As one of three credit bureaus in the United States, Equifax keeps financial data on every adult in America, plus people in 16 other countries. But the company knows much more than just what goes into an old-fashioned credit score.

It maintains information about people who share the same phone number or address, "non-obvious" relationships between individuals, loans for dental work, magazine subscriptions, rental history, real estate assets, investment wealth, retail purchasing, the type of federal tax return someone files, marital status, employment, utility payments, cable TV accounts, criminal records, debt-to-income ratios, changes of address, motor vehicle files, post office boxes, inferences about someone's capacity to pay bills, predictions about someone's propensity to pay, links to past and potential fraud crimes--and more.

This pile of more than 800 billion records is sliced, diced, analyzed and indexed into 26 petabytes of data. That's more data than the FBI's Investigative Data Warehouse, said to be the single biggest repository at the agency, with its relatively measly 1 billion unique documents. In all, Equifax has data on 500 million consumers and 81 million businesses worldwide.

Says Equifax CIO Dave Webb: "We know more about you than you would care for us to know."

In his wry British way, Webb alludes to the power of information and his push to derive ever more lucrative products and services from Equifax's vast stores of it. Webb says Equifax can make money off IT innovation--that is, his staff's ability to manipulate massive amounts of data better and faster than competitors can.

The company has launched scores of new IT-based products in the past few years, chasing two ideas: cutting risk and improving marketing for its 46,000 business customers. Equifax can, among other things, check an immigrant's employment status, verify a doctor's credentials, assess an Internet user's social influence and monitor a child's budding credit portfolio. Big data. Big Brother. Big bucks.

But like other companies in various industries hoping to spin in-house data into revenue, Equifax has to maneuver through tricky economic, political and cultural changes. The recession forces businesses to seek out reliable data on which to base decisions (opportunity), but they have less money to spend (problem). Congress enacted tough regulations to try to control mortgage companies (opportunity), while President Obama's new Consumer Financial Protection Bureau says it's going to monitor credit bureaus (problem). People are freer with personal data than ever before (opportunity), but they don't like it when companies get too personal (problem).

Rivals Experian and TransUnion also are remaking themselves into analytics companies. "Decision analytics is the growth engine for these companies," says Elizabeth Mason, an analyst at Outsell, a company that studies the information industry. "Yet it's a shifting landscape. We don't know yet what the public's tolerance is for companies mining all of this data really well."

Privacy? What Privacy?

Business isn't just about building a better mousetrap. It's about finding out why people don't like mice and what they're willing to do about it. In the past, companies might have gathered consumers in a room to quiz them. Now they pay millions of dollars to collect, buy and analyze data about those consumers, to market the best mousetraps to the right customers.

And why not? People give up personal information in return for convenience. They hand over data about their Web activity for the chance to win a cruise. They let online game companies vacuum up personal tidbits from their Facebook accounts.

Equifax itself coaxes consumers to give up personal information online. A contest to win World Series tickets and $3,000 asked Facebook users to submit a photo and short essay on what they would do with the money.

Consumers share knowingly and unknowingly, through surveys, location-based services, searches, online resumes, photos, check boxes, check-ins, tweets and clicks. People have no time to read gobbledygook privacy policies; they simply click "I Agree."

"The majority of consumers have no clue about the breadth of the information about them, where their information is residing and who has access to it," says John Ulzheimer, president of consumer education at SmartCredit.com, which offers consumers credit scores, identity protection and credit-monitoring services.

How the norms have shifted. Until the mid-1990s, the conventional wisdom about privacy protection was, in essence, that information collected for one purpose shouldn't be used for another. The idea is rooted in a 1973 federal guideline, "Code of Fair Information Practices," which advocated consumer control and consent as core principles.

After the Web opened up, we moved away from the notion of separating and guarding individual pieces of data to protect privacy. Now the prevailing goal seems to be to collect and combine nearly as much personal information as possible in the quest for profit.

There's a growing movement against that trend, though, that CIOs should monitor. What people don't like is when companies combine personal data to reveal more than any single piece of information can, says Lee Rainie, director of the Pew Research Center's Internet and American Life Project. "They are nervous, concerned that material might hurt them," he says.

Still, he notes, people fail to lock down their data out of ignorance or neglect, or sometimes because it's simply not possible.

To protect consumers from themselves and from overreaching companies, lawmakers are getting involved. In March, the Federal Trade Commission recommended that businesses make privacy protection their "default setting." Companies are asked to issue clearer explanations about what happens to consumer data and simplify the choices people are given for how their information is used. "Implementing these best practices will enhance trust and stimulate commerce," the FTC says. Congress, meanwhile, is writing "Do Not Track" and other privacy bills.

For now, as data-based products grow more profitable, the boundaries consist of regulations, laws and the judgment of companies policing themselves.

Monetizing Innovation

Pulling in $2 billion in revenue, Equifax is the second-largest of the three credit bureaus, tucked between $1 billion TransUnion and $4 billion Experian. With no one dominant player, the three are in a constant, tense battle to come up with new products that reveal that much more about consumers. Each touts the breadth and uniqueness of its data. Where they overlap--and despite their rhetoric, they do overlap--speed and innovation are the advantages. "It's a fast-followers game," Webb says.

