 00:07:34.300
score calculator to a full blown data broker.

00:07:34.600 --> 00:07:37.160
What does that decision analytic and marketing

00:07:37.160 --> 00:07:39.620
assistance actually look like in practice for,

00:07:39.779 --> 00:07:43.339
say, an average business? It means they're selling

00:07:43.339 --> 00:07:46.420
deeply synthesized consumer profiles. It's what

00:07:46.420 --> 00:07:48.720
the sources term individual fingerprinting and

00:07:48.720 --> 00:07:50.959
targeting. Individual fingerprinting. That sounds

00:07:50.959 --> 00:07:53.920
intense. It is. This goes far beyond just determining

00:07:53.920 --> 00:07:56.100
if you're a high or low credit risk. This is

00:07:56.100 --> 00:07:58.019
about synthesizing your demographic information,

00:07:58.339 --> 00:08:01.339
your geographical location, your likely socioeconomic

00:08:01.339 --> 00:08:04.040
status, and your spending patterns into a predictive

00:08:04.040 --> 00:08:06.420
model. And they sell this capability to companies.

00:08:06.779 --> 00:08:09.920
Yes. So those companies can decide who to target.

00:08:10.240 --> 00:08:13.000
with a specific advertisement, a specific price

00:08:13.000 --> 00:08:16.060
point, or a specific product line. They are fundamentally

00:08:16.060 --> 00:08:18.439
shaping how businesses interact with you, the

00:08:18.439 --> 00:08:21.720
consumer, turning data aggregation into a sophisticated

00:08:21.720 --> 00:08:24.279
weapon for market segmentation. And to drive

00:08:24.279 --> 00:08:26.899
home just how deeply embedded they are in U .S.

00:08:26.899 --> 00:08:29.019
infrastructure, we need to spend a moment on

00:08:29.019 --> 00:08:31.120
the USPS partnership, which I think is often

00:08:31.120 --> 00:08:33.519
overlooked. It is, and it perfectly illustrates

00:08:33.519 --> 00:08:37.519
their function as an essential utility. The USPS...

00:08:37.879 --> 00:08:40.820
United States Postal Service, needs clean, verified

00:08:40.820 --> 00:08:43.399
data to ensure mail gets delivered efficiently,

00:08:43.620 --> 00:08:45.820
right? Especially to new addresses or when data

00:08:45.820 --> 00:08:48.679
is transferred between state systems. So Experian

00:08:48.679 --> 00:08:50.840
provides the validation engine for this. That's

00:08:50.840 --> 00:08:53.320
it. Their data confirms that a specific address

00:08:53.320 --> 00:08:56.200
corresponds to a known, verified consumer profile.

00:08:56.500 --> 00:08:58.840
So when a government or a large commercial entity

00:08:58.840 --> 00:09:01.169
needs to ensure they have the absolute... Most

00:09:01.169 --> 00:09:03.649
current address for millions of people, they

00:09:03.649 --> 00:09:06.230
often rely on experience data and systems to,

00:09:06.269 --> 00:09:09.769
well, to check the boxes. Precisely. This means

00:09:09.769 --> 00:09:13.509
experience data is literally woven into the critical

00:09:13.509 --> 00:09:15.570
national infrastructure of the United States

00:09:15.570 --> 00:09:18.370
mail system. It's an integration that proves

00:09:18.370 --> 00:09:21.590
their essential nature. I mean, they are not.

00:09:22.159 --> 00:09:24.179
easily replaced. But that level of integration

00:09:24.179 --> 00:09:27.100
also means the stakes for security and regulatory

00:09:27.100 --> 00:09:30.220
compliance are catastrophically high. Because

00:09:30.220 --> 00:09:32.740
failure impacts not just personal credit, but

00:09:32.740 --> 00:09:34.740
vital government and commerce functions. OK,

00:09:34.820 --> 00:09:37.840
so given that they are this globally integrated,

00:09:38.200 --> 00:09:41.840
powerful and critical utility, how do they navigate

00:09:41.840 --> 00:09:44.539
the legal requirements placed upon them, especially

00:09:44.539 --> 00:09:47.379
those intended to protect the consumer? Well,

00:09:47.440 --> 00:09:49.549
that brings us to a major tension point. The

00:09:49.549 --> 00:09:51.990
controversy surrounding free credit reports.

00:09:52.250 --> 00:09:54.710
Right. This is a classic case of, well, corporate

00:09:54.710 --> 00:09:56.649
maneuvering around the spirit of the law, isn't

00:09:56.649 --> 00:09:59.029
it? It really is. In the U .S., the right to

00:09:59.029 --> 00:10:01.370
a free annual credit report is enshrined in the

00:10:01.370 --> 00:10:03.590
Fair and Accurate Credit Transactions Act of

00:10:03.590 --> 00:10:06.990
2003, the FASI Act. The legislative intent was

00:10:06.990 --> 00:10:09.370
crystal clear. Consumers should have mandatory

00:10:09.370 --> 00:10:12.110
free transparency into the data that determines

00:10:12.110 --> 00:10:14.659
their financial future. But instead of simply

00:10:14.659 --> 00:10:17.779
directing consumers to the legally mandated annual

00:10:17.779 --> 00:10:20.919
disclosure site, Experian went in a very different

00:10:20.919 --> 00:10:23.080
direction. They did. They heavily marketed their

00:10:23.080 --> 00:10:26.100
for profit service, FreeCreditReport .com. And

00:10:26.100 --> 00:10:28.279
this is the core criticism highlighted in the

00:10:28.279 --> 00:10:31.120
sources. Experian, along with the other two bureaus,

