6 Reasons Why Heads Should Roll at Equifax After the Data Breach

Equifax is a company with one big asset: the financial identity and history of millions of people. Their entire business model revolves around selling that information to everyone from lenders to marketers to debt collectors. So the September 2017 announcement of a cyber attack exposing the personal data of over 140 people was a bombshell for financial professionals and ordinary consumers alike. The amount of information and the number of people affected is unprecedented. And as more details surface, the news gets worse and worse for Equifax.

Each new story makes it ever more apparent that the people running things at Equifax were not adequately defending against cyber attacks, nor preparing for the possibility of a breach. The company’s actions before and after the hack have left it vulnerable to multiple lawsuits, government investigations, and possibly even criminal charges.

Here are six reasons why we should expect some pretty big shakeups in Equifax’s personnel, from the boardroom level down to department heads.

The vulnerability that led to the hack was known for months before the Equifax attack began.

The hackers who struck Equifax exploited a weakness in web application software widely used in the financial industry. The problem was identified and announced in March 2017, and a patch was almost immediately available.

Equifax had not installed the fix when the breach occurred two months later. Hackers closely follow news of security holes and patches and deliberately search for companies who have not updated their software.  It is stunning that as juicy a target as a credit reporting company would fail to take such an elementary step to secure their systems.

Equifax did not make a public announcement of the breach for over a month after it was discovered. 

When a large attack becomes public knowledge, millions of people immediately want to know if their information was compromised, and what to do if it was. It’s reasonable to take some time to determine the full extent of the breach and to make sure there are resources available to help victims protect themselves. However, industry watchers have suggested that the time it took to make a public announcement seems excessive.

Even worse, despite the extra time, another big problem surfaced once people started going to the response site. Equifax offered free credit monitoring and identity theft protection to customers whose information is compromised. However, people who read the fine print quickly noticed that the service agreement for those programs included waiving the right to sue Equifax. Although Equifax hastily changed the terms, warnings had already gone viral and continue to spread. As a result, many potential refuse to sign up for the protections, or even go to the site to check whether their information was exposed.

By putting off informing the public, and then appearing to make victims sign away rights in return for any protection, the company gives the appearance that it was far more concerned with protecting itself than the people whose information had been stolen.

Equifax executives sold off stock in the company before the breach was announced.

On the heels of the initial announcement of the breach, SEC filings revealed that at least three Equifax executives sold off stock in the company days after the attack was discovered, and long before the public was told. All three men are likely to have been part of the decision on when to release the news to the public (two are division presidents and one is the Chief Financial Officer). This again has terrible optics for the company and makes the delay look even more suspect.

The news of the stock sales led directly to calls from federal and state officials for investigations of Equifax, bringing more scrutiny and bad press to bear on a company already in a crisis. And if the stock sell-off turns out to be a form of insider trading as some have suggested, the executives have left themselves and the company vulnerable to criminal charges.

Scrutiny of Equifax’s security has turned up even more potential problems.

The initial vulnerability allowed hackers to enter Equifax’s computer system from outside the company. However, once hackers get into a company’s computers, how much information they can access can be limited by robust internal security that that keeps different parts of the system walled off from each other. Given the size of the breach, and the fact that subsets of customers have had additional information like credit card numbers stolen, security analysts believe that sensitive information was not adequately protected even within Equifax’s own computer environment.

Further evidence of this came a week after the initial announcement of the breach when prominent security researcher Brian Krebs reported that an Equifax employee portal in Argentina still had an active “admin/admin” default login and password.  The fact that such a basic security hole exists in a company considered a top-level target for cyber thieves is surprising enough. That it was not found and closed in the first steps of a company-wide security audit following the hack is jaw-dropping.

Equifax may not have enough insurance to cover their liability for the attack.

Bloomberg and Insurance Journal both report that Equifax’s cyber insurance appears to cover approximately $100-$150 million in losses. However, the infamous 2013 Target security breach cost that company nearly $300 million dollars, and the information exposed was merely credit card numbers that could quickly be deactivated and reissued. With permanent information like names, dates of birth, and Social Security numbers of millions of customers now in the wild, Equifax’s potential liability is exponentially larger, yet their insurance would not even have fully covered the Target breach.

Class-action lawsuits are popping up like mushrooms, each one likely to take years of expensive maneuvering to fight or settle. In addition, the Federal Trade Commission, Congress, and various state agencies have opened investigations, each of which will be costly and likely to uncover even more unfortunate information about Equifax’s security lapses. The result will be more bad publicity and a strong possibility of hefty fines at both the state and federal levels. All of this suggests that the company’s level of insurance will be woefully inadequate.

Wall Street is already punishing Equifax.

When the news of the hack came out, Equifax’s stock began to plummet from a high of $143 per share. The ongoing revelations have continued to tarnish the company’s value. In the first week alone, stock prices have fallen by 18 percent. Some analysts are predicting that shares will be selling for under $100 by October.

Equifax’s entire business model rests on the collection and sale of people’s highly personal information. Both consumers and the financial industry assumed that the company was vigorously safeguarding the information they owned. The public is shocked and angry that their information was left so vulnerable. The industry is just as appalled that a multibillion-dollar corporation would be so careless with the assets that are the basis of the company’s entire value. The company’s reputation and value will be deeply affected by this incident for years to come.

For all of these reasons, we should expect, if not demand, to see high-level Equifax personnel announcing plans to spend more time with their families in the near future.