Northwest Arkansas Democrat-Gazette
Hacking whacks stock at Equifax
Firm loses 13.7 percent after data breach
More information about the data breach surfaced Friday including details about three Equifax Inc. senior executives who sold shares worth almost $1.8 million in the days after the company discovered the breach.
Shares of Equifax Inc. fell almost 14 percent Friday, a day after the company announced that hackers had gained access to names, addresses, Social Security numbers and some driver’s license numbers of potentially 143 million consumers.
One of the three biggest credit-reporting companies, Equifax generated $3.1 billion in revenue last year operating behind the scenes helping banks, insurers and employers assess people’s creditworthiness for loans, jobs and credit cards.
The incident is a stark reminder of the risk of consumers’ personal data being exposed online, security experts said. It’s particularly worrisome for the millions of people who trust creditreporting agencies such as Equifax to handle and protect their financial information. That kind of data is critical and could be used in multiple ways to harm consumers.
“This is massive,” said Paul Martini, chief executive officer of Iboss, a cybersecurity firm. “This overshadows any other breach that we’ve seen to date — not just the volume, the size, but the type of data that was in that database.”
Equifax shares fell $19.49, or 13.7 percent, to close Friday at $123.23.
Criminals took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Atlanta-based Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit-card numbers for about 209,000 consumers were also accessed, the company said.
“It’s a huge deal,” said Tim Crosby, senior consultant with security-assessment firm Spohn. “You would expect these guys to have compartmentalized this data far enough away from a Web server — that there would not be any way to directly access it.”
More information about the data breach surfaced Friday including details about three Equifax Inc. senior executives who sold shares worth almost $1.8 million in the days after the company discovered the breach.
Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374, and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.
The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokesman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”
Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP who advises boards on matters including corporate compliance and enforcement challenges, said he does not know how Equifax’s board of directors can allow the executives to continue in their positions.
“Yes, they should have a careful investigation and have an independent law firm interview the executives and review their emails and determine what they knew and when, but the end result is likely clear,” Friedman said.
Judy Burns, a spokesman for the Securities and Exchange Commission, declined to comment.
The Federal Bureau of Investigation said in a statement that it was aware of the hacking incident and was “tracking the situation as appropriate.”
INQUIRIES, LAWSUIT
In a letter sent to Equifax on Friday, New York Attorney General Eric Schneiderman requested specific details about when the company learned of the breach, what caused it and whether there was evidence of identity theft, abuse of financial information or data being offered for sale illegally, his office announced.
Also Friday, Rep. Ted Lieu, D-Calif., sent a letter to the leaders of the House Judiciary Committee — Rep. Bob Goodlatte, R-Va., who leads the panel, and Rep. John Conyers Jr. of Michigan, the ranking Democrat — calling for a hearing to address the breach.
In his letter, Lieu asked that representatives of Equifax, Experian and TransUnion — the nation’s three major credit-reporting agencies — be called to testify about how the latest intrusion occurred and what steps were being taken to prevent future intrusions.
“Congress has a strong role to play in preventing such attacks on our financial and IT infrastructure, and must hold those entrusted with our most sensitive data to account,” Lieu wrote in the letter.
CARD NUMBERS
The hackers who targeted Equifax probably had a less aggressive goal than accessing consumers’ personal data: stealing their credit-card numbers.
According to a person familiar with the breach investigation, Equifax appears to have been targeted initially because the company keeps on file millions of active credit-card numbers, belonging to people who pay $19.95 or more per month to have Equifax monitor their credit reports and alert them to potential fraud.
The person, who requested anonymity to discuss the ongoing investigation, said the Web application the attackers used to breach Equifax’s corporate network granted access to both the credit-card files and back-end systems storing the exhaustive data profiles on consumers. Those profiles include Social Security numbers, driver’s license numbers and other sensitive information, Equifax said Thursday in a statement.
Active credit-card numbers can fetch higher prices than even those other types of more revealing personal data, because they are usable immediately and without much additional work.
But investigators have not yet determined whether financial fraud was the attackers’ only goal, another person familiar with the investigation said. Some of the hackers’ behavior on Equifax’s network suggested that once they were inside, they sought financial and personal information on particular individuals, which is more commonly associated with higher-level forms of identity theft and espionage. Both people said it’s possible there may have been multiple motivations and possibly phases of the attack.
The company set up a website, www.equifax security2017.com, that consumers can use to determine whether their information was compromised. It’s also offering free credit-file monitoring and identify-theft protection.