Bloomberg: Three Equifax execs sold $1.8 M in stock days before hack was announced

UPDATE: More in Computerworld Woody on Windows

ANOTHER UPDATE: This tweetstorm from Bob Sullivan.

Equifax needs to remove #ripoffclause from its “free” offering to consumers now to avoid confusion.

Original post:

You know about the hack, yes? Equifax has officially disclosed:

Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

By comparison, the last census reported 321 million people in the US, with 26% under age 20. 74% of 321 million is 238 million, and 143 million of them had their records swiped.

There’s no further official explanation, but based on the wording in the announcement, I’d be willing to bet the purloined data was in cleartext.

I’m no fan of the three major credit reporting companies – bad experiences when I moved back to the US three and a half years ago – but this is a new low, even by their standards.

Equifax didn’t disclose the breach until today. That may have been at the request of law enforcement (or maybe not), but it sure didn’t stop three execs from cashing in.

Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed by Anders Melin, on Bloomberg.

The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.

I can’t get through to Equifax, but I’ll let you know if I find a way.

UPDATE: Brian Krebs has a full analysis – about what little is known.