
Senators Hammer Former Equifax CEO on Breach Timeline, Stock Sales

Richard F. Smith, former chairman and CEO of Equifax, Inc., testifies before the Senate Committee on Banking, Housing, and Urban Affairs on Oct. 4, 2017. (Rex Features via AP Images)

WASHINGTON – Members of the Senate Banking Committee castigated Equifax’s recently retired CEO today while squeezing out details on the company’s massive breach and subsequent dumping of stocks, with one lawmaker calling Equifax executives “the luckiest investors” in the country.

According to testimony from CEO and Chairman Richard F. Smith, who abruptly retired last week, the Department of Homeland Security notified the Atlanta-based credit reporting agency of a potential vulnerability through a US-CERT notification on March 8, but the full extent of the breach was not understood until August.

The FBI was notified of the breach on Aug. 2, after three senior executives sold shares of stock worth nearly $1.8 million on Aug. 1 and 2. As pointed out by Sen. Tim Scott (R-S.C.), those sales represented a $655,000 profit, compared to the devaluation of the stocks following the breach. The average Equifax stockholder has lost more than 36 percent of their stock value.

Equifax has repeatedly denied allegations of insider trading. The breach, which may have compromised personal information for an estimated 143 million Americans, was publicly disclosed on Sept. 7.

“So all the folks in the executive suite had no clue (about the breach), but they were the luckiest investors on Aug. 1 to sell the stock at the best price to net $655,000? This was pure luck and nothing else?” Scott asked. “I find that hard to believe.”

Smith said the company experiences millions of suspicious attacks every year, and the executives followed company protocol in selling the stocks, which was approved by Equifax’s general counsel. The executives in question are Chief Financial Officer John Gamble, U.S. information solutions president Joseph Loughran and workforce solutions president Rodolfo Ploder.

“These are honorable men who followed the protocol,” Smith said.

The hearing audience included an individual dressed as Monopoly’s Rich Uncle Pennybags, who wore a top hat and monocle and gently nodded or offered looks of skepticism throughout the testimony.

Smith offered a detailed timeline for lawmakers. He said that after the US-CERT notification on March 8, a technology scan was applied but there was a “communication breakdown” within Equifax’s patching organization and the full extent of the problem was not immediately realized. According to Smith, a security employee again saw suspicious activity on July 29, and the portal was shut down a day later. Equifax brought in internal forensics on July 30 and then outside cyber security experts on Aug. 2, which included forensic auditors, a law firm and the FBI. Smith said there was no indication of a security breach before stocks were sold on Aug. 1 and 2.

“This really stinks,” Sen. Jon Tester (D-Mont.) said. “I mean, it smells really bad, and I guess smelling bad isn’t a crime. … This length of time on a breach this big in this day in age, when we have folks that are pretty damn good at this stuff, especially when the Department of Homeland Security through US Cert says” there’s a problem and it wasn’t dealt with properly.

Tester called the events “absolutely unacceptable” while noting that as many as 500,000 adults could have been impacted in his home state of Montana, a state with a population of about 1 million.

“We apologize for the breach,” Smith said. “We’ve done everything in our power to make it right for the consumer, and we think these services we’re offering is a right first step.”

Equifax is offering five free services for the next year to consumers, including programs that will allow people to monitor their credit activity, lock their credit file, scan the “dark web” for Social Security number activity and access insurance to recoup up to $1 million in damages.

Sen. Ben Sasse (R-Neb.) suggested that Equifax’s legal responsibility for the breach should not last only a year, and Smith said that the combination of the yearlong services and a lifetime lock option is a “good combination of services” to protect data moving forward.

“The responsibility extends well beyond a year, senator,” Smith said, while adding that the “ultimate control” is a lifetime lock.