There are some things you can do in a podcast you can’t do with the written word. Here’s one:
For this episode of Breach, we tracked down audio of the CEO of Equifax speaking at a business school in 2017. His words are tough to take knowing what we know now about the Equifax hack:
“It’s unlike any business model I’ve ever seen,” said former CEO Richard Smith. “If you’re interested in business models and I know this is a business group here, is: you think about our business, our cost of goods sold, is our data right? Our data’s free. There’s some instances where it’s not free, but by and large it’s free. We take those PHDs I talked about. We take the technology platforms, AI and others, we create value. We sell back to those who gave us the data for a gross margin of about 90 percent. That’s a pretty unique model. [laughs]”
He’s bragging: Your personal data is Equifax’s raw material. They get it (take it?) for free, and then sell it, earning 90% profit margins — gross indeed.
Now, know this: Smith said these words on Aug. 17, 2017 – AFTER Equifax had discovered it had been hacked, but BEFORE the public was told. (NOTE: This sentence initially read Aug. 7, 2017, in error. Updated 3/13/2019)
I really encourage you to listen to episode 2 of this season’s Breach, where we investigate the Equifax hack. Because however you feel reading that speech, you’ll feel more of it when you hear those words come directly out of former CEO Richard Smith’s mouth.
In this episode, we deal with the very straightforward question many Americans had right after the Equifax breach: “Who the heck is Equifax, and why does it have my data?”
You’ll also hear from New York Times columnist Ron Lieber (again) discussing what’s really wrong with Equifax’s business model.
“One of the biggest problems here is that Equifax’s customer is not me and it’s not the two of you,” he says. “Their customer is American Express. Their customer is Bank of America. Their customer is Verizon, right? The people who are paying Equifax money are the people who want the credit data. So they had no particular interest in satisfying our concerns after the breach. They weren’t going to lose a bunch of money from us. In fact, they were going to make money because some of us were paying money for credit freezes.”
And you’ll also hear from Prof. Dan Solove of George Washington University, who I call the father of U.S. privacy law scholarship. He explains how foolish we have been to make Social Security numbers the key to our financial system.
DANIEL SOLOVE: The social security number is the worst password ever created.
DANIEL SOLOVE: It’s bad because first of all, it doesn’t even qualify under the requirements of a decent password. It’s just a set of numbers. Most passwords have to have a mixture of numbers and letters and special characters. Um, also, what makes it particularly bad is it’s not a secret. In fact, everybody knows it. You can buy someone’s security number, um, from companies. It’s not illegal to sell them.
BOB: This little string of numbers was never intended to be a secret password.
DANIEL SOLOVE: Social Security Number was never designed to be used as an authenticator. It was basically designed as a differentiator. It was designed to separate out all the people with the same name.
And there’s much more. Episode 2 of Breach Season 2 — “Introducing Equifax” — examines Equifax’s business model, how it collects data, its customers, and its product—your personal information. It also takes a closer look at Equifax’s history of consumer rights violations and lawsuits, explains why the company has little incentive to ensure that your data is secure, and how they indirectly profited from the breach.
You’ll also learn about other major players in the credit reporting space such as, how credit reports are compiled, how credit scores are calculated, and the reason there is a need for multiple credit reporting agencies. The answer may surprise you. Hint: It’s not confidence inspiring.