00:10:31.179 --> 00:10:34.100
was consistently criticized and sued for selling

00:10:34.100 --> 00:10:37.379
reports to consumers who by law could get that

00:10:37.379 --> 00:10:40.100
exact report for free. They were capitalizing

00:10:40.100 --> 00:10:42.659
on consumer confusion and leveraging their brand

00:10:42.659 --> 00:10:45.000
recognition to drive paid enrollments. It was

00:10:45.000 --> 00:10:46.799
a huge business. And this is where the Federal

00:10:46.799 --> 00:10:49.460
Trade Commission, the FTC, stepped in back in

00:10:49.460 --> 00:10:52.659
2005. The settlement Experian accepted wasn't

00:10:52.659 --> 00:10:55.710
just about general misleading ads. It was highly

00:10:55.710 --> 00:11:00.009
specific and pretty damning. It was. The FTC

00:11:00.009 --> 00:11:02.450
charged that Experian had violated a prior settlement

00:11:02.450 --> 00:11:05.230
by failing to adequately disclose a crucial detail.

00:11:05.389 --> 00:11:07.610
Which was? That customers responding to the free

00:11:07.610 --> 00:11:09.490
credit report advertisement would be automatically

00:11:09.490 --> 00:11:12.490
enrolled in Experian's expensive recurring credit

00:11:12.490 --> 00:11:15.350
monitoring program. For how much? It was $79

00:11:15.350 --> 00:11:19.659
.95. Wow. That is a textbook definition of a

00:11:19.659 --> 00:11:22.759
bait and switch. They use the word free to lure

00:11:22.759 --> 00:11:24.940
people in, knowing that the public generally

00:11:24.940 --> 00:11:28.220
trusts the need for credit monitoring. And then

00:11:28.220 --> 00:11:30.860
they secretly auto enrolled them in a recurring

00:11:30.860 --> 00:11:33.759
charge. That's exactly it. They were undercutting

00:11:33.759 --> 00:11:37.159
the fax tax guarantee of free transparency with

00:11:37.159 --> 00:11:39.720
a high cost subscription service. It demonstrates

00:11:39.720 --> 00:11:43.820
a willingness to, you know. aggressively monetize

00:11:43.820 --> 00:11:46.639
every single touchpoint, even those designed

00:11:46.639 --> 00:11:49.740
by Congress to be consumer protections. And these

00:11:49.740 --> 00:11:52.480
regulatory penalties aren't just limited to historical

00:11:52.480 --> 00:11:55.259
U .S. marketing practices. We see major financial

00:11:55.259 --> 00:11:57.980
enforcement actions that hit at the core quality

00:11:57.980 --> 00:12:00.279
of their service, both domestically and internationally.

00:12:00.990 --> 00:12:03.389
Let's look at the 2017 action from the U .S.

00:12:03.389 --> 00:12:05.389
Consumer Financial Protection Bureau. For our

00:12:05.389 --> 00:12:07.649
listeners who might not be familiar, what exactly

00:12:07.649 --> 00:12:09.830
is the CFPB and why did they get involved here?

00:12:09.950 --> 00:12:12.470
The CFPB, the Consumer Financial Protection Bureau,

00:12:12.610 --> 00:12:15.490
is the watchdog established after the 2008 financial

00:12:15.490 --> 00:12:18.289
crisis. It's designed specifically to regulate

00:12:18.289 --> 00:12:20.830
financial products and services offered to consumers,

00:12:20.990 --> 00:12:23.950
including credit reporting. And they fined Experian.

00:12:24.110 --> 00:12:27.850
In 2017, the CFPB fined Experian $3 million.

00:12:28.629 --> 00:12:31.450
The significance here is that the fine wasn't

00:12:31.450 --> 00:12:34.490
related to a marketing deception or breach. It

00:12:34.490 --> 00:12:37.509
was for providing invalid credit scores to consumers.

00:12:37.809 --> 00:12:39.950
Invalid scores. So the core product was just

00:12:39.950 --> 00:12:42.830
wrong. That suggests a fundamental operational

00:12:42.830 --> 00:12:45.950
failure in the very thing they're selling. What

00:12:45.950 --> 00:12:48.649
makes a score invalid? The sources suggest there

00:12:48.649 --> 00:12:51.350
were systematic issues in how the data was aggregated

00:12:51.350 --> 00:12:54.090
and processed. This resulted in scores that just

00:12:54.090 --> 00:12:56.669
did not accurately reflect the underlying financial

00:12:56.669 --> 00:12:58.970
data. So if the gatekeeper is providing faulty

00:12:58.970 --> 00:13:01.629
information, it creates chaos. Complete chaos.

