Equifax Breach Exposes Personal Info of Half the U.S. Population
Three executives sold shares worth a total of $1.8 million two days after Equifax discovered the breach.
On Thursday, major national credit-reporting company Equifax revealed that a cyberattack from July exposed personal information of about 143 million U.S. consumers. The company wrote in a statement:
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
There are many angles to this story. First off, the breach. It occurred in July and the steps Equifax has taken to prevent another one. Second, the company discovered the breach on July 29 and some board members sold stocks on August 1. Third, users have filed a proposed class-action lawsuit against the company.
The Breach
Equifax is one of the largest credit agencies that has information on 821 million consumers and 91 million businesses. From The New York Times:
Equifax, based in Atlanta, is a particularly tempting target for hackers. If identity thieves wanted to hit one place to grab all the data needed to do the most damage, they would go straight to one of the three major credit reporting agencies.
“This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”
—-
“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.
Starting in mid-May, cyber terrorists targeted a weak spot in Equifax’s website software. This allowed them to access birth names, birthdays, addresses, credit card numbers, and Social Security numbers. The breach also took “documents with personal information used in disputes for 182,000 people.”
With this information, the criminals “can impersonate people with lenders, creditors and service providers.”
Equifax developed a website to see if your information is compromised, but yet they ask for your last name and the last six digits of your SSN, which has some shaking their heads. From The Washington Post:
“This is very unusual — most security systems are hard-wired only to reveal the last four digits of an SSN for identification purposes,” said Satya Gupta, co-founder & chief technology officer at Virsec Systems, a cybersecurity firm. “This strongly implies that the typical four digits may have been compromised, and they need additional, previously ‘secret’ information to positively identify customers. This reinforces the conundrum of these breaches — with more information exposed, how do you now prove a person’s identity?”
The company has also suggested consumers receive a free copy of their credit report from them, Experian, or TransUnion. Consumer credit expert John Ulzheimer told The New York Times that “Equifax is offering consumers the ability to freeze their Equifax credit reports.” He continued:
“It’s like locking one of three doors in your house and leaving the other two unlocked,” Mr. Ulzheimer said. “You’re hoping the thief stumbles on the locked door.” He recommended that all those affected immediately place a fraud alert on all three of their credit files, which anyone can do for free.
Equifax’s offer of one year of free protection falls short of what consumers really need, because their information can be bought and sold by hackers for years to come, Mr. Ulzheimer added.
Insider Trading?
News also came out that three executives sold shares that totaled $1.8 million only a few days after Equifax learned of the breach.
Equifax claims that these executives did not know of the breach at the time, though. From Bloomberg:
The credit-reporting service said earlier in a statement that it discovered the intrusion on July 29. Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.
The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”
Equifax’s shares fell by 13% after news broke of the breach. Bloomberg continued:
“I don’t know how the board will allow these executives to continue in their positions,” said Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP, who advises boards on matters including corporate compliance and enforcement challenges. “Yes, they should have a careful investigation and have an independent law firm interview the executives and review their emails and determine what they knew and when, but the end result is likely clear.”
Lawsuit
To no one’s shock, there has already been one lawsuit filed against Equifax. Plaintiffs Mary McHill and Brook Reinhard, both from Oregon, allege that “Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack.” From Bloomberg:
“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers,” the complaint stated. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
The case was filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions. Ben Meiselas, an attorney for Geragos, said the class will seek as much as $70 billion in damages nationally.
Something tells me this won’t be the only lawsuit.
DONATE
Donations tax deductible
to the full extent allowed by law.
Comments
I am not a computer or systems pro, but I am still confounded that no one in the US, not even with the money of the US Govt, can build a safe computer system.
Safe systems could be built, but then they wouldn’t have the back doors that allow NSA and CIA to break in.
See the Vault 7 WikiLeaks for details.
The bigger picture is Equifax (and others) hold extensive data on people who have never agreed to do business with them.
Being a Dave Ramsey follower, I wonder how much they have on someone who never uses credit. Dave’s take is your credit score goes to zero not long after you close everything out- as in there are no records.
I think he’s wrong because 5-6 years back when I switched banks- and had not had an open credit account for years, I “almost” set up a credit card but even though my score was great (contrary to Dave’s assertion) they were asking for more records than I was comfortable providing (hmmm I’m feeling smart about that one now) and they should not have needed to open a low dollar credit card given the average amount of cash that was sitting in my savings account on a monthly basis, but they ran a check on me in the process and stuff I bought from 10 years ago was still showing up.
The whole experience was the nail in the coffin for ever dealing with credit. It felt icky.
He’s wrong.
Do you have an account with your power company for electric and gas?
