Equifax grapples with fallout from massive data breach

Equifax, the credit reporting and data security firm now the subject of one of the most significant data breaches in American history, was grappling Friday with the fallout.

The cyber-attack Equifax disclosed Thursday struck at the heart of the company, CEO Rick Smith said, a business that’s a key cog in the American financial system. The company is so central to the financial universe, its future isn’t likely in doubt, analysts say, but as past breaches have shown, the costs will be heavy.

Criminals exploited a hole in its security walls, exposing the personal information, including Social Security numbers, of 143 million U.S. consumers, or more than half the adult population of the country. It’s a nearly unprecedented cyber heist that will threaten consumers for years, consumer advocates said, because crooks could use the information to impersonate Americans and wreck their finances.

By Friday, members of Congress also called for hearings on the breach. In Oregon, lawyers filed a lawsuit seeking class action status, the first of what will undoubtedly be a wave of litigation in the case.

A number of outlets reported Friday the FBI is investigating the breach, though Equifax had said the day before it was working with federal authorities.

Consumer groups criticized the way Equifax notified the public, with an end-of-business-day news release Thursday that came more than a month after the company first learned of the breach.

Equifax has offered victims a free year of credit and identity protection services and vowed to upgrade security.

But some slammed the company for fine print in the free protective services that would seem to lock consumers into binding arbitration. Equifax said the arbitration clause only applied to problems that might arise from the use of the free products, not the liabilities that result from the hack.

“I’m not satisfied with how they’ve handled it, not at all,” said Liz Coyle, executive director of consumer advocacy group Georgia Watch.

Late Thursday, news broke that three executives — its chief financial officer and presidents of two business units — sold a combined $1.8 million in stock in early August, days after the company learned of the attack and before it was public.

That set off allegations the corporate executives profited from information at the expense of the public, which is illegal.

A company representative said, however, the executives “had no knowledge that an intrusion had occurred at the time.” But the company told its investors that it had “promptly” informed its board of directors of the incident.

Some on Wall Street were calling for a federal investigation into the trades.

Executives often use pre-programmed stock sales through a so-called 10b5-1 plan to avoid accusations of illegal insider trading. But the three executives’ stock sale disclosures filed with the U.S. Securities and Exchange Commission indicate that their stock sales were not pre-scheduled.

Equifax’s stock closed Friday at $123.23, down 13.7 percent from Thursday’s closing price, $142.72. The company had announced the breach after the end of trading Thursday.

Equifax’s shares hit a record high of over $147 in late July, around the time the company discovered the data breach, and a few days before the executives’ stock sales. Equifax shares have since plunged more than 16 percent — most of it on Friday.

‘A honey pot’

Equifax, which traces its roots to the 1890s, helps banks decide whether to lend people money for homes and cars and whether to issue credit cards. Equifax and fellow credit bureaus Experian and TransUnion also weigh in when you’re seeking a job, rental housing or insurance, helping companies verify whether you are who you say you are.

It’s the troves of information Equifax holds that make it and other bureaus prime targets.

“With that power of aggregating information about consumers there’s a high degree of risk,” said Dimitri Sirota, co-founder and CEO of BigID, a data security firm. “It amounts to a honey pot, a tempting target for a country or criminals to attack.”

Unauthorized access to the information occurred from mid-May to July, the company said, and was discovered by the company on July 29. Equifax engaged an outside cybersecurity firm to investigate, the company said, and conduct a forensic review.

Equifax gave few details about how the data was accessed and whether it was their own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”

Jeffrey Mueler, a senior research analyst for Robert W. Baird & Co., wrote in a report to investors that he was informed the breach had to do with a security flaw in an application called Apache Struts, open-source server software. The tech news website ZDNet reported this week the application, which is used by many Fortune 100 companies, has a flaw allowing hackers to exploit it and extract data.

An Equifax spokesman did not respond to questions about the security flaw.

Mueler said data security is a primary concern for all companies, especially credit bureaus.

“It’s a constant and key priority for the company and where they spend a lot of money,” Mueler said, calling the battle with hackers “a cat and mouse game.”

A report from Wells Fargo Securities said Equifax faces risk of losing some business and running up higher expenses for legal, customer service and security consulting needs.

The company also is likely to experience fines from regulators, much as Home Depot, Target and Anthem have for recent large breaches, the Wells Fargo report said.

Mueler called the immediate shock to Equifax’s share price an “overreaction,” but said in the near term the company faces a number of challenges.

“There’s a significant societal benefit to having credit bureaus; both for consumers and banks,” he said. “The system would be worse off if there were less data or two providers rather than three.”

But the assault is a huge dent to the reputation of a company selling identity security and financial fraud products. It’s also a blemish to the Atlanta region, a hub for financial technology firms that manage financial security and electronic payments.

Regulators and litigation

Equifax is already facing legal repercussions on several fronts due to the hacking incident.

On Friday, an Oregon couple sued alleging Equifax “negligently failed to maintain adequate technological safeguards” so that the company could increase its profits.

The Consumer Financial Protection Bureau and New York Attorney General Eric Schneiderman both said they’re launching investigations into Equifax’s hacking, while the House Financial Services Committee announced that it plans hearings on the company’s troubles, as well.

Meanwhile, by Friday afternoon, at least three law firms had already announced that they were investigating Equifax for potential securities and negligence lawsuits.

“This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing,” said U.S. Rep. Jeb Hensarling, chairman of the House committee. “Large-scale security breaches are becoming all too common. Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes, and they deserve answers.”


AJC Business reporter Russell Grantham keeps you updated on the latest news about major companies, CEOs and public utilities in metro Atlanta and beyond.