Until 12 Days Post-Breach, None Knew Equifax Had Suffered Massive Hack
Equifax says that four top executives did not know the company had suffered one of the worst breaches in history when they sold shares worth about $1.8 million, or about $2 million once a fourth executive's sale was added to the review. Those executives included the company's CFO, who was the first of the four to learn of the breach, but not until 12 days after it was discovered.
Those findings come via a special committee, chaired by Equifax board member Elane B. Stock, that the company's board of directors appointed to investigate the suspiciously timed trades as well as the company's cybersecurity practices. Equifax reported the committee's findings to the U.S. Securities and Exchange Commission in a Form 8-K filing on Friday.
The Equifax breach resulted in the theft of personal information pertaining to 145.5 million U.S. individuals, including Social Security numbers, birth dates, addresses and in some cases, driver’s license numbers. Also, 15.2 million U.K. records were exposed along with 8,000 Canadian records (see Gauging Equifax’s Future in Wake of Massive Breach).
After Equifax first publicly disclosed its breach on Sept. 7, the company almost immediately faced potential insider-trading questions over the timing of the four executives' stock sales. The stock sales occurred just days after July 29, when the company discovered suspicious activity on its systems.
Trading on non-public information is illegal under U.S. securities laws.
“The board takes seriously any allegation of insider trading,” says Equifax’s non-executive chairman, Mark L. Feidler, in the filing. “The conclusion that company executives in question traded appropriately is an extremely important finding and very reassuring.”
Attackers Hacked Unpatched Struts
The SEC continues to investigate the circumstances surrounding the massive Equifax breach as well as the timing of the executives' stock sales. Equifax also faces numerous probes from U.S. state and federal regulators and from U.K. and Canadian regulators, as well as class-action lawsuits in the United States and Canada.
The Equifax breach occurred after attackers exploited a vulnerability in Apache Struts, the web application framework used by an Equifax web application. Apache had issued a patch for the Struts vulnerability in early March, months before the attackers gained access.
But Richard Smith, Equifax’s ex-CEO, who retired on Sept. 26, told Congress last month that one employee on the security team failed to heed a security alert about the flaw that was circulated by the company’s IT team around March 9, leaving the system unpatched (see Equifax Ex-CEO Blames One Employee For Patch Failures).
‘Trading Preclearance Requirement’
The special committee's report also offers additional details on how the company responded to the breach.
The special committee focused on John W. Gamble, CFO; Joseph M. Loughran, president, U.S. Information Solutions; and Rodolfo O. Ploder, president of Workforce Solutions. The committee expanded the review to include Douglas G. Brandberg, senior vice president of investor relations, who also sought clearance to sell shares.
The special committee interviewed 62 people and reviewed 55,000 documents, including emails, text messages, phone logs, calendar entries, voice mails and electronic documents generated between July 29 and Aug. 2, when the last two trades were completed. The committee also reviewed emails and texts to and from the executives’ administrative assistants, Equifax says.
The committee found that all four executives, who are subject to the company's "trading preclearance requirement," its insider-trading policy, did seek permission from Equifax's legal department to sell shares. Under company procedures, certain executives are only allowed to sell shares after obtaining preclearance, and only within a limited trading window, according to the filing.
After being notified of an open trading period between July 28 and Aug. 31, the four executives proceeded accordingly:
- Gamble requested clearance to sell 6,500 shares, which was 13.4 percent of his holdings. The stock sold on Aug. 1, when Equifax’s share price closed at $146.26, making the trade worth around $950,700.
- Loughran requested and received permission to sell 4,000 shares, worth around $585,000, on July 28. Those shares sold on Aug. 1.
- Ploder obtained preclearance to sell 1,719 shares on Aug. 1 and sold on Aug. 2. The stock closed at $145.49 that day, making the sale worth $250,100.
- Brandberg obtained preclearance to sell on Aug. 1, the same day his 1,724 shares sold for $250,800.
Notification Delay, For Some Executives
One of the lingering Equifax breach questions is why it took nearly six weeks, from the July 29 discovery to the Sept. 7 disclosure, for the company to begin notifying victims. The filing shows it took 12 days before even one of the four aforementioned senior executives knew something was wrong.
On Aug. 10, Gamble became the first of the four executives to learn of the breach, at a management offsite meeting. He received a more “detailed briefing” on Aug. 17 and then more details on Aug. 22 during a senior leadership team meeting.
Loughran was next, learning at a "general level" of a security issue via texts, emails and phone calls with Equifax's legal department starting on Aug. 13. Brandberg learned of the breach on Aug. 14 and received further details at the Aug. 22 meeting, where Ploder first heard of it.
On Aug. 15, Equifax imposed a blackout on trading for all employees who had knowledge of the breach, five days after Gamble first learned of the incident and two days after Loughran did.
While the special committee has submitted to the SEC its report on the four executives’ compliance with the company’s insider trading policy, its broader cybersecurity review remains underway. “The special committee continues to review the cybersecurity incident, the company’s response to it, and all relevant policies and practices,” according to its filing.
Executive Editor Mathew Schwartz contributed to this report.