Troubles for Equifax deepen amid new disclosure on breach

Houston Chronicle - BUSINESS - By Ken Sweet and Michael Liedtke

NEW YORK — Credit agency Equifax traced the theft of sensitive information about 143 million Americans to a software flaw that could have been fixed well before the burglary occurred, further undermining its credibility as the guardian of personal data that can easily be used for identity theft.

Equifax identified a weakness in an open-source software package called Apache Struts as the technological crack that allowed hackers to heist Social Security numbers, birthdates, addresses and full legal names from a massive database maintained primarily for lenders.

The disclosure, made late Wednesday, cast the Atlanta-based company’s damaging security lapse in an even harsher light. The software problem was detected in March and a recommended software patch was released shortly afterward. Equifax said the database intrusion began in May and continued until July.

Security experts said Equifax had more than enough opportunity to block intruders by sealing the security hole. “There is no excuse for not following basic cybersecurity hygiene,” said Nate Fick, CEO of the security firm Endgame. “Some heads should definitely roll for this; it’s only a question of how many.”

The company didn’t respond to inquiries on Thursday.

Equifax was already under fire for not disclosing the break-in until Sept. 7 — nearly six weeks after the company discovered it — as well as for its handling of consumer inquiries about their exposure: whether their personal information had been compromised and how they could protect their identities.

On Thursday, Sen. Charles Schumer, D-New York, called for the resignations of CEO Richard Smith and Equifax’s entire board of directors unless the company offers consumers more comprehensive identity-theft protection for the next decade. So far, Equifax is merely offering free credit monitoring for a year. It’s also temporarily waiving fees for people who freeze their credit records to prevent identity thieves from defrauding them.


“What has transpired over the past several months is one of the most egregious examples of corporate malfeasance since Enron,” Schumer said, invoking the name of the notorious Houston company that manipulated energy markets and eventually went bankrupt in 2001.

Investors are clearly concerned about Equifax’s fate. The company’s stock has lost nearly a third of its value since it disclosed the breach. Three Equifax executives, including the company’s chief financial officer, preserved a significant chunk of their wealth by selling stock worth a combined $1.8 million just after management learned of the breach, but well before the public was notified.

Equifax said last week that the officials didn’t know about the breach at the time of those sales. But many senators want the Securities and Exchange Commission and the Justice Department to examine whether Equifax managers violated insider-trading laws when they sold after the company found out it was hacked.

FTC investigation

In another sign of the storm swirling around Equifax, the Federal Trade Commission took the unusual step of announcing it has opened a probe into the company’s practices.

The FTC is not the only authority looking into the breach. The Consumer Financial Protection Bureau previously announced its own investigation, and the House Financial Services Committee plans to hold hearings on the breach in early October when Smith is scheduled to testify. Politicians from both major parties are calling for additional investigations by Congress or the Department of Justice, raising the possibility of criminal charges.
