Equifax grapples with fallout from massive data breach


Equifax, the credit reporting and data security firm now subject of one of most significant data breaches in American history, was grappling Friday with the fallout.

The cyber-attack Equifax disclosed Thursday struck at the heart of the company, CEO Rick Smith said, a business that’s a key cog in the American financial system. The company is so central to the financial universe, its future isn’t likely in doubt, analysts say, but as past breaches have shown, the costs will be heavy.

Criminals exploited a hole in its security walls, exposing the personal information, including Social Security numbers of 143 million U.S. consumers, or more than half the adult population of the country. It’s a nearly unprecedented cyber heist that will threaten consumers for years, consumer advocates said, because crooks could use the information to impersonate Americans and wreck their finances.

By Friday, members of Congress also called for hearings on the breach. In Oregon, lawyers filed a lawsuit seeking class action status, the first of what will undoubtedly be a wave of litigation in the case.

A number of outlets reported Friday the FBI is investigating the breach, though Equifax had said the day before it was working with federal authorities.

Consumer groups criticized the way Equifax notified the public with an end of business day news release Thursday that came more than a month after the company first learned of the breach.

Equifax has offered victims a free year of credit and identity protection services and vowed to upgrade security.

But some slammed the company for fine print in the free protective services that would seem to lock consumers into binding arbitration. Equifax said the arbitration clause only applied to problems that might arise from the use of the free products, not the liabilities that result from the hack.

“I’m not satisfied with how they’ve handled it, not at all,” said Liz Coyle, executive director of consumer advocacy group Georgia Watch.

Late Thursday, news broke that three executives — its chief financial officer and presidents of two business units — sold a combined $1.8 million in stock in early August, days after the company learned of the attack and before it was public.

That set off allegations the corporate executives profited from information at the expense of the public, which is illegal.

A company representative said, however, the executives “had no knowledge that an intrusion had occurred at the time.” But the company told its investors that it had “promptly” informed its board of directors of the incident.

Some on Wall Street were calling for a federal investigation into the trades.

Executives often use pre-programmed stock sales through a so-called 10b5-1 plan to avoid accusations of illegal insider trading. But the three executives’ stock sale disclosures filed with the U.S. Securities and Exchange Commission indicate that their stock sales were not pre-scheduled.

Equifax’s stock closed Friday at $123.23, down 13.7 percent from Thursday’s closing price, $142.72. The company had announced the breach after the end of trading Thursday.

Equifax’ shares hit a record high of over $147 in late July, around the time the company discovered the data breach, and a few days before the executives’ stock sales. Equifax shares have since plunged more than 16 percent — most of it on Friday.

‘A honey pot’

Equifax, which traces its roots to the 1890s, helps banks decide whether to lend people money for homes and cars and whether to issue credit cards. Equifax and fellow credit bureaus Experian and TransUnion also weigh in when you’re seeking a job, rental housing or insurance, helping companies verify whether you are who you say you are.

It’s the troves of information that Equifax holds that makes it and other bureaus prime targets.

“With that power of aggregating information about consumers there’s a high degree of risk,” said Dimitri Sirota, co-founder and CEO of BigID, a data security firm. “It amounts to a honey pot, a tempting target for a country or criminals to attack.”

Unauthorized access to the information occurred from mid-May to July, the company said, and was discovered by the company on July 29. Equifax engaged an outside cybersecurity firm to investigate, the company said, and conduct a forensic review.

Equifax gave few details about how the data was accessed and whether it was their own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”

Jeffrey Mueler, a senior research analyst for Robert W. Baird & Co., wrote in a report to investors that he was informed the breach had to do with a security flaw in an application called Apache Struts, an open-source server software. The tech news website ZDNet reported this week the application, which is used by many Fortune 100 companies, has a flaw allowing hackers to exploit it and extract data.

An Equifax spokesman did not respond to questions about the security flaw.

Mueler said data security is a primary concern for all companies, especially credit bureaus.

