In what is quickly becoming one of the highest-profile data breaches in history, in which the credit information and services company Equifax exposed up to 143 million Americans’ personal and financial information, new details about the company’s previous SEC comment letter and response bring to light the long-standing severity of the situation. All this while those affected struggle to regain security and peace of mind.
On September 7, 2012 – five years ago, to the day of Equifax’s major breach disclosure – an SEC comment letter was sent stating, “We note you disclose that disruptions to your information technology networks and infrastructure may be vulnerable to damage, disruptions, or shutdowns due to various events, including cyber-attacks and other security breaches.”
In its September 24, 2012 response Equifax told the SEC, “We collect and store sensitive data, including intellectual property, proprietary business information, the proprietary business information and personally identifiable information of our customers, employees, consumers, and providers…The secure operation of these networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy.”
The company went on to admit in the response that, “Although we have not experienced any material breach of cybersecurity, if one or more of such events occur, this potentially could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen. Any such access could subject us to litigation, significant losses, regulatory fines, penalties or reputational damage…Our property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur.”
As is customary with such cybersecurity incidents, Equifax announced late on Sept. 15 the departure, in the form of early retirement, of two of its top executives: Susan Mauldin, the company’s top security officer, and Chief Technology Officer David Webb. Mauldin, and her college music degree, had faced severe criticism over the past week for lacking many of the qualifications considered by experts to be essential for such a post. She is replaced by Russ Ayers, an Equifax technology executive, and Webb is to be replaced by Mark Rohrwasser, an Equifax international technology operations employee. That both positions were filled by internal promotion is likely to raise eyebrows.
The U.S. Justice Department has already opened an investigation into the three executives who sold stock before the data breach was disclosed and is determining whether any criminal prosecution is warranted. The executives, John Gamble, Joseph Loughran and Rodolfo Ploder, sold nearly $1.8 million in Equifax shares on Aug. 1, but the company has maintained that none of them were aware of the breach and the three continue to hold their positions in the company.
Government officials are also questioning the amount of time it took for the company to disclose the hack. The company reportedly became aware of the problem on July 29 but did not disclose the breach to the public until Sept. 7. This has led many, including Rep. Ted Lieu, a Democrat from California and a member of the House Foreign Affairs and Judiciary Committees, to question “the muddled patchwork of 48 different state laws that governs when and how companies are required to report data breaches.”
Lieu said he is planning to introduce new legislation that will also address the company’s ability to “enact their forced arbitration clauses in the event of a data breach.” This arbitration clause was originally cited by the company in an attempt to stop the barrage of litigation that is sure to follow such a massive cybersecurity incident.
Additionally, the company has come under fire for failing to apply a readily available patch for a months-old vulnerability, a lapse that allowed attackers to gather the estimated 143 million Americans’ personal information.
The company wrote in an updated statement, “Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
With Equifax stock down 30 percent since the disclosure of the breach, many are wondering when the bleeding will stop, with some predicting that the shares could fall to as low as $50 per share, roughly one-third of their pre-breach value.