00:13:02.090 --> 00:13:03.990
Consumers are denied loans they should qualify

00:13:03.990 --> 00:13:06.129
for, or they are forced into higher interest

00:13:06.129 --> 00:13:09.470
rates. The CAPB fine implies a systemic failure

00:13:09.470 --> 00:13:12.580
to maintain data integrity, which really... destabilizes

00:13:12.580 --> 00:13:14.840
the entire lending ecosystem that depends on

00:13:14.840 --> 00:13:16.559
these scores being accurate. And internationally,

00:13:16.759 --> 00:13:19.279
their practices are being policed even more stringently,

00:13:19.419 --> 00:13:22.519
especially in Europe, where data privacy is paramount.

00:13:22.580 --> 00:13:24.840
Absolutely. The recent event detailed in the

00:13:24.840 --> 00:13:26.940
sources regarding the Netherlands is a profound

00:13:26.940 --> 00:13:29.460
demonstration of their vulnerability to EU regulation.

00:13:29.960 --> 00:13:32.220
What happened there? It's a big one. In October

00:13:32.220 --> 00:13:35.879
2025, Experian shut down its entire Dutch operations,

00:13:36.059 --> 00:13:38.279
just packed up and left. The whole operation?

00:13:38.460 --> 00:13:42.159
Why? This withdrawal followed a massive $2 .7

00:13:42.159 --> 00:13:45.000
million fine levied by the Dutch Data Protection

00:13:45.000 --> 00:13:48.899
Authority. The reason cited was illegally processing

00:13:48.899 --> 00:13:52.200
credit reference data on Dutch consumers. When

00:13:52.200 --> 00:13:55.340
a major European regulator issues a fine that

00:13:55.340 --> 00:13:58.080
forces a complete market withdrawal that speaks

00:13:58.080 --> 00:14:00.860
volumes about the severity of the offense, what

00:14:00.860 --> 00:14:02.799
kind of illegal processing were they engaged

00:14:02.799 --> 00:14:05.200
in? Well, the details suggest that they were

00:14:05.200 --> 00:14:07.779
processing and potentially sharing consumer data

00:14:07.779 --> 00:14:11.179
without sufficient legal basis or consent. It

00:14:11.179 --> 00:14:13.899
likely violated core GDPR general data protection

00:14:13.899 --> 00:14:16.690
regulation principles. They were treating consumer

00:14:16.690 --> 00:14:19.289
data in a way the Dutch regulator found fundamentally

00:14:19.289 --> 00:14:22.009
unacceptable. And it shows that experience large

00:14:22.009 --> 00:14:24.429
scale doesn't grant them immunity. In fact, their

00:14:24.429 --> 00:14:26.409
size makes them a larger target for regulators

00:14:26.409 --> 00:14:28.429
seeking to enforce these strict data protection

00:14:28.429 --> 00:14:31.049
laws. This cycle of fines and market withdrawal

00:14:31.049 --> 00:14:33.269
is linked directly back to that secondary role

00:14:33.269 --> 00:14:36.649
we identified, the data brokering. It is. And

00:14:36.649 --> 00:14:39.809
this is where the aha. Moment for many listeners

00:14:39.809 --> 00:14:42.669
will land. We need to talk about Mosaic. Mosaic.

00:14:42.830 --> 00:14:44.970
What is it? Mosaic is experience proprietary

00:14:44.970 --> 00:14:47.669
market segmentation tool. And it beautifully

00:14:47.669 --> 00:14:49.889
illustrates the extent to which your consumer

00:14:49.889 --> 00:14:53.029
profile is monetized and repurposed far beyond

00:14:53.029 --> 00:14:55.710
basic credit decisions. So it's not about loans

00:14:55.710 --> 00:14:58.629
anymore. Not at all. It takes demographic, geographic

00:14:58.629 --> 00:15:02.110
and behavioral data and synthesizes it into hyper

00:15:02.110 --> 00:15:05.509
granular consumer identities for sale to businesses,

00:15:05.710 --> 00:15:08.720
marketers and critically political parties. The

00:15:08.720 --> 00:15:10.759
granularity here is just stunning, isn't it?

00:15:10.759 --> 00:15:12.620
It's not just the demographic bucket. It's an

00:15:12.620 --> 00:15:15.159
individual fingerprint. Exactly. In the British

00:15:15.159 --> 00:15:17.639
version, the sources detail that Mosaic breaks

00:15:17.639 --> 00:15:20.559
down consumers into 15 main groups, which are

00:15:20.559 --> 00:15:23.100
then further subdivided into 89 hyper -specific

00:15:23.100 --> 00:15:26.899
categories. 89. And these are precise, descriptive

00:15:26.899 --> 00:15:30.320
labels designed to capture every facet of a person's

00:15:30.320 --> 00:15:32.220
existence. That's the idea. We aren't talking

00:15:32.220 --> 00:15:34.519
about broad labels like suburban homeowners or

00:15:34.519 --> 00:15:37.100
city dwellers. So give us a few examples of these

00:15:37.100 --> 00:15:39.610
highly specific... labels from the source material?

00:15:39.870 --> 00:15:41.590
What do they call people? Well, we're talking

00:15:41.590 --> 00:15:43.889
about classifications like corporate chieftains,

00:15:43.909 --> 00:15:47.450
the assumption being high net worth, busy executives

00:15:47.450 --> 00:15:50.309
who might respond to specific luxury branding

00:15:50.309 --> 00:15:54.590
or golden empty nesters, a demographic characterized

00:15:54.590 --> 00:15:57.029
by having adult children who have left home,

00:15:57.149 --> 00:15:59.990
high disposable income, and specific lifestyle

00:15:59.990 --> 00:16:03.029
interests. These labels are designed to predict

00:16:03.029 --> 00:16:06.450
your spending habits, your hobbies, even your

00:16:06.450 --> 00:16:08.840
media consumption. And the power of this tool

00:16:08.840 --> 00:16:11.539
is that this level of segmentation can be taken

00:16:11.539 --> 00:16:14.440
down to the level of individual postcodes, right?

