Ousted Equifax CEO Faces 3 Congressional Hearings
Board of Directors Investigation Reportedly Now Focusing on Chief Legal Officer
Mr. Smith is going to Washington.
This week, Richard Smith, the former CEO and chairman of the board at embattled credit-reporting bureau Equifax, is set to testify before three Congressional committees over the company’s massive data breach.
The breach at Equifax, which the company first disclosed on Sept. 7, exposed 143 million U.S. consumers’ personal details, including Social Security numbers.
The hearings will likely focus on Equifax’s information security practices, breach response, data obtained by hackers, as well as the suspicious timing of stock sales by three top executives.
Smith, who “retired” last week, is due to appear before the House Energy and Commerce Committee on Tuesday, followed by the Senate Banking Committee on Wednesday and the House Financial Services Committee on Thursday. At all three hearings, Smith – now listed as being “adviser to the interim CEO and former chairman and CEO of Equifax” – is the sole witness being called.
When Smith retired, he handed the reins to Paulino do Rego Barros, who will serve as interim CEO until the board finds a permanent replacement. Smith, meanwhile, has agreed to advise Equifax for 90 days.
Prior to his resignation, Smith had written that the breach was the “most humbling moment” in the history of 118-year-old Equifax.
Questions Dog Stock Sale Timing
A Sunday report in the Wall Street Journal says that Equifax’s board of directors is focusing on the role played by Equifax Chief Legal Officer John J. Kelley, who oversaw information security at the company – the company’s CSO reports to him – and who had ultimate authority for approving stock sales.
After Equifax warned that it had been breached, a review of the company’s filings with the U.S. Securities and Exchange Commission revealed that three executives, including the CFO, collectively sold Equifax stock worth almost $1.8 million on Aug. 1 and Aug. 2 – just days after the breach was discovered, and well before the company issued its public breach notification.
The company notified the SEC about the stock sales on Aug. 3 in documents signed by Lisa Stockard, assistant general counsel at Equifax.
The stock sales generated $946,374 for CFO John Gamble, $584,099 for U.S. Information Solutions President Joseph Loughran – who also exercised an option to purchase 3,000 shares at a price of $33.60 – and $250,458 for Consumer Information Solutions President Rodolfo Ploder (see Equifax Breach: 8 Takeaways).
Equifax has claimed the executives did not know about the breach at the time of their stock sales. But some outside executives have noted that it would have been highly unusual for the publicly traded company’s CFO to not have been part of an emergency meeting of the executive management committee to plan its breach response.
Meanwhile, a letter from Equifax lawyer Theodore Hester to members of Congress, dated Thursday, said that the board has formed a special committee to investigate the stock sales and that it “takes these matters seriously,” Reuters reports.
Equifax declined to share a copy of the letter, which was the company’s response to questions posed by Democrats on the House Energy and Commerce Committee. The committee could not be immediately reached for a copy of the letter.
Smith’s Delayed Compensation
Smith’s departure followed those of the company’s CIO and CSO, which Equifax likewise described as “retiring.” Equifax says Smith will forego his severance package, but noted that he might still be due compensation worth up to $90 million, contingent upon the results of the board’s cybersecurity investigation.
In an SEC filing, the company says that “any obligations or benefits owed” to Smith will be evaluated following that investigation, suggesting that the board could attempt to “claw back” some of Smith’s compensation if it finds fault with his leadership.
In 2016, Smith received a pay package of nearly $15 million, and he holds stock in the company currently valued at $29 million, although not all of it has vested.
Equifax, Under Pressure
The Equifax breach is now the focus of a criminal investigation by the FBI. Equifax also faces investigations by at least 40 state attorneys general, probes by the Federal Trade Commission and the SEC, as well as consumer lawsuits and legal actions by financial services firms whose customers’ payment card details were exposed.
The Justice Department last month announced that it has opened an investigation into the timing of stock sales by three senior Equifax executives, and both the SEC and the U.S. Attorney in Atlanta are reportedly participating in the probe (see More Questions Raised After Equifax CIO, CSO ‘Retire’).
