Consumer credit reporting firm Equifax announced Thursday it suffered a data breach, after attackers gained system access by exploiting a website application vulnerability. Equifax discovered the breach on July 29 and, following an investigation, found the unauthorized access occurred from mid-May through July. This is the third cyberattack on the credit reporting agency since 2015 and one of the largest breaches of sensitive personal information, according to a New York Times report.
The breach affected approximately 143 million U.S. consumers, compromising 209,000 credit-card numbers, 182,000 personally identifying dispute documents and an unknown number of birth dates, addresses and Social Security and driver’s license numbers, according to the announcement.
Days before the hack was made public, three senior company executives — including the CFO — sold a total of $1.8 million worth of company shares, according to Bloomberg. Equifax claims the trio had not been made aware of the breach of company data. Company shares dropped 13% after news of the intrusion broke.
Cybersecurity is a huge priority for businesses, especially as the scale of attacks continues to grow. The Nyetya cyberattack cost Maersk $300 million in lost revenue, and "WannaCry" ransomware hit 200,000 targets in 150 countries; the largest hacks of 2016 crippled many organizations.
If a cybersecurity risk has the potential to affect investors, the U.S. Securities and Exchange Commission (SEC) requires companies to disclose information about it immediately. This July, the SEC issued a filing to investigate Yahoo's timing of breach disclosures. Whereas Equifax took just over a month to publicly disclose the breach, Yahoo took years.
Equifax was quick to set up credit monitoring and create a portal for potentially impacted consumers. But that does not lessen the impact of the data breach, which exposed very sensitive personal and financial information. The potential combination of compromised driver's license and Social Security numbers could serve as a hotbed for identity theft.
Equifax CEO Richard Smith was quick to recognize the company must do more for security, promising it has already worked to increase investments. But the reality is major breaches can be career-ending for executives, especially if not handled properly.
Executives selling shares just prior to the data breach revelation is particularly questionable. Cyberattacks impact companies' bottom line, and trading around the time of disclosure looks suspicious. Organizations are sure to continue suffering data breaches, but many need to learn how to better handle the crises. Transparency, quick disclosure and response are the best ways for companies to uphold their reputation.