Recent hurricanes Harvey and Irma have caused massive destruction in Texas and Florida, respectively. And then we have Jose, which may strike New York City. [Check Ventusky for the forecast map].
But none of these hurricanes have the potential to impact as many people as Hurricane Equifax, the massive breach of 143 million Americans’ personal information (Social Security numbers, credit card numbers, birthdates and other information).
According to the Washington Post, “The tale began on July 29, when the company’s security team detected suspicious network traffic associated with the software that ran its U.S. online-dispute portal. After blocking that traffic, the company saw additional “suspicious activity” and took the portal’s software offline.
At this point, Equifax’s retelling grows cloudy. The company said an internal review then “discovered” a flaw in an open-source software package called Apache Struts used in the dispute portal, which it then fixed with a software patch. It subsequently brought the portal back online.
But that vulnerability had been known publicly since early March 2017, and a fix was available shortly thereafter — facts that Equifax acknowledged in its Friday statement. The company did not say why the software used in the online-dispute portal hadn’t been patched earlier, although it claimed that its security organization was “aware” of the software flaw in March, and that it “took efforts” to locate and fix “any vulnerable systems in the company’s IT infrastructure.”
Three Equifax executives — not the ones who are departing — sold shares worth a combined $1.8 million just a few days after the company discovered the breach, according to documents filed with securities regulators.
Equifax shares have lost a third of their value since it announced the breach.
While the suspicious activity occurred on July 29, Equifax did not report the incident until September 7, although Equifax clearly understood the seriousness of the breach, since three Equifax executives sold their shares a few days after discovering the breach. Thus far, Equifax has lost 35% of its share value.
Equifax corporate bonds took a hit as well. But the rise in their bond price after the breach was detected was primarily due to declining 10-year Treasury yields as opposed to something nefarious.
There were two disclosed insider trades immediately AFTER the July 29 breach detection (Gamble and Ploder). Chief Financial Officer John Gamble banked $946,374 on the sale and Consumer Information Solutions President Rodolfo Ploder earned $250,458. In the same filing, Loughran exercised an option to buy 3,000 shares at a price of $33.60.
While there is nothing suspicious about Equifax bond price decline, there is something really odd about the Equifax put option at a 135 strike price that traded on August 21. At $0.75 too!
I have no idea who purchased these profitable put options (at unusually large volume for Equifax) since it was before the revelation of a data breach on September 7th. But the trades stick out like a sore thumb.
Equifax’s likely defense.