By Caroline Matthews, National News Writer
On September 7, Equifax, a global solutions company, announced a cybersecurity breach that may affect the sensitive personal data of approximately 143 million U.S. consumers. Hackers exploited a vulnerability in a U.S. website application, gaining access to certain files containing data such as names, social security numbers, birth dates, addresses, and, in a few cases, driver's license numbers. Furthermore, 209,000 credit card numbers and 182,000 litigation documents were compromised. The company was made aware of the unauthorized activity on July 29; an external cybersecurity firm was hired to conduct a complete forensic review to determine the scope of the intrusion and the specific data compromised. At present, the investigation is ongoing and is expected to be complete within the coming weeks.
The company’s response, however, is under severe scrutiny. It has come to public attention that on March 8th, researchers at Cisco Systems Inc. made Equifax aware of an online security vulnerability in its software that allowed hackers to break into servers containing personal consumer data. Equifax has maintained that its technology experts worked to identify and patch the security flaws during March. However, in late July, the suspicious traffic described above was discovered on Equifax’s servers, and some areas of the company’s software still contained the security flaw. According to a press release, the security staff again attempted to address the vulnerability, to no avail.
While the timeline of the security breach and Equifax’s ineffective security response have raised questions and distrust among the American public, it appears that these are the least of the company’s worries. On September 18th, Bloomberg reported a federal investigation into the questionable sale of stock by three Equifax executives before the official press release on the data breach was issued. The investigation is rumored to include U.S. prosecutors in Atlanta, the Federal Bureau of Investigation, and the Securities and Exchange Commission (SEC).
According to the SEC’s documents on file, Chief Financial Officer and Corporate VP John Gamble Jr., President of U.S. Information Solutions Joseph Loughran III, and President of Workforce Solutions Rodolfo Ploder all sold large amounts of Equifax stock in early August—the time between the discovery of the hack and the time in which the hack was publicly announced. Equifax maintains that “the three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.” Coincidentally, Gamble, Loughran and Ploder sold 13%, 9% and 4% of their common stock holdings, respectively, amounting to nearly $1.8 million. This has led many investigators, among them members of the U.S. House and Senate, to believe this was a move by the executives to avoid the financial bite of the press release. Shares of Equifax (NYSE:EFX) lost nearly 34.5% of their value from the time of the press release on September 7 through close on Friday, falling steeply from $142.72 to $92.98.
In order to prove insider-trading violations by those who sell their shares of stock, prosecutors must unequivocally show evidence of the seller’s knowledge of material, non-public information prior to the transaction. Essentially, this means the information must have been likely to affect the company’s stock price and must not have been disclosed to investors—but, more importantly, that the sellers had not been privy to the stock implications of their knowledge. Last week, a bipartisan group of U.S. senators asked the Department of Justice, the SEC and the Federal Trade Commission to investigate the executives’ stock sales.
A version of this article appeared in the Tuesday, September 26th print edition.