SEC Chairman Jay Clayton appeared to confirm the probe last week when testifying before the Senate Banking Committee. “I’m glad to hear that you’re investigating,” Sen. John Kennedy, R-La., told Clayton, who replied: “Thank you.”
Equifax is also facing probes by U.K. and Canadian regulators, owing to the breach exposing personal data for 400,000 British consumers and 100,000 Canadian consumers.
Probing Breach Details
This week’s hearings on Capitol Hill will likely see lawmakers demanding more extensive details about what data, exactly, attackers obtained, and how it was being secured. Equifax has yet to describe precisely what was stolen in the breach, except to say that Social Security numbers, names, birthdates and addresses were exposed, as were drivers’ license numbers, in some cases.
The hearings could presage further calls for greater privacy rights for consumers and oversight of the “big three” data brokers – Equifax, Experian and TransUnion. But Republicans, who control a majority in Congress, have signaled that they do not expect to pass any new legislation as a result of the Equifax breach (see Cynic’s Guide to the Equifax Breach: Nothing Will Change).
Equifax has already stated that attackers exploited a flaw in its open source Apache Struts application framework that it failed to patch after Apache issued an emergency security update on March 6. On March 10, hackers reportedly used the flaw to exploit Equifax (see Equifax’s Colossal Error: Not Patching Apache Struts Flaw).
Equifax says it discovered the breach on July 29.
Timeline
‘Top-Secret Project’
Since at least February, Equifax was aware that online attackers had been abusing its payroll service by entering stolen information – including Social Security numbers – and downloading W-2 and other tax forms for employees from multiple firms. These forms were allegedly then used to file fraudulent tax returns in employees’ names (see Equifax Disputes Report of Undisclosed Breach From March).
Equifax hired FireEye’s Mandiant incident response group in March to investigate the attacks as part of what Smith designated as “a top-secret project,” one unidentified source told Bloomberg. But Equifax’s relationship with Mandiant allegedly soured, with Equifax suggesting that the team deployed by Mandiant was undertrained.
Equifax could not be immediately reached for comment on that report, which suggests that the breakdown between the company and Mandiant may have allowed the Apache Struts attackers to roam unchecked for a longer period of time.
But Mandiant was brought in again after Equifax discovered signs that it had been hacked in March, in what may or may not have been a separate attack. In a report issued last month to Equifax’s customers – including banks – Mandiant reportedly said that attackers had installed 30 web shells across various Equifax systems, giving them persistent access. Investigators reportedly said they were able to identify who hacked Equifax.
FireEye declined to comment.
Poor Victim Support
As part of its breach notification, Equifax created a website – www.equifaxsecurity2017.com – designed to give consumers breach-related information. But it has been dogged by technical problems.
The company’s own customer support team has also been inadvertently directing potential breach victims to a lookalike site, securityequifax2017.com, created by a security researcher to highlight the risks faced by consumers when attempting to differentiate Equifax’s official breach notification site from potentially bogus ones.
Following the breach, Equifax faced widespread criticism for apparently requiring anyone who signed up for the identity theft monitoring service it was offering – prepaid for the first year – to waive their right to participate in any lawsuits against Equifax.
Equifax quickly adjusted those terms of service. But it – and other credit-reporting agencies – have faced criticism from consumer-rights groups, and Democratic legislators, for charging breach victims a fee to freeze their credit files. Identity theft experts say that credit freezes remain the best way for breach victims to protect themselves.
Equifax says that by Jan. 31, 2018, it plans to offer consumers the ability to permanently restrict access to their personal credit data. “The service the company is developing will let consumers lock and unlock access to their Equifax credit files, at will, without charge and for life,” the company said in a Thursday 8-K filing to the SEC.
Late last month, student loan refinancing website LendEDU says it surveyed 1,000 American consumers over the age of 17 about the Equifax breach and found that 84 percent of respondents had heard of it, but only 45 percent had visited Equifax’s breach-notification site to see if they were a victim. That’s despite the breach having resulted in the exposure of data relating to a majority of American adults.