00:16:14.559 --> 00:16:17.679
To the postcode. Imagine, the moment you move

00:16:17.679 --> 00:16:20.059
into a specific neighborhood, you're instantly

00:16:20.059 --> 00:16:23.799
categorized as a rising metro star or a thrifty

00:16:23.799 --> 00:16:25.879
pensioner. It allows for surgical precision in

00:16:25.879 --> 00:16:28.179
marketing. If you're a retailer, you know exactly

00:16:28.179 --> 00:16:30.159
which catalog to send to which house. And if

00:16:30.159 --> 00:16:32.019
you're a political operative, you know precisely

00:16:32.019 --> 00:16:34.259
what language will resonate with the likely voters

00:16:34.259 --> 00:16:37.009
in that small geographic area. And the source

00:16:37.009 --> 00:16:39.590
material confirms this political usage, which

00:16:39.590 --> 00:16:42.470
is arguably the most sensitive application of

00:16:42.470 --> 00:16:45.389
this tool. Mosaic was first adopted by the Labour

00:16:45.389 --> 00:16:48.750
Party and then subsequently taken up by the Conservatives

00:16:48.750 --> 00:16:51.710
in the 2015 UK general election campaign. This

00:16:51.710 --> 00:16:54.769
is so significant. It highlights that Experian

00:16:54.769 --> 00:16:57.590
isn't just selling to banks deciding on a mortgage

00:16:57.590 --> 00:17:00.389
rate. They're selling deep, actionable insight

00:17:00.389 --> 00:17:03.279
into the electorate itself. They are providing

00:17:03.279 --> 00:17:05.619
the underlying infrastructure that enables modern

00:17:05.619 --> 00:17:08.019
political micro -targeting. Which means the data

00:17:08.019 --> 00:17:10.500
used to calculate your credit limit is also being

00:17:10.500 --> 00:17:12.859
leveraged to fine -tune the political messaging

00:17:12.859 --> 00:17:15.259
you encounter, perhaps exploiting a perceived

00:17:15.259 --> 00:17:18.000
vulnerability or interest associated with your

00:17:18.000 --> 00:17:20.000
assigned behavioral label. And we can see this

00:17:20.000 --> 00:17:22.059
aggressive expansion continuing through their

00:17:22.059 --> 00:17:24.799
acquisition strategy. They are proactively buying

00:17:24.799 --> 00:17:27.740
up new forms of data. Absolutely. The 2017 acquisition

00:17:27.740 --> 00:17:30.900
of Clarity Services is a perfect example. Clarity

00:17:30.900 --> 00:17:33.880
Services is a credit bureau specializing in alternative

00:17:33.880 --> 00:17:35.539
consumer data. What does that mean, alternative

00:17:35.539 --> 00:17:38.599
data? It means data sources outside of traditional

00:17:38.599 --> 00:17:41.680
loans. So think payday loans, rent payments,

00:17:41.880 --> 00:17:44.960
utility bills. By integrating this alternative

00:17:44.960 --> 00:17:47.819
data, Experian broadens the scope of the consumer

00:17:47.819 --> 00:17:50.200
profile they can sell. It ensures they capture

00:17:50.200 --> 00:17:52.339
information on consumers who might not have traditional

00:17:52.339 --> 00:17:54.519
credit histories. And on the international stage,

00:17:54.799 --> 00:17:57.079
we see them moving heavily into risk mitigation,

00:17:57.440 --> 00:18:00.579
which is, I guess, a bit ironic given their own

00:18:00.579 --> 00:18:02.319
history of breaches. A very key observation.

00:18:02.500 --> 00:18:06.180
In 2024, they agreed to acquire the Brazilian

00:18:06.180 --> 00:18:08.720
digital fraud prevention provider ClearSale.

00:18:09.150 --> 00:18:12.950
for $350 million. So they are strategically embedding

00:18:12.950 --> 00:18:16.089
themselves into high growth, high risk data areas

00:18:16.089 --> 00:18:18.829
internationally, constantly increasing the volume

00:18:18.829 --> 00:18:20.869
and sensitivity of the data they handle. While

00:18:20.869 --> 00:18:23.630
simultaneously trying to sell solutions to manage

00:18:23.630 --> 00:18:26.069
the fraud risk that their own expanded data universe

00:18:26.069 --> 00:18:29.309
creates. Which brings us inevitably to the catastrophic

00:18:29.309 --> 00:18:32.369
downside of holding so much sensitive, high value

00:18:32.369 --> 00:18:35.509
data. The continuous large scale and globally

00:18:35.509 --> 00:18:37.769
publicized security breaches that have plagued

00:18:37.769 --> 00:18:40.559
the company. This next section, I think, must

00:18:40.559 --> 00:18:43.500
be approached with the gravity it deserves. The

00:18:43.500 --> 00:18:45.660
security record of Experian is not merely vulnerable.

