Equifax Inc. (NYSE: EFX) announced on 9/7 a cybersecurity incident potentially impacting 143 million U.S. residents.
The attackers exploited a website application vulnerability and gained access to certain files.
Based on Equifax’s investigation, the attackers had access from mid-May through the end of July 2017.
The criminals gained access to people's names, addresses, birthdays, Social Security numbers and, in some cases, driver's license numbers.
Other than the obvious questions on how this could happen and how to protect your identity online if you were exposed, it also raises some other questions.
#1: Equifax offers credit monitoring (one of their key services) to anyone affected by the breach, but only for 1 year.
You will be vulnerable a lot longer than that from the breach. Is this just a smart up-sell?
You also waive your rights to sue Equifax if you get the protection, unless you write them within 30 days letting them know you want to opt out of the “no sue” clause.
#2: After the breach the Equifax Chairman and CEO, Richard F. Smith, said “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
This is almost as ham-fisted as the BP CEO explaining how he had to cut his vacation short and no one was as affected by the Gulf oil spill as he was.
Equifax lost 58% of the adult US population's names, addresses, birthdays and Social Security numbers and you think you are a leader of protecting data?!?
#3: The breach was detected in July; in August Equifax bought the “sign up here if you were compromised” website (https://www.equifaxsecurity2017.com), and in September they told the press.
Why did it take that long to tell anyone about the breach?
From the discovery to the disclosure, the attackers could have made 100,000s of fake credit cards and bank accounts; they could have ruined many lives because Equifax waited almost 6 weeks to disclose the breach.
#4: 3 senior executives sold close to 1.8 million USD in Equifax stock (these were non-planned sales) just days before the public was told about the breach, but over 5 weeks after Equifax knew about the breach.
Supposedly they did not know about the breach. I just really doubt the CFO wakes up one morning and decides to sell $1,000,000 of stock that wasn’t planned and then a few days later “Oh by the way we were breached 6 weeks ago”.
Chief Financial Officer John Gamble sold stock for $946,374.
U.S. Information Solutions President Joseph Loughran sold stock for $584,099.
Consumer Information Solutions President Rodolfo Ploder sold stock for $250,458.
How can or will anyone ever trust Equifax with their data?