On March 8, 2017, the U.S. Department of Homeland Security notified Equifax, the credit reporting agency, that software used in its website contained a serious vulnerability. According to the prepared congressional testimony of Richard Smith, then Equifax’s CEO, the company recognized the significance of the warning but failed to apply the necessary patch.
On May 13, exactly as the company had been warned, hackers used the known vulnerability to gain access to Equifax’s vast storehouse of consumer credit information. Equifax didn’t notice the ongoing hack until July 29. After a day of observing the hackers in operation, Equifax took the vulnerable web application offline. (This is all according to Smith’s prepared testimony, which was presumably tailored to make him look good.)
On Friday, Aug. 25, Equifax executives received an email informing them of a “VERY large breach opportunity,” a peculiarly cheery euphemism for the disaster. The following Monday, the chief information officer of an Equifax unit, Jun Ying, searched the web to learn what effect the news of a prior hack had on another company’s share price, according to a civil complaint filed against him by the Securities and Exchange Commission and a parallel criminal indictment. After learning the other company’s share price dipped on the news, Ying allegedly exercised all his vested stock options and sold 6,800 shares of Equifax stock that very day, reaping $950,000.
On Sept. 7, Equifax announced the breach, revealing that the personal identifying information of some 143 million Americans – names, Social Security numbers, birthdates, addresses, and in some cases driver’s license numbers – had been acquired by criminals. Equifax’s stock price took an immediate hit. If Ying had waited until the breach was publicly known, his proceeds would have been $117,000 less, according to the SEC.