00:18:46.079 --> 00:18:48.680
It reads like a document detailing repeated,

00:18:48.859 --> 00:18:51.759
escalating global catastrophes. So where do we

00:18:51.759 --> 00:18:54.460
start? We have to begin with the 2013 identity

00:18:54.460 --> 00:18:56.779
theft scandal involving the Vietnamese national

00:18:56.779 --> 00:19:00.980
human Ningo. This case really shone an unwelcome

00:19:00.980 --> 00:19:03.480
spotlight on the data aggregator side of experience

00:19:03.480 --> 00:19:06.440
business. Ingo was a prolific identity thief

00:19:06.440 --> 00:19:08.660
charged by the U .S. Department of Justice with

00:19:08.660 --> 00:19:11.660
attempting to sell personally identifiable information,

00:19:12.000 --> 00:19:15.299
or PII, on hundreds of thousands of U .S. residents.

00:19:15.599 --> 00:19:18.759
And this PII, the DOJ initially alleged, was

00:19:18.759 --> 00:19:21.220
acquired from an experienced subsidiary and data

00:19:21.220 --> 00:19:23.579
aggregator called Court Ventures. So the initial

00:19:23.579 --> 00:19:26.660
narrative was straightforward. An Experian subsidiary

00:19:26.660 --> 00:19:29.279
having aggregated sensitive data sold access

00:19:29.279 --> 00:19:31.559
to that data stream to a known identity thief

00:19:31.559 --> 00:19:33.900
who then resold it for profit on the digital

00:19:33.900 --> 00:19:35.920
black market. Right. It was a failure of due

00:19:35.920 --> 00:19:38.099
diligence and oversight at a bare minimum. But

00:19:38.099 --> 00:19:40.480
the sources contain a fascinating and complicated

00:19:40.480 --> 00:19:43.299
twist regarding the chain of custody. They do.

00:19:43.819 --> 00:19:47.019
Ingo later testified under oath that the information

00:19:47.019 --> 00:19:49.220
he sold to identity thieves was actually acquired

00:19:49.220 --> 00:19:52.619
from another hacker based in Russia and not from

00:19:52.619 --> 00:19:55.400
Experian or Court Ventures directly. That discrepancy

00:19:55.400 --> 00:19:58.000
doesn't exactly absolve Experian, does it? Not

00:19:58.000 --> 00:20:00.480
at all. But it complicates the supply chain of

00:20:00.480 --> 00:20:03.039
stolen data. Whether the ultimate source was

00:20:03.039 --> 00:20:05.579
a direct sale by the subsidiary or a Russian

00:20:05.579 --> 00:20:07.980
hacker exploiting a vulnerability, the system

00:20:07.980 --> 00:20:10.519
India was running these identity fraud -enabling

00:20:10.519 --> 00:20:14.759
websites, supergit .info and findgit .me, was

00:20:14.759 --> 00:20:17.220
clearly successful in leveraging massive amounts

00:20:17.220 --> 00:20:20.150
of sensitive U .S. data. And the specific types

00:20:20.150 --> 00:20:22.349
of TII being sold on these sites is what should

00:20:22.349 --> 00:20:24.789
truly shock the listener. This wasn't just old

00:20:24.789 --> 00:20:26.910
email lists being passed around. No, not at all.

00:20:26.950 --> 00:20:29.009
The data offered for anonymous sale included

00:20:29.009 --> 00:20:31.190
the full package required for complete financial

00:20:31.190 --> 00:20:33.910
impersonation. Name, address, social security

00:20:33.910 --> 00:20:36.609
number. The SSN, of course. Date of birth, place

00:20:36.609 --> 00:20:38.869
of work, driver's license number, mother's maiden

00:20:38.869 --> 00:20:42.170
name, a classic security question. Answer, bank

00:20:42.170 --> 00:20:44.509
account numbers, bank routing numbers, email

00:20:44.509 --> 00:20:46.609
accounts, and other account passwords. Wait,

00:20:46.690 --> 00:20:49.430
wait, wait. Other account passwords. That implies

00:20:49.430 --> 00:20:51.609
that the aggregated data stream was not only

00:20:51.609 --> 00:20:54.289
containing financial identifiers, but was potentially

00:20:54.289 --> 00:20:57.029
storing or linking login credentials for other

00:20:57.029 --> 00:20:59.329
systems. It sure does. That moves way beyond

00:20:59.329 --> 00:21:01.569
credit reporting and into a direct threat to

00:21:01.569 --> 00:21:03.930
a person's entire digital life. It absolutely

00:21:03.930 --> 00:21:06.450
does. It demonstrates that the information Experian

00:21:06.450 --> 00:21:09.470
manages, whether directly or through its subsidiaries,

00:21:09.549 --> 00:21:12.190
is the fundamental, immutable data required to

00:21:12.190 --> 00:21:15.559
completely hijack a person's identity. When data

00:21:15.559 --> 00:21:18.140
this sensitive is breached, the fallout for the

00:21:18.140 --> 00:21:20.920
consumer is permanent and requires years of vigilance

00:21:20.920 --> 00:21:23.960
to mitigate. Now let's move to the massive global

00:21:23.960 --> 00:21:26.319
breaches that have made headlines. Starting in

00:21:26.319 --> 00:21:29.059
2015, we saw the North American breach affecting

00:21:29.059 --> 00:21:32.000
customers of T -Mobile. This breach exposed a

00:21:32.000 --> 00:21:34.819
deep, sustained vulnerability. The window of

00:21:34.819 --> 00:21:37.500
exposure was noted as September 2013 to September

00:21:37.500 --> 00:21:40.400
2015. A two -year period. A two -year period

00:21:40.400 --> 00:21:42.960
where the breach was active before it was discovered

00:21:42.960 --> 00:21:46.099
and contained, up to 15 million people were affected.