They report to the credit bureau.
Do you have a cable television account?
They report to the credit bureau.
Do you have a cellular phone?
They report to the credit bureau.
I used to be a credit analyst, and people without *revolving* credit (cards) would have *worse* scores because they don’t have the type of account that Dave is talking about, but they still GET a credit score, because they were involved with other entities that report to the bureaus.
You got it all figured out correctly.
The three major bureaus collect a wide range of data and they produce a variety of scores and products using that data.
You’re correct that they collect data from companies like cellular companies, cable companies, etc. But those data sources do not factor into a “traditional credit score” aka a “FICO score”. If you stop using credit, your credit score will drop, because they will have no data history to analyze.
But they’ll still be getting other types of data on you. You’d have to go majorly off the grid to escape them.
The bureaus do offer other scores and other data services based on those “non traditional” types of data.
In terms of data collected on you from places that you do business in the “physical world”, the three major credit bureaus probably have more data that anybody else.
Good info. Dave said it would go to zero and I was annoyed because I wanted it to be nada.
I refused to give the cable company my SS # and paid a deposit to drive the point home that they weren’t getting it unless they intended to send me a W2 or 1099. I don’t recall giving it to the power company I and know for sure I didn’t give it to my celluar provider (burner phone).
I’m sure my decades old stuff would be in there somewhere, but I’d hope at some point it starts falling off the grid.
“News also came out that three executives sold shares that totaled $1.8 million only a few days after Equifax learned of the breach.
Equifax claims that these executives did not know of the breach at the time, though.”
Now why do I have difficulty believing that last statement?
Regulators likely will not believe that statement, either.
Pull ryan and mconnell out of the Congressional lounge and force them to hold hearings on this.
I loathe Equifax, fuck this company and not just for the current reason.
Equifax is one of the most greedy companies I have seen in a while. Up yours I hope your company goes in the shitter.
Now what would be ironic is a second class action by subscribers to its TrustedID and other protection services because Equifax failed to report a breach and damage to subscribers due to a hack of Equifax’s system.
I may try that.
There’s another twist here, don’t see it mentioned above:
When you click thru the info screens (I did this earlier and am likely impacted), you are unwittingly forfeiting your rights to participate in any litigation which may arise from this.
I did not initially see this discliamer, but needless to say, I will be participating in at least a class action (probably more) against EFX. Those types of forfeit clauses have been tried before in the brokerage industry (you “forfeit your right to sue or otherwise bring action against Firm X” and implicitly agree to arbitration) and have been slammed.
This nonsense with Equifax is one reason I actually support a sliver of what the CFPB is doing, its class action regulation proscribing consumer service providers from taking away rights of customers.
Unfortunately, an appreciable number of class actions are crap and are the toil of fast buck artists, but without them, corporate behavior would be even worse. GM had an ignition scandal despite know what would happen in the civil system if they got caught, and Takata had an airbag deployment device scandal with the same knowledge, and they both did it anyway. Imagine what they will do with no risk of a class action.
CFPB is an unconstitutional construct, but your point is very prescient.
Let’s face it. Every hacker around the world already has every Americans data. The questions is, what are we going to do about it?
hang ’em by their toes PUBLICLY – pour encourager les autres -.
Unless the executives who sold shares had a 10b5-1 plan in place, those sales look very, very bad from a regulatory perspective.
I do not believe they did have a 10b5-1 plan.
According to the Bloomberg report quoted above, the transactions were not part of any reported scheduled sale.
I hope the regulators go after them, especially the CFO.
Yes, I’m aware, but do not trust Bloomberg reporting.
I’ve encountered too many instances of inaccurate and incomplete reporting by BBG.
I would expect they have already received a call from SEC, but I have not seen anything on the SEC website.
” but do not trust Bloomberg reporting…”
Sad state of affairs, huh? But it would be sadder if you did trust Bloomingidiotberg reporting.
I work in the financial industry.
Bloomberg is incredibly sloppy.
Mike Bloomberg is an ignorant, socially awkward pig.
From what I read, the breach occurred because Equifax failed to apply security patches to their web servers. Dummies…
Maybe Equifax had their servers set up by John Podesta and used “p@ssw0rd” for their top level password?
I’m sure they didn’t make that mistake.
It was S3cr3t!!
I’d appreciate you all not publicly blasting out my go-to p-words.
A while back, I went to work at a small NGO as the CFO. The password for the payroll system was really “secret”. That lasted for about a nanosecond.
So what happens to Equifax’s credit score?
Watch: they’ll find all this date on Wassherman SSchultz’s laptop, with a tie to a hillary clinton scam.
And Sessions still won’t investigate…