His mission: to use his operations and IT background, combined with financial industry expertise, to uncover new revenue for Equifax. Webb joined the company in 2010 from SVB Financial Group, a financial services company with $20 billion in assets, where he was CIO and later COO. While his bachelor's degree in Russian may not help, his MBA certainly does.

"I am amazed at how few opportunities business identifies to mine data," Webb says. "We have a responsibility to identify opportunities."

Asked how far Equifax should go, Webb pauses. "The morality question is another whole discussion. But we have the technology to do this, and if it's legal, we should."

They are. Equifax cranked out 69 new products last year in risk management, identity verification, fraud detection, analytics and marketing. Equifax executives carefully measure innovation in revenue terms. An index called New Product Innovation (NPI) measures the revenue generated from products launched in the previous three years to see if they, combined, can bring in at least 10 percent of the company's revenue in a given year. NPI revenue last year was $181 million, up from $176 million in 2010 and $134 million in 2009.

In another innovation program, the company removes 12-15 high-performers from various business units and support functions and sends them off together to brainstorm new products. They meet for three or four weeks, excused from their day jobs, to talk about how to target a need in a specific industry. Most of their ideas make it through the NPI process.

Two new products in development would help companies use analytics to avoid bad customers, says David Brooks, senior vice president of integrated data solutions at Equifax. In one, developers are building a model for banks that combines a person's credit scores with his track record for paying utility bills. The results would indicate whether it's worth the bank's time to pursue the customer for delinquent credit card payments.

The other new product, nicknamed Suspicious ID internally, is a system for watching inquiries on credit reports in real time, to catch crime in the making. The rate of inquiries, along with other factors, would be scored according to fraud risk. "When fraudsters find something that works," says Keith Manthey, the company's vice president of integrated data solutions, "they share it and use it quick."

Breaking IT Traditions

Webb has been stepping up Equifax's analytics and collaboration capabilities, buying a business intelligence tools company and a workflow software vendor last year. The company has spent $1.7 billion in the past five years acquiring data-collection and technology companies. It's a long way from the paper ledgers the company kept through the first 50 of its 113 years in existence. If the useful life of data is two to 15 years, as Equifax says in its latest annual report, Webb wants to make the most of that time. He has set loose his 1,000-member IT group to attack big data, and they've come back with technology innovations that create competitive advantage, he says.

The way Equifax's data is stored and retrieved, for example, bucks tradition. Historically, companies with enormous amounts of data build giant warehouses, often running on massively parallel processing systems. The hardware is expensive, and the architecture of a relational database inhibits queries of unstructured data, Brooks says.

Instead, Equifax views the work as content delivery, rather than query processing. Data is spread across a grid of low-cost servers. IT developed proprietary distributed indexing technology to find information.

"Since our data sizes, transaction inquiry volumes and response-time requirements are all very challenging, we have to be careful about blindly following an industry-standard approach," Brooks says. "That can drive large and complex infrastructure demands that may not be necessary if you step back and think differently about the problem."

The IT group also tosses aside another worn idea. Where master data management projects seek the fabled single version of the truth, Brooks says there's no such thing. Equifax data gurus certainly spend time de-duplicating and cleansing data they integrate from public and private sources, but they've stopped fretting about finding and storing one definitive view of a consumer. Context is more important. "The reality is, they're all right. Now we think of observations more than truth," he says.

Webb encourages creativity in IT, saying the best results come from people who feel challenged. "You know who in your organization wants to learn. Let them have the reins," he says. "Set out the problem and get out of the way."

Mining You

One common way to uncover insights is to mix and match data sets, looking for correlations. Do the credit limits on the department store charge cards of single women indicate anything about their propensity to lease cars? Such blue-sky dabbling might produce useful results for marketers. For example, Equifax's rival Experian recently discovered that adults who use social media are more likely than other Internet users to visit Starbucks. Starbucks--or its coffee competitors--may want to step up its ad buys on Facebook.

At Equifax, insights also come from an executive brain spark. Last spring, Webb's imagination was caught by a CNN story about a $500,000 credit card fraud. According to federal investigators, two brothers conspired with an employee at a Beverly Hills dentist office to create hundreds of fake people who looked real on paper. They made up names, Social Security numbers and other personal data to generate "synthetic" individuals to whom the insider could pretend to give loans for dental work. The insider then reported the loans and false payments to Experian, to establish credit histories under names such as Garnik Dumanov and Grisha Stpanov.

For more than a year, the trio got credit cards under these and other false identities from Bank of America, Wells Fargo and 19 other banks, which approved them after seeing good credit scores. DirecTV and several cell phone providers approved accounts. Car dealerships approved loans for an Audi Q7 and a Lexus IS 250.

Webb emailed Brooks: Could we catch scams like this?

Brooks, Manthey and other colleagues looked up more details about the crime and pulled internal data beyond just credit reports from across Equifax's wide assortment of records. Then they began testing new ways to analyze the information in an effort to produce the outcome they already knew to be true--that Stpanov, for example, couldn't be real.