00:21:46.359 --> 00:21:49.259
And these included customers of T -Mobile who

00:21:49.259 --> 00:21:51.700
had applied for Experian credit checks, meaning

00:21:51.700 --> 00:21:54.299
the data was fresh and directly linked to recent

00:21:54.299 --> 00:21:57.039
financial activity. The CEO of Experian North

00:21:57.039 --> 00:22:00.119
America, Craig Boundy, was personally obligated

00:22:00.119 --> 00:22:01.799
to send out letters confirming the compromise.

00:22:02.759 --> 00:22:05.700
That kind of public, direct admission signals

00:22:05.700 --> 00:22:08.279
the severity. It does. And then the geographic

00:22:08.279 --> 00:22:11.740
scope expanded rapidly. In 2020, Experian suffered

00:22:11.740 --> 00:22:14.299
a substantial data breach in South Africa. The

00:22:14.299 --> 00:22:17.599
numbers are staggering again. Data on 24 million

00:22:17.599 --> 00:22:20.460
South Africans was leaked, alongside detailed

00:22:20.460 --> 00:22:23.779
information on nearly 800 ,000 businesses. And

00:22:23.779 --> 00:22:26.319
out of those businesses, over 24 ,000 had their

00:22:26.319 --> 00:22:29.480
financial details exposed. But the real controversy

00:22:29.480 --> 00:22:31.660
here stems less from the size of the breach and

00:22:31.660 --> 00:22:34.400
more from the corporate response. How so? Precisely.

00:22:34.400 --> 00:22:36.539
The sources highlight that Experian initially

00:22:36.539 --> 00:22:38.579
issued statements claiming the incident had been

00:22:38.579 --> 00:22:40.720
contained and the exposure was limited. Which

00:22:40.720 --> 00:22:43.250
turned out to be false. It was later shown to

00:22:43.250 --> 00:22:46.390
be untrue. The data eventually found its way

00:22:46.390 --> 00:22:48.210
onto the Internet and into the hands of malicious

00:22:48.210 --> 00:22:51.269
actors. This pattern of delayed or inaccurate

00:22:51.269 --> 00:22:54.369
reporting just severely erodes consumer trust

00:22:54.369 --> 00:22:57.190
and raises serious questions about their commitment

00:22:57.190 --> 00:23:00.309
to transparency during a crisis. So if the 2020

00:23:00.309 --> 00:23:03.250
breach in South Africa was significant, the 2021

00:23:03.250 --> 00:23:06.710
breach in Brazil related to their subsidiary

00:23:06.710 --> 00:23:09.809
Sarasa Experian is described in the source material

00:23:09.809 --> 00:23:12.750
with some truly concerning language. I think

00:23:12.750 --> 00:23:16.599
it was probably the most... That phrasing is

00:23:16.599 --> 00:23:18.740
used for a reason. Just look at the scope. The

00:23:18.740 --> 00:23:21.599
breach resulted in data on 220 million citizens

00:23:21.599 --> 00:23:24.980
being sold on the web. 220 million. To put that

00:23:24.980 --> 00:23:27.059
in perspective, Brazil's population is around

00:23:27.059 --> 00:23:29.839
214 million. So this data set covered nearly

00:23:29.839 --> 00:23:32.440
every single citizen, including some who were

00:23:32.440 --> 00:23:35.059
already deceased. It was a total countrywide

00:23:35.059 --> 00:23:38.019
compromise. What specific PII was leaked in this

00:23:38.019 --> 00:23:40.619
catastrophic event that elevated it above a typical

00:23:40.619 --> 00:23:43.990
breach? The leak included the usuals. names,

00:23:44.049 --> 00:23:46.509
social security numbers, addresses, but it also

00:23:46.509 --> 00:23:48.750
included income tax declaration forms and other

00:23:48.750 --> 00:23:51.210
deeply private financial information. Income

00:23:51.210 --> 00:23:54.190
tax forms. The inclusion of income tax declaration

00:23:54.190 --> 00:23:57.569
forms is the key differentiator here. This isn't

00:23:57.569 --> 00:24:00.750
just basic identity data. This is the full financial

00:24:00.750 --> 00:24:04.210
fingerprint proof of income, assets, dependence,

00:24:04.650 --> 00:24:07.779
detailed financial standing. For identity thieves,

00:24:08.079 --> 00:24:10.940
this is the ultimate prize. It lets them create

00:24:10.940 --> 00:24:13.460
completely authentic, high -value fraudulent

00:24:13.460 --> 00:24:16.240
profiles. It's everything. And what was Experian's

00:24:16.240 --> 00:24:18.539
official defense regarding the source of this

00:24:18.539 --> 00:24:21.140
virtually complete data set on the entire Brazilian

00:24:21.140 --> 00:24:23.779
population? I'm almost afraid to ask. The defense

00:24:23.779 --> 00:24:26.660
was highly specific, almost semantic. Experian

00:24:26.660 --> 00:24:28.279
claimed there was no evidence that its systems

00:24:28.279 --> 00:24:30.119
had been compromised. They essentially argued

00:24:30.119 --> 00:24:32.059
the data must have been aggregated or obtained

00:24:32.059 --> 00:24:34.200
elsewhere. But the sources note that a Brazilian

00:24:34.200 --> 00:24:37.170
Consumer Rights Foundation countered this claim.

