ArkansasOnline: Hacking whacks stock at Equifax
Shares of Equifax Inc. fell almost 14 percent Friday, a day after the company announced that hackers had gained access to names, addresses, Social Security numbers and some driver's license numbers of potentially 143 million consumers.
One of the three biggest credit-reporting companies, Equifax generated $3.1 billion in revenue last year operating behind the scenes helping banks, insurers and employers assess people's creditworthiness for loans, jobs and credit cards.
The incident is a stark reminder of the risk of consumers' personal data being exposed online, security experts said. It's particularly worrisome for the millions of people who trust credit-reporting agencies such as Equifax to handle and protect their financial information. That kind of data is critical and could be used in multiple ways to harm consumers.
"This is massive," said Paul Martini, chief executive officer of Iboss, a cybersecurity firm. "This overshadows any other breach that we've seen to date -- not just the volume, the size, but the type of data that was in that database."
Equifax shares fell $19.49, or 13.7 percent, to close Friday at $123.23.
Criminals took advantage of a "U.S. website application vulnerability to gain access to certain files" from mid-May through July of this year, Atlanta-based Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit-card numbers for about 209,000 consumers were also accessed, the company said.
"It's a huge deal," said Tim Crosby, senior consultant with security-assessment firm Spohn. "You would expect these guys to have compartmentalized this data far enough away from a Web server -- that there would not be any way to directly access it."
More information about the data breach surfaced Friday, including details about three Equifax Inc. senior executives who sold shares worth almost $1.8 million in the days after the company discovered the breach.
Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374, and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.
The three "sold a small percentage of their Equifax shares," Ines Gutzmer, a spokesman for the Atlanta-based company, said in an emailed statement. They "had no knowledge that an intrusion had occurred at the time."
Bart Friedman, a senior counsel at Cahill Gordon & Reindel LLP who advises boards on matters including corporate compliance and enforcement challenges, said he does not know how Equifax's board of directors can allow the executives to continue in their positions.
"Yes, they should have a careful investigation and have an independent law firm interview the executives and review their emails and determine what they knew and when, but the end result is likely clear," Friedman said.
Judy Burns, a spokesman for the Securities and Exchange Commission, declined to comment.
The Federal Bureau of Investigation said in a statement that it was aware of the hacking incident and was "tracking the situation as appropriate."
In a letter sent to Equifax on Friday, New York Attorney General Eric Schneiderman requested specific details about when the company learned of the breach, what caused it and whether there was evidence of identity theft, abuse of financial information or data being offered for sale illegally, his office announced.
Also Friday, Rep. Ted Lieu, D-Calif., sent a letter to the leaders of the House Judiciary Committee -- Rep. Bob Goodlatte, R-Va., who leads the panel, and Rep. John Conyers Jr. of Michigan, the ranking Democrat -- calling for a hearing to address the breach.
In his letter, Lieu asked that representatives of Equifax, Experian and TransUnion -- the nation's three major credit-reporting agencies -- be called to testify about how the latest intrusion occurred and what steps were being taken to prevent future intrusions.
"Congress has a strong role to play in preventing such attacks on our financial and IT infrastructure, and must hold those entrusted with our most sensitive data to account," Lieu wrote in the letter.
A lawsuit seeking class-action status was filed against Equifax Inc. late Thursday evening in a federal court in Portland, Ore., shortly after the company reported the hack.
"In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards ... from unauthorized access by hackers," the complaint stated. "Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to."
The case was filed by the firms Olsen Daines PC along with Geragos & Geragos, a celebrity law firm known for blockbuster class-action suits.
Equifax and the other large credit-data brokers have fought a public-relations and regulatory battle for years to present themselves as responsible stewards of the personal information for hundreds of millions of Americans. Critics have taken aim at errors that affect people's ability to secure home loans, credit cards and reasonable interest rates.
U.S. Sen. Mark Warner, a Virginia Democrat, said the attack should spur renewed interest in stronger data-breach notification standards as well as policies to improve the protection of consumers' data.
"It is no exaggeration to suggest that a breach such as this -- exposing highly sensitive personal and financial information central for identity management and access to credit -- represents a real threat to the economic security of Americans," Warner said in a statement.
The hackers who targeted Equifax probably had a less aggressive goal than accessing consumers' personal data: stealing their credit-card numbers.
According to a person familiar with the breach investigation, Equifax appears to have been targeted initially because the company keeps on file millions of active credit-card numbers, belonging to people who pay $19.95 or more per month to have Equifax monitor their credit reports and alert them to potential fraud.
The person, who requested anonymity to discuss the ongoing investigation, said the Web application the attackers used to breach Equifax's corporate network granted access to both the credit-card files and back-end systems storing the exhaustive data profiles on consumers. Those profiles include Social Security numbers, driver's license numbers and other sensitive information, Equifax said Thursday in a statement.
Active credit-card numbers can fetch higher prices than even those other types of more revealing personal data, because they are usable immediately and without much additional work.
But investigators have not yet determined whether financial fraud was the attackers' only goal, another person familiar with the investigation said. Some of the hackers' behavior on Equifax's network suggested that once they were inside, they sought financial and personal information on particular individuals, which is more commonly associated with higher-level forms of identity theft and espionage. Both people said it's possible there may have been multiple motivations and possibly phases of the attack.
Equifax's breach will test measures the financial industry has rolled out to prevent thieves from abusing troves of stolen credit-card numbers. A few years ago, banks in the U.S. began embedding computer chips on cards to prevent criminals from forging their own with much simpler magnetic stripes.
The underlying technology -- called EMV for founders Europay, MasterCard and Visa -- generates new codes for each transaction. The codes on stripes are static, making them susceptible to duplication. Still, stolen card numbers can be useful at cash registers that don't accept chips or for shopping online.
The Equifax breach also may open the way for another type of fraud called synthetic identity theft. Typically, fraudsters mix stolen Social Security numbers, and potentially other information from the owners, with a borrowed mailing address and apply for new credit cards that they control. Some patient con artists even use the new personas to seek additional credit cards or loans, then max them all out at once, potentially making off with tens of thousands of dollars.
Banks typically pick up the cost when thieves abuse stolen card numbers, assuming it's caught promptly. The expenses can add up fast.
The company set up a website, www.equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It's also offering free credit-file monitoring and identity-theft protection.
Information for this article was contributed by Polly Mosendz, Brian Womack, Anders Melin, Jordan Robertson and Michael Riley of Bloomberg News, and by Tiffany Hsu of The New York Times.