2. WOULD YOU INVEST IN THIS BUSINESS?
Things looked good for the leadership of Equifax:
a $17 billion market value, and praise for innovation.
Share Price since start of 2017
3. HOW DID THINGS LOOK A WEEK AGO?
Things looked good for the leadership of Equifax:
a $17 billion market value, and praise for innovation.
4. VIEW FROM THE INSIDE = DISTINGUISHED!
John J. Kelley III
Mr. Kelley achieved a rating of “Distinguished” on his
individual objectives for 2016. These objectives included:
• Directing and improving the effectiveness and efficiency of the
Company’s regulatory and government relations operations
• Continuing to improve business unit support and alignment.
• Continuing to refine and build out the Company’s global
security organization.
Mr. Kelley received $2.8m in compensation, including a performance
bonus, an 8% increase on the previous year.
Mr. Kelley’s contract guarantees a $758,000 pension contribution
if terminated for cause, or $11.3m if terminated without cause.
Senior management were confident.
They were getting results. “Distinguished” results…
5. VIEW FROM THE OUTSIDE = VULNERABLE!
But what could hackers see?
The above shows vulnerabilities visible from outside.
6. HOW WAS TEAMWORK IN THE MIDDLE?
Equifax says their CFO (above) wasn’t told in a timely way about the breach.
Which is unfortunate, as he sold some shares a few days later…
Were cyber vulnerabilities always reviewed in a timely way by the Board?
Was there a plan for informing senior execs about material cyber incidents?
7. WHAT DID THEY KNOW, WHEN DID THEY KNOW IT?
• May 16th (Breach): Equifax now believes it was breached before this date
• July 29th (Identified): Equifax managers discovered the data breach
• August 2nd (Trading): Equifax CFO sold 13% of his shares in Equifax
• Sept 5th (Preparation): Equifax consultants register domains like equihax.com (to prevent some of the fraud that often follows a breach announcement: criminal phishers spoofing its domain to get money & data by fraud)
• Sept 7th (Notification): Equifax announces “cybersecurity incident” (after markets close, and 41 days after breach discovered)
Is 41 days fast enough? When should the CFO be told?
Did Equifax’s leaders pull together to fix things?
9. HOW DID THEY ANNOUNCE? TO WHAT RESPONSE?
Breach affects 143 million people = half the USA
Social Security numbers, credit card numbers,
home addresses and birth dates among data lost.
Allegedly, data taken via open-source software,
Apache Struts (for building web applications).
(Two thirds of Fortune 100 companies are using
Apache Struts.)
10. HOW DID THEY ANNOUNCE? TO WHAT RESPONSE?
Social media reacts within seconds.
11. AND HOW GOOD WAS THE HELP THEY ANNOUNCED?
Some browsers blocked access
to the site, as it looked like a
scam. (The site wasn’t registered
to Equifax, & its certificate didn’t
support proper revocation checking.)
The site runs WordPress, which
isn’t very secure.
Frustrations: On Sept 8th the site
told many users to check back on
the 13th to see if they were affected.
12. THEIR GESTURE OF CREDIT MONITORING
Free credit monitoring is offered on site.
Conflict of interest? Some complain the
monitoring service is owned by Equifax,
and is often used to sell other services.
Legal Conflict? Those who accept the
credit monitoring seem to automatically
give up their right to sue Equifax.
A credit freeze is recommended by many
experts (e.g. Brian Krebs).
13. PERHAPS A CREDIT FREEZE WOULD BE SAFER??
A credit freeze is offered
by Equifax.
But it creates new risks.
The PIN offered to many
thousands of consumers
who now freeze their
credit is the date and
time the freeze was
requested.
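A PIN derived from the request time can be detected in an audit of issued PINs. The following Python is an added example, not part of the original slides or any Equifax code; the MMDDYYHHMM layout, the 24-hour tolerance and the sample records are assumptions constructed for illustration.

```python
import math
import secrets
from datetime import datetime, timedelta

PIN_FORMAT = "%m%d%y%H%M"  # assumed layout (MMDDYYHHMM); the slide gives no format


def timestamp_pin(requested_at):
    """The weak scheme described on the slide: PIN = date and time of the request."""
    return requested_at.strftime(PIN_FORMAT)


def random_pin(digits=10):
    """Hardened alternative: every digit drawn from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def looks_time_derived(pin, issued_at, tolerance=timedelta(hours=24)):
    """Audit check: does the PIN decode to a moment close to when it was issued?"""
    try:
        decoded = datetime.strptime(pin, PIN_FORMAT)
    except ValueError:
        return False  # not a valid date-time in the assumed layout
    return abs(decoded - issued_at) <= tolerance  # wide enough for clock or timezone skew


def guess_space_bits(window_days=None, digits=10):
    """Bits of uncertainty: one candidate per minute of the window, else 10**digits."""
    candidates = window_days * 24 * 60 if window_days else 10 ** digits
    return math.log2(candidates)


def audit(issued):
    """Return the customer ids whose PIN is predictable from the issue time."""
    return [cid for cid, pin, when in issued if looks_time_derived(pin, when)]


# Constructed sample records: (customer id, PIN, time the freeze was requested)
SAMPLE = [
    ("c1", timestamp_pin(datetime(2017, 9, 8, 14, 5)), datetime(2017, 9, 8, 14, 5)),
    ("c2", "4810275936", datetime(2017, 9, 8, 14, 6)),
    ("c3", "0908171407", datetime(2017, 9, 8, 14, 9)),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(round(guess_space_bits(window_days=7), 1), round(guess_space_bits(), 1))
```

If the request is known to fall within one week, a time-derived PIN carries about 13 bits of uncertainty, against about 33 bits for ten random digits.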
15. SOME RISKS THE 143 MILLION INDIVIDUALS NOW FACE
• Tax Refund Fraud
• Loan Account Fraud
• Credit Card Fraud
• Benefits Fraud
16. WOULD YOU INVEST IN THIS BUSINESS?
Things looked good for the leadership of Equifax:
a $17 billion market value, and praise for innovation.
Share Price since start of 2017
17. ANY SUGGESTIONS?
If you were Mark L. Feidler, what would you have done differently?