00:24:37.349 --> 00:24:40.170
They did. Their argument was, how could such

00:24:40.170 --> 00:24:42.710
a comprehensive nationwide data set, including

00:24:42.710 --> 00:24:45.769
tax forms, have been compiled and leaked unless

00:24:45.769 --> 00:24:49.309
Experian or its subsidiary Sarasa was the only

00:24:49.309 --> 00:24:52.190
probable source? So even if an outsider performed

00:24:52.190 --> 00:24:54.890
the extraction, the data was uniquely consolidated

00:24:54.890 --> 00:24:57.750
within Experian's domain. That's the implication.

00:24:58.519 --> 00:25:00.740
The criticism suggested that the company was

00:25:00.740 --> 00:25:03.700
engaging in semantic evasion rather than acknowledging

00:25:03.700 --> 00:25:05.799
a fundamental security failure in the way they

00:25:05.799 --> 00:25:08.819
managed or protected this repository. This ongoing

00:25:08.819 --> 00:25:12.319
cycle of massive global compromise raises an

00:25:12.319 --> 00:25:15.549
essential question. Are these dramatic, large

00:25:15.549 --> 00:25:18.349
-scale breaches the only way consumer data is

00:25:18.349 --> 00:25:21.490
exposed? Or is the day -to -day security posture

00:25:21.490 --> 00:25:24.309
equally vulnerable? Unfortunately, the latter

00:25:24.309 --> 00:25:27.049
is true. The sources detail a much more subtle,

00:25:27.150 --> 00:25:30.289
almost shockingly simple security flaw that emerged

00:25:30.289 --> 00:25:33.890
in late 2022 and was only fixed in early 2023.

00:25:34.369 --> 00:25:36.029
So this illustrates continuous vulnerability,

00:25:36.349 --> 00:25:39.109
even in their most basic consumer -facing operations.

00:25:39.490 --> 00:25:41.109
Clearly does. Let's break down this technical

00:25:41.109 --> 00:25:42.970
vulnerability because it sounds like something

00:25:42.970 --> 00:25:44.950
that should should never have existed in a system

00:25:44.950 --> 00:25:47.650
managing this level of sensitive data. It was

00:25:47.650 --> 00:25:49.750
a basic flaw in Experian's website that allowed

00:25:49.750 --> 00:25:51.930
access to an individual's full credit report

00:25:51.930 --> 00:25:54.990
without requiring full authentication. Imagine

00:25:54.990 --> 00:25:57.490
a highly secured vault where the front door requires

00:25:57.490 --> 00:26:00.170
three keys and a biometric scan. But the window

00:26:00.170 --> 00:26:02.529
on the second floor has a broken latch. Exactly.

00:26:03.049 --> 00:26:06.150
The vulnerability was rooted in a common, yet

00:26:06.150 --> 00:26:09.210
often overlooked, parameter manipulation technique

00:26:09.210 --> 00:26:12.920
on the web address, the URL. So how did an attacker

00:26:12.920 --> 00:26:15.880
exploit this? When a user requested their credit

00:26:15.880 --> 00:26:18.900
report, the URL contained certain parameters,

00:26:19.160 --> 00:26:21.579
usually something generic like a crew, the OW

00:26:21.579 --> 00:26:23.640
standing for out of wallet or security questions.

00:26:23.940 --> 00:26:26.460
An attacker found that simply by changing the

00:26:26.460 --> 00:26:29.640
last part of the URL being requested, just switching

00:26:29.640 --> 00:26:32.539
it from that secure OW URL path to the unsecured

00:26:32.539 --> 00:26:35.349
Acroport path, The system was tricked. So just

00:26:35.349 --> 00:26:38.349
by modifying the web address to bypass the step

00:26:38.349 --> 00:26:40.269
that required them to answer security questions

00:26:40.269 --> 00:26:42.650
like their mother's maiden name or past addresses,

00:26:42.869 --> 00:26:44.970
they could immediately pull the full sensitive

00:26:44.970 --> 00:26:47.730
report. That is the implication. The system incorrectly

00:26:47.730 --> 00:26:49.730
validated the request and just delivered the

00:26:49.730 --> 00:26:51.750
report without completing the necessary mandatory

00:26:51.750 --> 00:26:54.430
authentication steps. Unbelievable. The flaw

00:26:54.430 --> 00:26:57.549
was fixed in early 2023. But the truly unnerving

00:26:57.549 --> 00:26:59.470
detail is that the scope of the damage remains

00:26:59.470 --> 00:27:02.269
unknown. There is no reliable number for how

00:27:02.269 --> 00:27:03.849
many credit reports were stolen through this

00:27:03.849 --> 00:27:06.130
simple technical weakness during its active period.

