Three high-ranking executives at Equifax, the massive credit assessment company, sold nearly $1.8 million worth of stock just days after the company detected a large-scale data breach, according to Bloomberg.
Equifax disclosed the hack Thursday after discovering the virtual infiltration July 29. The corporation says the trio of higher-ups — CFO John Gamble, president of U.S. information solutions Joseph Loughran, and president of workforce solutions Rodolfo Ploder — were unaware of the hacking incident. Regulatory filings show that Gamble sold $946,374 in shares, while Loughran and Ploder sold $584,099 and $250,458 in stock, respectively, Bloomberg reports.
“The stock sale certainly raises questions,” Dimitri Sirota, co-founder and CEO of BigID, an identity data protection software company, told The Daily Caller News Foundation. “Most US states have breach reporting requirements which means that at least the general counsel or the executive leadership would have to be informed and aware.”
Cyber criminals infiltrated the corporation’s website application and leaked personal information like names, birth dates, addresses, social security numbers, and for some, drivers licenses and credit card numbers, according to the credit reporting firm. Equifax services include providing customers with credit information, among others. It says it responded as soon as possible after identifying the “unauthorized access.”
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” chairman and CEO Richard F. Smith said in a press release. “I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
George Avetisov, CEO of HYPR, a biometric security firm, says the breach is not surprising due to the way Equifax manages its customers’ information.
“This breach is archetypical example of how centralizing sensitive data inevitably leads to an event of this magnitude,” Avetisov told TheDCNF. “When data is stored centrally, as it often still is, it’s not a matter of if, but when it will be breached.”
He suggests that companies and their respective security officers utilize the decentralized model in which data isn’t kept in large repositories, but across multiple systems.
“Decentralized authentication is already deployed across tens of millions of users in banking, insurance and payments,” said Avetisov. “The burden is on enterprises, not consumers, to explore these options.”
Alex Heid, a white hat hacker and chief research officer at SecurityScorecard, a company that monitors and grades the cybersecurity health of any organization, says so far the circumstances of the situation led to “a perfect storm.”
But not all the factors of the massive breach are yet known. The Payment Card Industry Data Security Standard (PCI DSS) requires File Integrity Monitoring (FIM), meaning Equifax is compelled by industry guidelines to constantly watch over the data. But the breach and leaks reportedly occurred for roughly two months before Equifax was able to discover it, which seems to show that monitoring was either not taking place, or was done so ineffectively.
Morey Haber, the vice president of technology at BeyondTrust, an American company that offers cybersecurity services, among others, says many questions remain.
“I hope they [facts] come to light soon,” Haber told TheDCNF, “and as with any larger breach involving payment and card data, it remains to be seen what monetary and punitive damages Equifax will face from the PCI council.”
Sirota said official investigators will likely want to launch a probe, but added the executives dumping of stocks “may have been a timed sale and purely coincidental.”
Send tips to email@example.com.
Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact firstname.lastname@example.org.