“It’s a constant and key priority for the company and where they spend a lot of money,” Mueler said, calling the battle with hackers “a cat and mouse game.”

A report from Wells Fargo Securities said Equifax faces risk of losing some business and running up higher expenses for legal, customer service and security consulting needs.

The company also is likely to experience fines from regulators, much as Home Depot, Target and Anthem have for recent large breaches, the Wells Fargo report said.

Mueler called the immediate shock to Equifax’s share price an “overreaction,” but said in the near term the company faces a number of challenges.

“There’s a significant societal benefit to having credit bureaus; both for consumers and banks,” he said. “The system would be worse off if there were less data or two providers rather than three.”

But the assault is a huge dent to the reputation of a company selling identity security and financial fraud products. It’s also a blemish to the Atlanta region, a hub for financial technology firms that manage financial security and electronic payments.

Regulators and litigation

Equifax is already facing legal repercussions from several fronts due to the hacking incident.

On Friday, an Oregon couple sued alleging Equifax “negligently failed to maintain adequate technological safeguards” so that the company could increase its profits.

The Consumer Financial Protection Bureau and New York Attorney General Eric Schneiderman both said they’re launching investigations into Equifax’s hacking, while the House Financial Services Committee announced that it plans hearings on the company’s troubles, as well.

Meanwhile, by Friday afternoon, at least three law firms had already announced that they were investigating Equifax for potential securities and negligence lawsuits.

“This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing,” said U.S. Rep. Jeb Hensarling, chairman of the House committee. “Large-scale security breaches are becoming all too common. Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes, and they deserve answers.”

MYAJC.COM: REAL JOURNALISM. REAL LOCAL IMPACT.

AJC Business reporter Russell Grantham keeps you updated on the latest news about major companies, CEOs and public utilities in metro Atlanta and beyond. You'll find more on myAJC.com, including these stories:

Never miss a minute of what's happening in local business news. Subscribe to myAJC.com.



Reader Comments ...


Next Up in Business

Business stories of the week: Amazon, 2018 priorities, Phipps Plaza
Business stories of the week: Amazon, 2018 priorities, Phipps Plaza

The week had no shortage of business headlines among Atlanta area companies – or perhaps companies that want to become Atlanta area companies. From the Amazon second headquarters search to major development projects, here are some of the big business headlines you might have missed from the past week. Georgia and Atlanta area economic development...
More job cuts coming to Atlanta as part of Coca-Cola restructuring
More job cuts coming to Atlanta as part of Coca-Cola restructuring

Atlanta-based Coca-Cola plans to cut an additional 179 jobs in its hometown as part of a broader restructuring the beverage giant announced earlier this year. In filings with the Georgia Department of Economic Development’s Workforce Division, Coke identified layoffs at three corporate offices in the city effective by the end of December...
Atlanta’s Phipps Plaza makeover plan shifts into overdrive
Atlanta’s Phipps Plaza makeover plan shifts into overdrive

The reinvention of Phipps Plaza into a mixed-use entertainment and shopping complex has been in the works for more than a decade. But the announcement Tuesday of a $200 million-plus expansion, including a flagship Nobu hotel and restaurant, will take that the makeover to a new level, officials with mall owner Simon hope. In Nobu, Phipps will add...
4 of the best ways to turn your home into a cash cow
4 of the best ways to turn your home into a cash cow

Your house is a large expense with many associated costs like a mortgage payment, insurance, maintenance and more. It provides a roof over your head, of course, but since it usually costs you money each month, why not put it to work for you and earn some cash in the process? The following are four ways your house can make you money: If you're planning...
6 things to know about working for Uber
6 things to know about working for Uber

Uber has been making headlines in recent months for everything from a new CEO to industry regulation. But if you want to work as a driver for the service that revolutionized the taxi-transport industry, there is more important information about Uber you'll want to check out. Here are six things you need to know about Uber before working for them...
More Stories