Three Equifax executives sold a combined $1.8 million worth of shares just days after the credit reporting agency discovered a massive data breach.
But before it was made public.
Most everyone has heard about what happened by now. On 29 July, Equifax discovered that someone had gained unauthorized access to certain files by exploiting a “U.S. website application vulnerability.”
In doing so, the hacker might have compromised the Social Security Numbers, addresses, and other information of 143 million U.S. consumers, not to mention credit card numbers for 209,000 Americans.
The scale of this security incident likely makes it the largest theft of Social Security Numbers. Indeed, it nearly doubles the 80 million individuals affected by the Anthem breach, an event for which the health insurance plan provider agreed to set up a recovery fund of $115 million earlier in 2017.
But there’s something besides the sheer amount of compromised data that makes the Equifax breach stand out.
As reported by Bloomberg, regulatory findings indicate that three executives at the credit-reporting service sold a portion of their shares just days after Equifax discovered the breach. Chief Financial Officer John Gamble sold shares worth $946,374; Joseph Loughran, who is president of U.S. information solutions, sold $584,099 worth of stock; and Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock. All those sales took place on 1-2 August.
Ines Gutzmer, a spokesperson for the company, told Bloomberg that all three executives “sold a small percentage of their Equifax shares” and “had no knowledge that an intrusion had occurred at the time.”
But that explanation is unsatisfactory for several reasons.
First, the company’s 10b5-1 scheduled trading plans don’t list the transactions. That means Equifax didn’t foresee the share disposals. So why were the sales unpredicted?
Second, even if CFO John Gamble didn’t know about the breach in early August, shouldn’t he have? The credit-reporting service’s IT staff should have alerted Gamble and the other C-level executives about the breach immediately upon discovery. That such high-ranking personnel wouldn’t know about the event several days later boggles the mind…and makes you question Equifax’s security practices going forward.
Senator Mark Warner of Virginia, who is vice chairman of the Senate Intelligence Committee, seems to be of the same opinion. He went so far as to suggest to Yahoo! Finance that Congress reconsider data protection policies so that organizations like Equifax “have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans.”
Might not be a bad idea. Companies like Equifax should have better security measures (like data encryption) in place. But they shouldn’t also constitute a single-point of failure by collecting and storing so much data.
Of course, diversifying those in charge of protecting people’s credit-related information is a whole other challenge. What might be needed, therefore, are some realistic conversations on how credit should work moving forward in this age of mega-breaches.
For more discussion on this topic, be sure to listen to this episode of the “Smashing Security” podcast:
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.