{"id":654,"date":"2017-11-07T05:30:43","date_gmt":"2017-11-07T05:30:43","guid":{"rendered":"https:\/\/securitycurve.com\/?p=654"},"modified":"2017-11-07T05:30:43","modified_gmt":"2017-11-07T05:30:43","slug":"equifax-flat-earth-report-or-just-incompetence","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=654","title":{"rendered":"Equifax: Flat earth report?  Or just epic incompetence?"},"content":{"rendered":"<p><img decoding=\"async\" class=\"alignright size-large lazyload\" data-src=\"https:\/\/i.ytimg.com\/vi\/TNV1U34p6jk\/hqdefault.jpg\" width=\"480\" height=\"360\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 480px; --smush-placeholder-aspect-ratio: 480\/360;\" \/>Ah Equifax. For connoisseurs of human folly, it is truly the gift that keeps on giving.<\/p>\n<p>Today <a href=\"https:\/\/investor.equifax.com\/news-and-events\/news\/2017\/11-03-2017-124511096\">we have a report from Equifax<\/a>, commissioned by their board, that concludes that those executives that sold their shares just a few short days after the breach were all totally innocent of any wrongdoing.\u00a0 Yes, yes, nothing to see here.\u00a0 It&#8217;s all good, they conclude.<\/p>\n<p>From the report:<\/p>\n<blockquote><p>The Special Committee&#8217;s report, which is attached, concludes that &#8220;none of the four executives had knowledge of the incident when their trades were made, that preclearance for the four trades was appropriately obtained, that each of the four trades at issue comported with Company policy, and that none of the four executives engaged in insider trading.&#8221; As part of the review process, the Special Committee conducted dozens of interviews, and reviewed more than 55,000 documents including emails, text messages, phone logs and other records.<\/p><\/blockquote>\n<p>Now, some out there are &#8220;calling shenanigans.&#8221;\u00a0 
I get that.\u00a0 It&#8217;s pretty suspicious looking &#8212; and we know that <a href=\"http:\/\/www.ajc.com\/business\/timeline-the-hacking-equifax\/U06rkYrFjPY4NWJ7B0uhuI\/\">their CEO knew about it<\/a>.\u00a0 So it strains credulity that these other folks were clue-free.\u00a0 But,\u00a0&#8220;flat earth&#8221; possibility aside, I actually think it&#8217;s possible that what the report describes could be the case.\u00a0 I also don&#8217;t think that&#8217;s great news for Equifax.<\/p>\n<p>Here&#8217;s what I mean.\u00a0 Since the beginning of this, I&#8217;ve held that there are two options with respect to the stock sales: 1) Equifax has four crooked execs, or 2) Equifax is rife with such epic incompetence that key executives had literally no clue that one of the biggest disclosures of customer data <strong>ever\u00a0<\/strong>took place until long long after the fact.\u00a0\u00a0Is the discovery that the answer is &#8220;epic incompetence&#8221; really all that much better?\u00a0 If the answer was &#8220;illegal shenanigans from crooked execs&#8221;, they could fire those people, we as a society could send them to jail, and Roberto&#8217;s your uncle.\u00a0 As it stands, we have a systemic problem in Equifax that is cultural, systemic, and pervasive.<\/p>\n<p>Why do I say it&#8217;s &#8220;epic incompetence&#8221;?\u00a0 A few reasons.\u00a0 First, the CFO literally was not informed about the breach.\u00a0 Likewise, their internal counsel &#8211; who ultimately provided the approval for these transactions in the first place &#8211; was out of the loop of this breach.\u00a0 The person whose business line this all impacted (US products)? Also not informed. 
They all apparently learned about it at the leadership retreat on August 22nd.\u00a0 Must have been a hell of a retreat.\u00a0 Look, I&#8217;m not saying that you have to send engraved stationery to everyone in the world when a breach happens &#8212; but you would expect something in the way of a notification chain.<\/p>\n<p>Say for the sake of argument that you found out that your company disclosed the most intimate financial information of millions of people.\u00a0 Who would you inform?\u00a0 Who would be on the short list for such a notification?\u00a0 Who would you expect would find out about it within, say, the first month or so?\u00a0 I&#8217;m thinking CFO and legal counsel would be up there.\u00a0 Say you were going to have a breach notification exercise.\u00a0 Would you include these folks?\u00a0 I would.\u00a0 Equifax apparently did not.\u00a0 These folks didn&#8217;t find out until later &#8211; like way, way, way later.<\/p>\n<p>Either way you slice it, it&#8217;s not great news for them &#8211; or us.\u00a0 Because keep in mind that they are still collecting data on you.\u00a0 They also likely still have major, systemic security issues.\u00a0 Major cultural issues don&#8217;t get fixed overnight &#8211; so it&#8217;ll be a while before their act is fully cleaned up &#8211; and in the meantime, data about us continues to be at risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ah Equifax. For connoisseurs of human folly, it is truly the gift that keeps on giving. 
Today we have a report from Equifax, commissioned by their board, that concludes that those executives that sold their shares just a few short days after the breach were all totally innocent of any wrongdoing.\u00a0 Yes, yes, nothing to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[47],"class_list":["post-654","post","type-post","status-publish","format-standard","hentry","category-security","tag-equifax"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=654"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/654\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}