Newsletter Archives

  • Insider trading charge leveled at Equifax CIO

    Remember how three Equifax execs sold $1.8 million in Equifax stock, after the company was hacked but before the hack was announced?

    The SEC just nailed one of them:

    Jun Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach. The SEC alleges that before Equifax’s public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million.

    Let’s see what happens.

  • Wired: 6 fresh horrors from the Equifax (former) CEO’s Congressional hearing

    Lily Hay Newman at Wired has distilled the essence of yesterday’s hearing with Richard Smith. It’s mind-boggling.

    As many of you know, I’m no fan of the credit reporting agencies, least of all Equifax. (Try moving back to the US from overseas and you’ll see what I mean.) But this is… dumbfounding.

    I wonder about the other credit reporting agencies. More than that, I wonder about the state of stored personal information everywhere — including Microsoft and Google.

    Surely, this has to be one of the key issues for the coming decade.

    From today’s testimony:

    Thanks to Rich Uncle Pennybags for providing needed perspective.

  • Looks like the bad guys may have broken into Equifax using a known hole in Apache Struts

    Apache Struts is an open-source package that runs on servers to help Java web developers. Translation: If you don’t understand, you don’t need to worry about it.

    BUT.

    Apache Struts is very common around the web. Last week, Bas van Schaik on the lgtm blog said:

    Analyst Fintan Ryan at RedMonk estimates that at least 65% of the Fortune 100 companies are actively using web applications built with the Struts framework. Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework.

    Struts has been patched, and versions 2.3.34 and 2.5.13 don’t have the problem.

    Keith Collins on the Quartz blog explains that it isn’t clear if the Equifax hack took advantage of a bug disclosed in March, or one divulged in September.

    Dan Goodin, in an Ars Technica post from late last week, has details from a programming point of view.

  • Bloomberg: Three Equifax execs sold $1.8 M in stock days before hack was announced

    UPDATE: More in Computerworld’s Woody on Windows.

    ANOTHER UPDATE: This tweetstorm from Bob Sullivan.

    Equifax needs to remove #ripoffclause from its “free” offering to consumers now to avoid confusion.

    Original post:

    You know about the hack, yes? Equifax has officially disclosed:

    Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

    The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

    By comparison, the last census reported 321 million people in the US, with 26% under age 20. 74% of 321 million is 238 million, and 143 million of them had their records swiped.

    There’s no further official explanation, but based on the wording in the announcement, I’d be willing to bet the purloined data was in cleartext.

    I’m no fan of the three major credit reporting companies – bad experiences when I moved back to the US three and a half years ago – but this is a new low, even by their standards.

    Equifax didn’t disclose the breach until today. That may have been at the request of law enforcement (or maybe not), but it sure didn’t stop three execs from cashing in.

    Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed by Anders Melin, on Bloomberg.

    The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.

    I can’t get through to Equifax, but I’ll let you know if I find a way.

    UPDATE: Brian Krebs has a full analysis – about what little is known.