It’s become a familiar observation in many a political or corporate scandal — and the two sometimes overlap — that “the coverup was worse than the crime.” (The name Clinton might spring to mind in one context or another.)
In the case of Georgia-based credit agency Equifax, it’s possible, from what we know right now, that the coverup IS the crime.
As has been reported this past week by every major news organization, a security breach, which Equifax has attributed to a software system provided by a web service named Apache Struts, allowed hackers access to personal information — names, addresses, Social Security numbers, birth dates and more — of a staggering 143 million Americans.
The implications would be dire enough if the issue were simply a matter of a technical breakdown, or the human error of a security lapse. But disclosures about how long Equifax kept the problems under wraps should prompt some serious questions about more serious culpability.
According to an Associated Press report, the software problem that eventually led to the breach was discovered in March. Apache Struts issued a statement Thursday that it had provided a “patch” shortly thereafter, and that “the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.”
Whatever the details of that timeline, there’s not much ambiguity about this one: Equifax said the hacking of Americans’ personal data began in May and continued until July … and was disclosed 10 days ago. That’s a month and a half after the company discovered it.
“There is no excuse for not following basic cybersecurity hygiene,” Nate Fick, CEO of Endgame, a Virginia-based cybersecurity agency, told AP. “Some heads should definitely roll for this; it’s only a question of how many.”
As if the belated disclosure weren’t bad enough, Equifax initially responded to individual consumer concerns about their personal information security by charging them a fee to freeze their credit. (That fee was soon waived, no doubt after some internal version of “Seriously?” was circulated through the executive suites.)
But major damage might already have been done: The breach “means they’ve got everything,” Eric Artrip, plaintiff attorney for several of what will no doubt be many class action filings, told Huntsville, Ala., TV station WHNT. “They’ve got our home address. They’ve got our Social Security numbers. They’ve got our date of birth, who we are married to if we are, who our kids are and where we live.”
Aside from what tens of millions of Americans are in jeopardy of losing, there’s this detail of what a trio of Equifax bigwigs gained: ABC News reports that three top executives sold almost $1.8 million in Equifax stock after the hack was discovered — and before it was disclosed. Whatever the strict legal definition of “insider trading,” that would have to meet any common-sense standard. It would qualify for quite a few other definitions and descriptions as well, none of them flattering and some of them unprintable.
(Since disclosure of the breach, AP reports, the value of Equifax stock has dropped by nearly a third. Equifax said last week the executives were unaware of the breach when they sold the stock.)
For at least 143 million obvious — and in most cases voting — reasons, the Equifax saga has Washington’s rapt attention. Sen. Chuck Schumer, D-N.Y., called it “one of the most egregious examples of corporate malfeasance since Enron,” and the Federal Trade Commission is investigating company practices, as is the Consumer Financial Protection Bureau. The House Financial Services Committee has announced it will hold hearings on the matter early next month.
As is always the reality of the situation and too seldom the subject of the discussion, the decisions that led to these consequences were made by human beings with names and titles and — presumably — responsibilities. Not for the first or last time, that presumption will be, perhaps sorely, tested.