Equifax Data Breach Exposes Millions – Executives Dump Stock Before Breach Made Public

On Thursday, Equifax, one of the three major consumer credit reporting agencies announced that hackers had breached the company’s systems, giving them access to data that potentially may be compromised of sensitive information for 143 million American consumers. This sensitive data includes Social Security numbers, home addresses, and driver’s license numbers for up to 143 million Americans.

Equifax handles data on more than 820 million consumers and more than 91 million businesses worldwide leaving nearly 1 in 7 in the world potentially at risk of their sensitive information being made public.

Both Federal and State level governments have already responded to the breach with New York Atty. Gen. Eric Schneiderman launching an investigation into the breach and the House Financial Services Committee announcing it would hold a hearing on the matter. Through a spokesperson, the F.B.I. also said that it was aware of the cyber-security breach and was tracking the situation.

Some congressional leaders also responded, including Vice-Chairman of the Senate Intelligence Committee and Senate Cybersecurity Caucus founder, Mark Warner who took to Twitter, calling the Equifax hack “a threat to our economic security.”

As the New York Times notes, “Equifax, based in Atlanta, is a particularly tempting target for hackers. If identity thieves wanted to hit one place to grab all the data needed to do the most damage, they would go straight to one of the three major credit reporting agencies.” This is both because of both the potential reach and scale of customers and the particularly sensitive type of data that can reap financial rewards for cyber-criminals.

“This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.” Indeed, this includes most American adults as Equifax and other similar companies judgments regarding “the creditworthiness of individuals can affect their ability to gain loans, housing and jobs, while also determining the interest rates on consumer products.”

While other cyberattacks, like the recent security breach of Yahoo, have been larger in sheer size, impacting over 1 billion accounts, the Equifax breach represents a unique threat in regards to the type of data accessed. In the breach which exposed critical information like Social Security numbers, the perpetrators of the attack were functionally given “the keys that unlock consumers’ medical histories, bank accounts and employee accounts.”

The serious type of data stolen may be not be only thing that sets this breach apart. Indeed, the clean-up and precautions required to safeguard oneself from its impact is also likely to be far more exhaustive than a typical cyber-breach. While the process for users to change the passwords to their online accounts is relatively simple and painless, initiating a freeze on one’s credit can be a much more difficult process.

The National Consumer Law Center, a leading consumer advocate group, has urged anyone potentially at risk to request a credit freeze from all three major credit bureaus to prevent anyone utilizing the stolen data to potentially access credit in their name. They are also calling on Equifax to pay for the credit freezes.

In response to the breach, Equifax established a website, https://www.equifaxsecurity2017.com, where people can check to see if their personal information may have been stolen in the breach. Consumers can also call (866) 447-7559 for more information. However, in the immediate aftermath Equifax’s solution appears to have been hastily constructed as various individuals took to social media, pointing out a troublesome clause that appears to be a result of a copy and pasted terms of service agreement.

Burried in the fine print, the clause in question, which we reproduce in full below, contains language that appears to bar anyone who enrolls in the Equifax program from participating in any class-action lawsuits that may arise from the security breach. Commonly referred to as an “arbitration clause,” the terms of service agreement would seek to bar consumers from using the court system, instead forcing them to take claims and damages through a binding arbitration system under terms dictated by the company.

AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.

Given there is already at least one class-action lawsuit being initiated, this is a very real consideration for anyone affected by the Equifax breach. New York Attorney General, Eric Schneiderman, appears to be taking this possibility very seriously, calling the language “unacceptable and unenforceable,” and demanding Equifax remove the clause.

The seemingly exploitative Equifax terms of service quickly became the source of a great deal of scrutiny and negative publicity. Other sharp-eyed readers also noticed that the “complementary” credit monitoring service Equifax’s is offering to victims of the hack is only free for one year, after which, unless customers proactively cancel, they will have to pay for. Given that the terms of service state that users must use a credit or debit card to sign up this has opened up Equifax to criticism for potentially trying to profit from the security breach.

In response, Robert Weissman, president of the consumer watchdog Public Citizen, bashed Equifax’s reaction, claiming that it, “appears that the company thinks one of the worst data breaches in history is a marketing opportunity. Instead of trying to rip people off with new hidden charges and trick consumers to give up their rights it might be a better idea to actually remedy the harm.”

Despite having over six weeks to prepare their public approach, Equifax majorly flubbed it. The company’s disorganized initial response further stoked the flames of the growing crisis. After botching the company’s proactive solution for those affected by the hack by lazily porting over an already written terms of service agreement, Equifax set out to clarify and wrangle control over narrative before it got out of hand.

Friday evening, Equifax issued a statement to douse water on the flames. The statement read, “In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.” Equifax added further clarification for consumers on an updated FAQ page on the TrustedID program which limits the scope of the arbitration language in the TrustedID program’s terms of use to “the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.”

While Equifax is no stranger to criticism, the sheer deluge of bad press against the company appears to have hit a high water mark. It appears to have also drudged up a series of long-since forgotten scandals including the company’s practice of “collection and sale of consumer data,” a “lucrative and loosely regulated industry that in 2013 attracted the scrutiny of Senate investigators.”

