Credit reporting giant Equifax has warned that data on 143 million of its customers has been accessed by attackers unknown, and is now facing questions over the timing of $1.8 million (around £1.37 million) in stock sales by three executives made before the public announcement.
Equifax announced its discovery of the attack, which is thought to have been exclusive to a database of the company's North American customers, late last night: 143 million personally-identifiable records, including US Social Security and driving licence numbers plus around 209,000 credit card details, accessed between mid-may and July 2017. Embarrassingly for a company which promises to provide security-related monitoring for customers' credit accounts, Equifax has proven extremely slow in warning said customers of the breach: While the company discovered the attack on July 29th, it only announced it to customers on September 8th - leaving those affected at risk in the interim.
The company's embarrassment is nothing, however, in the face of a report from Bloomberg alleging that three top executives sold off shares in the company totalling nearly $1.8 million between the discovery of the attack and the public announcement which unsurprisingly sent the company's share price plummeting 13 percent and counting. Equifax has claimed the three executives had no knowledge of the breach when the sale was made, but all the reported sales were made outside the company's 10b5-1 scheduled trading - suggesting they were off-the-cuff sales rather than a planned divestment - between three and four days post-discovery and well before the public disclosure.
Claims the executives had no prior knowledge of the breach are difficult to swallow, too, when you look at the positions of the three involved: Chief financial officer (CFO) John Gamble sold nearly a million dollars' worth of shares, president of workforce solutions Rodolfo Ploder solder over $250,000 in shares, and, most concerning, the president of Equifax's US information solutions division - someone you would have expected to be heavily involved with the investigation into the breach - Joseph Loughran sold nearly $600,000 of his own stock.
If the trio did indeed use their knowledge of the attack to preempt a stock price slump, the sales represent insider trading - an issue the US authorities take extremely seriously.
For those affected by the breach, Equifax has belatedly set up a website where accounts can be checked for their presence in the breach and credit monitoring - provided in a final twist of the knife by an Equifax subsidiary - applied if necessary.
August 13 2019 | 08:30