00:27:06.480 --> 00:27:09.319
The fact that such a basic, almost amateur technical

00:27:09.319 --> 00:27:12.480
flaw could exist, allowing unauthorized access

00:27:12.480 --> 00:27:15.799
to credit reports for an unknown period, it sits

00:27:15.799 --> 00:27:18.900
right next to the globally publicized catastrophes

00:27:18.900 --> 00:27:21.180
in South Africa and the compromise of nearly

00:27:21.180 --> 00:27:24.079
every Brazilian citizen. It paints a picture

00:27:24.079 --> 00:27:26.779
of a consistent, multilayered security failure

00:27:26.779 --> 00:27:29.539
across different platforms and different levels

00:27:29.539 --> 00:27:32.460
of technical sophistication. So we circle back

00:27:32.460 --> 00:27:35.269
to the core question. What does this detailed

00:27:35.269 --> 00:27:38.549
journey mean for you, the listener, who is required

00:27:38.549 --> 00:27:40.930
to participate in this financial system? We've

00:27:40.930 --> 00:27:42.849
mapped the history of a company that is absolutely

00:27:42.849 --> 00:27:45.150
a foundational pillar of global finance. And

00:27:45.150 --> 00:27:47.369
one that's required by U .S. law to offer free

00:27:47.369 --> 00:27:50.430
transparency. Right. Yet simultaneously, they

00:27:50.430 --> 00:27:52.490
are monetizing your identity and your life patterns

00:27:52.490 --> 00:27:55.609
to an extreme degree. using hypergranular tools

00:27:55.609 --> 00:27:58.349
like Mosaic to categorize you as a corporate

00:27:58.349 --> 00:28:00.769
chieftain or a golden empty nester. They profit

00:28:00.769 --> 00:28:03.269
immensely by knowing precisely who you are and

00:28:03.269 --> 00:28:06.049
what you might buy or vote for. And the unavoidable

00:28:06.049 --> 00:28:08.490
third dimension of this analysis is their security

00:28:08.490 --> 00:28:12.009
record. They have repeatedly failed, sometimes

00:28:12.009 --> 00:28:14.950
spectacularly, and sometimes through shockingly

00:28:14.950 --> 00:28:18.109
simple technical oversights, to secure that critical

00:28:18.109 --> 00:28:20.970
data against massive, high -profile breaches.

00:28:21.390 --> 00:28:23.470
From the two year T -Mobile vulnerability in

00:28:23.470 --> 00:28:25.769
the US to the staggering compromise of nearly

00:28:25.769 --> 00:28:28.849
the entire population in Brazil, their defenses

00:28:28.849 --> 00:28:31.490
have just proven insufficient time and time again.

00:28:31.750 --> 00:28:33.849
And the sources prove the stakes are not trivial.

00:28:34.380 --> 00:28:36.799
We are talking about the compromise of the most

00:28:36.799 --> 00:28:38.920
sensitive details defining your economic life

00:28:38.920 --> 00:28:42.599
and identity. Income tax declaration forms, SSNs,

00:28:42.619 --> 00:28:44.940
mother's maiden names, and even other account

00:28:44.940 --> 00:28:47.779
passwords. This duality, this constant existential

00:28:47.779 --> 00:28:50.319
conflict between generating massive profit through

00:28:50.319 --> 00:28:52.319
data aggregation and the fundamental repeated

00:28:52.319 --> 00:28:54.980
failure in data stewardship, that's the central

00:28:54.980 --> 00:28:57.700
critical takeaway. Experian is both financially

00:28:57.700 --> 00:29:00.079
essential and profoundly risky. Which leaves

00:29:00.079 --> 00:29:02.490
us with a final question. The one we want you

00:29:02.490 --> 00:29:05.150
to mull over or explore on your own. It builds

00:29:05.150 --> 00:29:07.349
directly on the source material we've unpacked.

00:29:07.349 --> 00:29:09.869
Given that these massive credit reporting agencies

00:29:09.869 --> 00:29:13.009
perform a critical, almost governmental function

00:29:13.009 --> 00:29:16.509
in regulating global finance. But also pose an

00:29:16.509 --> 00:29:19.250
unprecedented, repeated, and documented risk

00:29:19.250 --> 00:29:22.109
to the identity and financial security of nearly

00:29:22.109 --> 00:29:24.849
every adult citizen on the planet. How should

00:29:24.849 --> 00:29:26.970
regulators balance the essential function these

00:29:26.970 --> 00:29:30.650
companies perform against the unprecedented documented

00:29:30.650 --> 00:29:34.109
risk they pose to public financial safety. It

00:29:34.109 --> 00:29:36.569
is a fundamental conflict between necessary structure

00:29:36.569 --> 00:29:39.170
and catastrophic liability. The very systems

00:29:39.170 --> 00:29:41.910
we rely on may be the very systems putting us

00:29:41.910 --> 00:29:43.910
at the greatest risk. Food for thought, indeed.

00:29:44.250 --> 00:29:46.230
Thank you for joining us on this deep dive into

00:29:46.230 --> 00:29:49.049
the complex, powerful, and precarious world of

00:29:49.049 --> 00:29:51.049
Experian. We'll see you next time. Goodbye for

00:29:51.049 --> 00:29:51.190
now.