Pay attention to the dates in this post.
Equifax is a consumer credit reporting firm, the oldest of the three largest U.S. credit agencies (the other two are Experian and TransUnion). Founded in 1899, Equifax gathers and maintains information on over 800 million consumers and more than 88 million businesses worldwide. Based in 1550 Peachtree St. NW, Atlanta, Georgia, Equifax is a global service provider with $2.7 billion in annual revenue and more than 9,000 employees in 14 countries. Equifax is listed on the New York Stock Exchange (NYSE).
On Thursday, September 7, 2017, Equifax said that on July 29, i.e., 39 days ago, the company discovered that some time in May, someone(s) hacked into its online databases and stole the names, birth dates, Social Security numbers, addresses and driver’s license numbers of 143 million consumers in the United States.
The company admitted that 209,000 U.S. credit card numbers are also breached, as well as “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”
But Equifax has not told the public how the data breach happened.
The next day, Sept. 8, speaking to Jeffrey Meuler, an analyst at RW Baird & Co., Equifax blamed the hacking on a flaw in the STRUTS open-source software used to run its online databases.
STRUTS is a widely available software system, created by the Apache Foundation, which is used by about 65% of Fortune 100 companies — including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime — and by the IRS.
STRUTS has been under attack by hackers since at least March, according to Ars Technica, which has reported on the software’s vulnerability. So Apache issued several patches or software fixes for its STRUTS system, but it’s unclear if the company had patched its systems since March. (New York Post)
Reporting for CNBC on Sept. 8, Todd Haselton and Yen Nee Lee discovered from filings to the Securities and Exchange Commission (SEC) that on August 1 and 2 — two days after the company had discovered the data breach, and 37 days before Equifax informed the public about the breach — three Equifax executives sold nearly $2 million in Equifax shares.
The three executives are:
- Corporate vice president and chief financial officer John W. Gamble Jr. sold 6,500 shares at a price of $145.596, valued at $946,374, on August 1, 2017. (See the SEC’s Form 4, “Statement of Changes in Beneficial Ownership,” here.) In 2016, Gamble received $632K in salary, $759K in non-equity incentive plan compensation, $1.2M in stock awards, and $17K in all other compensation, totaling $2.7 million. He has an estimated net worth of $12.2 million. (Source: Bigwigs).
- Workforce Solutions president Rodolfo O. Ploder, of 1550 Peachtree St. NW, Atlanta, GA 30309, sold 1,719 shares at a price of $145.70, valued at $250,458, on August 2, 2017. (See the SEC’s Form 4 here.) In 2016, Ploder received $500K in salary, $600K in non-equity incentive plan compensation, $785K in stock awards, and $105K in all other compensation, totaling $2 million. He has an estimated net worth of $19.8 million. (BigWigs).
- Chief marketing officer and U.S. Information Solutions president Joseph Michael Loughran III, of 1550 Peachtree St. NW, Atlanta, GA 30309, sold 3,000 shares at a price of $33.60 (total value: $100,800) and 4,000 shares at a price of $146.0247 (total value: $584,099), on August 1, 2017. (See the SEC’s Form 4 here) He has an estimated net worth of $12.3 million. (BigWigs).
The total value of Equifax shares sold by Gamble, Ploder and Loughran 2 days after Equifax had discovered the data breach and 37 days before the company informed the public about the breach is $1.88 million.
In a statement, while admitting that the three executives had sold a “small percentage” of their shares, Equifax insists the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Dr. Eowyn’s post first appeared at Fellowship of the Minds