On Thursday, major national credit-reporting company Equifax revealed that a cyberattack from July exposed personal information of about 143 million U.S. consumers. The company wrote in a statement:

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

There are many angles to this story. First off, the breach. It occurred in July and the steps Equifax has taken to prevent another one. Second, the company discovered the breach on July 29 and some board members sold stocks on August 1. Third, users have filed a proposed class-action lawsuit against the company.

The Breach

Equifax is one of the largest credit agencies that has information on 821 million consumers and 91 million businesses. From The New York Times:

Equifax, based in Atlanta, is a particularly tempting target for hackers. If identity thieves wanted to hit one place to grab all the data needed to do the most damage, they would go straight to one of the three major credit reporting agencies.

“This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

—-

“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.

Starting in mid-May, cyber terrorists targeted a weak spot in Equifax’s website software. This allowed them to access birth names, birthdays, addresses, credit card numbers, and Social Security numbers. The breach also took “documents with personal information used in disputes for 182,000 people.”

With this information, the criminals “can impersonate people with lenders, creditors and service providers.”

Equifax developed a website to see if your information is compromised, but yet they ask for your last name and the last six digits of your SSN, which has some shaking their heads. From The Washington Post:

“This is very unusual — most security systems are hard-wired only to reveal the last four digits of an SSN for identification purposes,” said Satya Gupta, co-founder & chief technology officer at Virsec Systems, a cybersecurity firm. “This strongly implies that the typical four digits may have been compromised, and they need additional, previously ‘secret’ information to positively identify customers. This reinforces the conundrum of these breaches — with more information exposed, how do you now prove a person’s identity?”

The company has also suggested consumers receive a free copy of their credit report from them, Experian, or TransUnion. Consumer credit expert John Ulzheimer told The New York Times that “Equifax is offering consumers the ability to freeze their Equifax credit reports.” He continued:

“It’s like locking one of three doors in your house and leaving the other two unlocked,” Mr. Ulzheimer said. “You’re hoping the thief stumbles on the locked door.” He recommended that all those affected immediately place a fraud alert on all three of their credit files, which anyone can do for free.

Equifax’s offer of one year of free protection falls short of what consumers really need, because their information can be bought and sold by hackers for years to come, Mr. Ulzheimer added.

Insider Trading?

News also came out that three executives sold shares that totaled $1.8 million only a few days after Equifax learned of the breach.

Equifax claims that these executives did not know of the breach at the time, though. From Bloomberg:

The credit-reporting service said earlier in a statement that it discovered the intrusion on July 29. Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.

The three “sold a small percentage of their Equifax shares,” Ines Gutzmer, a spokeswoman for the Atlanta-based company, said in an emailed statement. They “had no knowledge that an intrusion had occurred at the time.”

Equifax’s shares fell by 13% after news broke of the breach. Bloomberg continued:

“I don’t know how the board will allow these executives to continue in their positions,” said Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP, who advises boards on matters including corporate compliance and enforcement challenges. “Yes, they should have a careful investigation and have an independent law firm interview the executives and review their emails and determine what they knew and when, but the end result is likely clear.”

Lawsuit

To no one’s shock, there has already been one lawsuit filed against Equifax. Plaintiffs Mary McHill and Brook Reinhard, both from Oregon, allege that “Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack.” From Bloomberg:

“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers,” the complaint stated. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”

The case was filed by the firm Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class actions. Ben Meiselas, an attorney for Geragos, said the class will seek as much as $70 billion in damages nationally.

Something tells me this won’t be the only lawsuit.