Three Equifax execs sold $1.8 million of stock days after breach discovery

Unclear as to what motivated these sales.

David Bisson
@DMBisson

Three Equifax executives sold a combined $1.8 million worth of shares just days after the credit reporting agency discovered a massive data breach.

But before it was made public.

Most everyone has heard about what happened by now. On 29 July, Equifax discovered that someone had gained unauthorized access to certain files by exploiting a “U.S. website application vulnerability.”

In doing so, the hacker might have compromised the Social Security Numbers, addresses, and other information of 143 million U.S. consumers, not to mention credit card numbers for 209,000 Americans.

The scale of this security incident likely makes it the largest theft of Social Security Numbers. Indeed, it nearly doubles the 80 million individuals affected by the Anthem breach, an event for which the health insurance plan provider agreed to set up a recovery fund of $115 million earlier in 2017.

But there’s something besides the sheer amount of compromised data that makes the Equifax breach stand out.

As reported by Bloomberg, regulatory findings indicate that three executives at the credit-reporting service sold a portion of their shares just days after Equifax discovered the breach. Chief Financial Officer John Gamble sold shares worth $946,374; Joseph Loughran, who is president of U.S. information solutions, sold $584,099 worth of stock; and Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock. All those sales took place on 1-2 August.

Ines Gutzmer, a spokesperson for the company, told Bloomberg that all three executives “sold a small percentage of their Equifax shares” and “had no knowledge that an intrusion had occurred at the time.”

But that explanation is unsatisfactory for several reasons.

First, the company’s 10b5-1 scheduled trading plans don’t list the transactions. That means Equifax didn’t foresee the share disposals. So why were the sales unpredicted?

Second, even if CFO John Gamble didn’t know about the breach in early August, shouldn’t he have? The credit-reporting service’s IT staff should have alerted Gamble and the other C-level executives about the breach immediately upon discovery. That such high-ranking personnel wouldn’t know about the event several days later boggles the mind…and makes you question Equifax’s security practices going forward.

Senator Mark Warner of Virginia, who is vice chairman of the Senate Intelligence Committee, seems to be of the same opinion. He went so far as to suggest to Yahoo! Finance that Congress reconsider data protection policies so that organizations like Equifax “have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans.”

Might not be a bad idea. Companies like Equifax should have better security measures (like data encryption) in place. But they also shouldn’t constitute a single point of failure by collecting and storing so much data.

Of course, diversifying those in charge of protecting people’s credit-related information is a whole other challenge. What might be needed, therefore, are some realistic conversations on how credit should work moving forward in this age of mega-breaches.

For more discussion on this topic, be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #042: 'Equifax, BlueBorne, and the iPhone X'


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

8 comments on “Three Equifax execs sold $1.8 million of stock days after breach discovery”

  1. Davo

    Lying Bastards ! Didn't know it happened, my ASS !

  2. Ron

    Lock 'em up! Lock 'em up! Lock 'em up!

  3. dale

    I hope they have to at least burn up their ill-gotten gains on lawyers. Jail would be better but these people always get off.

    1. Tom Smith · in reply to dale

      Not so easy. Equifax, like many corporations, likely enters into indemnity agreements with its officers and directors. Thus the company pays to defend and may reimburse any losses. The US SEC is getting tougher on that, insisting on claw-back provisions in public entities' options and bonus programs. Have no idea what Equifax's programs or indemnities are like, but just pointing out that it is not so easy to make the individual actor pay. The SEC needs to enforce against the company and insist on a claw-back without indemnity to make it happen.

  4. kim

    Not only is it unethical, I believe it will be found to be criminal when all the dust settles.

  5. Mike

    I believe that democratically, it appears that these 3 people need locking up.

    Their first sentence should relate to their underhand activities. The second concurrent sentence should relate to the breach that affects virtually all US citizens and who knows how many UK citizens (all of them maybe?).

    1. Tom Smith · in reply to Mike

      Interesting opinion, but can you cite to the crimes that were committed?

  6. Publio Vestone

    Now, now…let's not jump to conclusions. We don't know for a fact that these corporate big-wigs actually knew about the data breach before they sold their shares.

    I mean, maybe they're just incredibly stupid. And maybe Equifax is just an incredibly stupid company with such incredibly stupid policies that a massive data breach could take place and top-level company officials would NOT know about it.

    Actually, they're probably incredibly stupid any way you cut it. They're stupid if they didn't know about the data breach, and they're even stupider if they DID know about it and went ahead and sold their shares anyway. That's insider trading, and it has been against the law in the U.S. ever since Joseph Kennedy made it illegal…right after he made his fortune via insider trading so no one else could get rich the same way.

    So, you see, "the government" (which is made up of people like Kennedy) will take care of everything. Just be sure to scream and holler and demand that "There oughta be a law!"…and you'll get plenty more of the same laws that failed to prevent this data breach in the first place.

    I suspect that, while Congress is debating this to death and missing the point entirely while they engage in their endless political infighting, the market will sort this out…by which I mean, Equifax will have huge costs in restitution and litigation, and a massive exodus of paying customers. If they're able to remain in business, it will be nothing short of a non-theological miracle.
