Equifax, as everyone knows now, proved inept at securing the most sensitive personal and financial data of as many as 143 million Americans. But it turns out the company was exceptionally good at protecting news of the hack from getting out.
The credit-reporting bureau was, it seems, able to keep that news from top executives, the board and eventually the public for far longer than other corporate victims. LinkedIn confirmed a 2012 hack just three days after the social network found out about it. Target confirmed its huge hack in 2014 seven days after it was discovered, and a day after rumors, spread by cybersecurity bloggers, had begun circulating that the retailer’s customers’ credit card information had been breached. At Equifax, however, the company was able to keep that information safe from the public for 39 days. And you say former CEO Richard Smith isn’t deserving of a $7.6 million stock bonus?
The timing is important. It is human nature to want to hide bad news for as long as possible, but it is absolutely toxic for confidence in publicly traded corporations, which most often trumpet the virtues of transparency. Any delay in disclosure naturally raises suspicion about what a company might be trying to hide. And when it comes to the breach of consumers’ most vital personal information, the delay risks real damage, regardless of any best intentions. In Equifax’s case, its tardiness compounded a host of problems it might have been able to avoid.
At a congressional hearing on the hack on Tuesday, Smith said Equifax had 225 cybersecurity experts on its payroll worldwide, none of whom were able to prevent the breach. Yet the company has one general counsel, John J. Kelley, who also appears to have overseen security for the firm, as well as a board that, put nicely, liked to keep its schedule light.
Understandably, much of the questioning at the hearing on Tuesday was about when Smith and the rest of his executive team knew about the hack and whether they kept that information from the public longer than they should have. Smith said that he became aware of some kind of cybersecurity event on July 31, but, he says, he didn’t know that consumer information was stolen. Given what his company does, he could probably have guessed what hackers were after.
A day later, three top executives, including the company’s chief financial officer, started selling shares. They, according to Smith, didn’t know about the hack. Kelley, the company’s top lawyer and, once again, also the head of corporate security, signed off on the stock sales although he had been made aware of suspicious cyber activity on July 30. It wasn’t until two weeks later, in the afternoon, that Smith’s crack team of 225 cybersecurity experts was able to report back to the CEO that the company’s consumer database had been hacked. That’s important, because just that morning, conveniently before his hack briefing, Smith gave a rosy speech about the company and how it understood the importance of cybersecurity.
Smith says it was still another two days before he was 100 percent sure that consumer data had been compromised. The board wasn’t made aware until five days later and then presumably decided collectively that consumers didn’t have a right to know for 15 more days. And that was after, as Bloomberg has reported, someone at Equifax alerted LifeLock about the hack so that Equifax’s partner could profit from it. Nice work all around.
It’s important to understand that what happened at Equifax was not just a technological failure but, more important, a failure of management and corporate governance. Questions about why Equifax was so tardy in telling the victims about the egregious breach are a start, but the company still has a lot more questions to answer and changes to make before shareholders and the public in general can trust it again.
This column does not necessarily reflect the opinion of Bloomberg LP and its owners.
To contact the editor responsible for this story:
Daniel Niemi at [email protected]