In one report produced by the Senate Commerce Committee, congressional investigators found that these data brokers divided and organized data on Americans according to their financial characteristics, using labels such as “X-tra Needy,” “Fragile Families” and “Ethnic Second-City Strugglers” to describe the financially vulnerable. Beyond just labels, the Federal Trade Commission accused Equifax in 2012 of inappropriately selling consumer data to third party data brokers who then “used the lists to pitch loan modification and debt relief services to people in financial distress.”

The incident related publicity has even prompted discussions regarding the feasibility and desirability of the very business model that Equifax and other credit reporting companies employ. Prominent individuals have begun to question the role that private corporations should play in something as important as determination of credit, creating an opening for public debate and possible momentum for credit reform legislation.

Seizing on this opportunity, Congressional Representative Maxine Waters, ranking member of the House Committee on Financial Services, called for a complete overhaul of the nation’s credit reporting system in a statement issued on Friday.

In the release, Waters states, “Given the important role credit scores play in the lives and financial futures of hardworking Americans, Congress must diligently examine the way our credit reporting agencies are operating and impose additional statutory and regulatory reforms to protect the integrity of the country’s credit reporting system.” Waters further added that she will continue to push for “an overhaul of our nation’s credit reporting system” including new legislation she plans to introduce soon to better protect consumers and their identities.

Democratic Senators, Mark Warner of Virginia, and Elizabeth Warren of Massachusetts, also voiced their support for congressional review and potential legislative action.

But wait… there’s more…

Executives Dump Stock Before Breach Was Made Public:

Further exacerbating the already mammoth-sized scandal, public financial disclosure forms revealed that three senior Equifax executives sold shares worth almost $1.8 million in the days after the company discovered the security breach into their systems. While the shares were not part of a sale planned in advance, the company maintained that the three high level executives had not yet been informed of the incident.

Equifax said earlier in a statement that it discovered the intrusion on July 29. According to Bloomberg, who first broke the news of the stock sales, “Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.”

Ines Gutzmer, a spokeswoman for the credit-reporting service, told Bloomberg that the trio “sold a small percentage of their Equifax shares,” and that they “had no knowledge that an intrusion had occurred at the time.” However, Bloomberg notes that “Gamble sold more than 13 percent of his stake in Equifax. Loughran sold 9 percent of his holdings and Ploder disposed of 4 percent,” a not-completely-insignificant stake of their holdings.

When news of the cyber-breach broke, “Equifax shares tumbled 13 percent to $123.81 in early trading at 9:04 a.m. in New York.” On August 1st, the date of the three executive’s stock sales, the closing price of Equifax stock was $146.26. The 15.3% savings the trio netted would amount to a combined $272,482 or nearly 86% of the cost of an average American home, a home which, in order to buy, would likely require one to receive the approval of a credit-reporting service like Equifax.

Key Takeaways:

• Equifax suffered a massive security breach resulting in over 143 million American consumers sensitive data being compromised. The data includes Social Security numbers, home addresses, and driver’s license numbers. In response to the breach, Equifax established a website, https://www.equifaxsecurity2017.com, you can check to see if your personal information may have been stolen in the breach. The company also launched a much criticized solution, a free year of their premium credit-monitoring service, which includes a clause in its terms of service that by signing, may or may not forfeit your right to pursue class action legal options against the company, although the company now contends this section does not apply in their FAQ.

• Equifax has had a bad day. From the P.R. fallout of the breach itself to the flubbed credit-monitoring solution whose terms of service agreement’s “arbitration clause” incited passionate backlash and the news of executive stock sales prior to the company’s public acknowledgement of the brief. Equifax’s problems, including the breach itself, seem to be almost entirely self generated as the company acted hastily and in a disorganized fashion. The recent fallout is an excellent case study in what not to do when confronted with a crisis.

• Equifax is in very hot water, it is bubbling and just on the verge of boiling. The major deluge of terrible press has also unearthed scandals from the past. The public negative sentiment towards Equifax creates the potential momentum necessary for changes in the industry, whether regulatory or broader legislative changes. This could spell major change for the credit-reporting business as the fallout from the financial crisis, which lead to the passage of Dodd-Frank did for the banking industry. Notable Congressional Representatives have publicly voiced their disapproval and intention to introduce legislation. although they were primarily Democrats, who do not have a legislative majority.

Questions Left:

• What will the long term societal fallout of this massive breach be? Given the sensitive nature of the data and its close link to individual finances we are in uncharted territory.

• Will there be a rash of credit related fraud?

• Will the housing market face a slowdown as credit freezes delay mortgages with added paperwork and security measures?

• Will new legislation impacting the credit-reporting industry gain the momentum needed to pass?

• Will there be any changes to the Social-Security-Number-centric credit system we use or any added security measures to access credit?

• What will the long term company-related fallout of this massive breach be?

• Will Equifax weather this storm quickly or will it drag out over time as credit related fraud resurfaces whenever public attention dies down too much?

• Will the company face new regulations? If so, will these regulations threaten the fundamental business model they utilize?

• More broadly, could this breach catalyze the action needed to shift our credit model from a for-profit corporation based system to a governmental solution?

Support Quality Journalism:

Read the original source reporting in full at the New York Times, the Washington Post, Bloomberg, and for further details and contribute to help support The Daily Briefing on our donation page or use our express donation form below.