Equifax, the credit reporting and data security firm now subject of one of most significant data breaches in American history, was grappling Friday with the fallout.
The cyber-attack Equifax disclosed Thursday struck at the heart of the company, CEO Rick Smith said, a business that’s a key cog in the American financial system. The company is so central to the financial universe, its future isn’t likely in doubt, analysts say, but as past breaches have shown, the costs will be heavy.
Criminals exploited a hole in its security walls, exposing the personal information, including Social Security numbers of 143 million U.S. consumers, or more than half the adult population of the country. It’s a nearly unprecedented cyber heist that will threaten consumers for years, consumer advocates said, because crooks could use the information to impersonate Americans and wreck their finances.
By Friday, members of Congress also called for hearings on the breach. In Oregon, lawyers filed a lawsuit seeking class action status, the first of what will undoubtedly be a wave of litigation in the case.
A number of outlets reported Friday the FBI is investigating the breach, though Equifax had said the day before it was working with federal authorities.
Consumer groups criticized the way Equifax notified the public with an end of business day news release Thursday that came more than a month after the company first learned of the breach.
Equifax has offered victims a free year of credit and identity protection services and vowed to upgrade security.
But some slammed the company for fine print in the free protective services that would seem to lock consumers into binding arbitration. Equifax said the arbitration clause only applied to problems that might arise from the use of the free products, not the liabilities that result from the hack.
“I’m not satisfied with how they’ve handled it, not at all,” said Liz Coyle, executive director of consumer advocacy group Georgia Watch.
Late Thursday, news broke that three executives — its chief financial officer and presidents of two business units — sold a combined $1.8 million in stock in early August, days after the company learned of the attack and before it was public.
That set off allegations the corporate executives profited from information at the expense of the public, which is illegal.
A company representative said, however, the executives “had no knowledge that an intrusion had occurred at the time.” But the company told its investors that it had “promptly” informed its board of directors of the incident.
Some on Wall Street were calling for a federal investigation into the trades.
Executives often use pre-programmed stock sales through a so-called 10b5-1 plan to avoid accusations of illegal insider trading. But the three executives’ stock sale disclosures filed with the U.S. Securities and Exchange Commission indicate that their stock sales were not pre-scheduled.
Equifax’s stock closed Friday at $123.23, down 13.7 percent from Thursday’s closing price, $142.72. The company had announced the breach after the end of trading Thursday.
Equifax’ shares hit a record high of over $147 in late July, around the time the company discovered the data breach, and a few days before the executives’ stock sales. Equifax shares have since plunged more than 16 percent — most of it on Friday.
‘A honey pot’
Equifax, which traces its roots to the 1890s, helps banks decide whether to lend people money for homes and cars and whether to issue credit cards. Equifax and fellow credit bureaus Experian and TransUnion also weigh in when you’re seeking a job, rental housing or insurance, helping companies verify whether you are who you say you are.
It’s the troves of information that Equifax holds that makes it and other bureaus prime targets.
“With that power of aggregating information about consumers there’s a high degree of risk,” said Dimitri Sirota, co-founder and CEO of BigID, a data security firm. “It amounts to a honey pot, a tempting target for a country or criminals to attack.”
Unauthorized access to the information occurred from mid-May to July, the company said, and was discovered by the company on July 29. Equifax engaged an outside cybersecurity firm to investigate, the company said, and conduct a forensic review.
Equifax gave few details about how the data was accessed and whether it was their own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
Jeffrey Mueler, a senior research analyst for Robert W. Baird & Co., wrote in a report to investors that he was informed the breach had to do with a security flaw in an application called Apache Struts, an open-source server software. The tech news website ZDNet reported this week the application, which is used by many Fortune 100 companies, has a flaw allowing hackers to exploit it and extract data.
An Equifax spokesman did not respond to questions about the security flaw.
Mueler said data security is a primary concern for all companies, especially credit bureaus.
“It’s a constant and key priority for the company and where they spend a lot of money,” Mueler said, calling the battle with hackers “a cat and mouse game.”
A report from Wells Fargo Securities said Equifax faces risk of losing some business and running up higher expenses for legal, customer service and security consulting needs.
The company also is likely to experience fines from regulators, much as Home Depot, Target and Anthem have for recent large breaches, the Wells Fargo report said.
Mueler called the immediate shock to Equifax’s share price an “overreaction,” but said in the near term the company faces a number of challenges.
“There’s a significant societal benefit to having credit bureaus; both for consumers and banks,” he said. “The system would be worse off if there were less data or two providers rather than three.”
But the assault is a huge dent to the reputation of a company selling identity security and financial fraud products. It’s also a blemish to the Atlanta region, a hub for financial technology firms that manage financial security and electronic payments.
Regulators and litigation
Equifax is already facing legal repercussions from several fronts due to the hacking incident.
On Friday, an Oregon couple sued alleging Equifax “negligently failed to maintain adequate technological safeguards” so that the company could increase its profits.
The Consumer Financial Protection Bureau and New York Attorney General Eric Schneiderman both said they’re launching investigations into Equifax’s hacking, while the House Financial Services Committee announced that it plans hearings on the company’s troubles, as well.
Meanwhile, by Friday afternoon, at least three law firms had already announced that they were investigating Equifax for potential securities and negligence lawsuits.
“This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing,” said U.S. Rep. Jeb Hensarling, chairman of the House committee. “Large-scale security breaches are becoming all too common. Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes, and they deserve answers.”
MYAJC.COM: REAL JOURNALISM. REAL LOCAL IMPACT.
AJC Business reporter Russell Grantham keeps you updated on the latest news about major companies, CEOs and public utilities in metro Atlanta and beyond. You'll find more on myAJC.com, including these stories:
- Study: Atlanta and Georgia pensions get mixed grades
- Georgians’ auto premiums are through the roof, consumer researchers say
- How many lifetimes would you have to work to earn top Georgia CEOs’ pay?
Never miss a minute of what's happening in local business news. Subscribe to myAJC.com.
Resources for consumers
Equifax has created a website with information for consumers. The company also said it would provide a free one-year package of credit monitoring and ID protection services. For more information, visit: https://www.equifaxsecurity2017.com/
Privacy Rights Clearinghouse: https://www.privacyrights.org/consumer-guides/what-do-when-you-receive-data-breach-notice
Federal Trade Commission: https://www.identitytheft.gov/Info-Lost-or-Stolen