As many as 143m customers of Equifax, one of the three largest US credit agencies, had their information compromised in recent months after the company suffered a massive cyber security breach.
In July, before the incident was made public, three Equifax senior executives sold shares in the company worth almost $1.8m.
Chief financial officer John Gamble sold shares worth $946,374 and president of US information solutions Joseph Loughran exercised options to sell stock worth $584,099.
The president of workforce solutions Rodolfo Ploder also sold stock worth $250,458.
Ines Gutzmer, head of corporate communications for Equifax, insisted that the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares”.
Between mid-May and the end of July, cyber-criminals had access to the data of some of the company’s US, UK and Canadian customers.
The hackers were able to wade through personal information including birth dates, addresses, Social Security and credit card numbers by exploiting a “website application vulnerability”, Equifax said.
The company’s chairman and CEO Richard Smith said:
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
For now, Equifax has said it will work with regulators in the US, UK and Canada to deal with the consequences of the breach.
The company is also offering affected customers free credit monitoring and identity theft protection for a year.
Richard Parris, the chief executive of security company Intercede, told Verdict:
“Companies like Equifax are supposed to be the bastions of customer data. Yet, as has worryingly become commonplace today, businesses are continuing to neglect how they protect customer data — and even their own data. Recent research we conducted found that 86 percent of systems administrators within major enterprises — those people that hold the keys to an organisation’s kingdom — are using basic password authentication to protect data.”
Etienne Greeff, the co-founder of cybersecurity firm SecureData, agrees that Equifax failed to protect its customers, adding that the company is not doing enough to manage the consequences of the breach.
“Today’s news on the hack against credit reporting firm Equifax is a textbook example of how not to handle a data breach effectively. Over half the population of America was put at risk, not to mention the vast number of credit cards that were compromised. Yet, despite the severe and far-reaching repercussions of the incident on customers, the reaction from the company has been lacklustre and worrying.”
Verdict takes a look at some of the other companies and organisations which have fallen victim to big data hacks.
1. Yahoo
Yahoo was targeted in at least two separate cyber attacks in 2013 and 2014 that affected more than 1bn of its users’ accounts throughout the world.
“An unauthorised party” broke into the accounts in what were “state-sponsored” attacks, Yahoo said in a statement posted on its website at the time.
The hackers used “forged cookies” — bits of code that stay in the user’s browser cache so that a website doesn’t require a login with every visit, according to Bob Lord, Yahoo’s chief information security officer.
2. Friend Finder Networks
In November 2016, adult dating and pornography site company Friend Finder Networks was hacked, exposing more than 412m accounts, making it one of the largest data breaches in history.
Email addresses, passwords, dates of last visits, browser information, IP addresses and site membership status were compromised.
Among the leaked account details were 78,301 US military email addresses, 5,650 US government email addresses and over 96m Hotmail accounts.
3. Anthem Inc
In 2015, the health insurer Anthem Inc suffered a data breach which compromised the social security numbers of about 80m customers.
The hackers accessed the information using “phishing” scam emails that were made to look like they were sent by Anthem, the second-biggest insurer in the US.
In the aftermath of the breach, Anthem president and CEO Joseph Swedish said:
“Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join in your concern and frustration and I assure you that we are working around the clock to do everything we can to further secure your data.”
4. Spambot accounts
Last month, more than 700m email addresses, as well as a number of passwords, were leaked because of a misconfigured spambot.
The data was available because the spammers failed to secure one of their servers.
However, the damage was contained because the majority of the compromised email addresses were not linked to real accounts.
Many were incorrectly scraped from the web, while others had been the result of guesswork.
5. Deep Root Analytics
In June, the personal data of nearly every registered American voter was left vulnerable to theft on a public Amazon cloud server by a marketing firm contracted by the Republican National Committee (RNC).
The huge cache of sensitive personal details relating to almost 200m US citizens was accessible to anyone on the internet for 12 days.
The information included birth dates, home addresses, telephone numbers and political views of nearly 62 percent of the US population.