Equifax – What Were They Thinking?

Or rather, what do you hope the Equifax board was thinking in March, May, July, and September?

We have the timeline of the perceived facts of the Equifax breach.  We know what the company announced publicly. But it makes us wonder what the Equifax Board was thinking?  What do we wish they were discussing as they became aware of each of these events? 

Early March

In early March, Equifax notified individuals whose employers use TALX for payroll services that it had detected unauthorized access to its web-based portal between April 17, 2016 and March 29, 2017. This gave the hackers potential access to employee W2s. After the breach, Equifax also made notification to attorneys general – in states requiring such notifications – including Maryland and New Hampshire.
Let’s assume the board was notified. Based on the information available, we can assume that they must have discussed some rudimentary questions:

• Do we know what systems and data were affected?
• How did the attackers get into the system, and has the vulnerability been fixed?
• Is the incident contained?
• Do we have a communications plan for the affected customers?
• Are the right people empowered to make the right decisions around reporting requirements, remediation, etc.?
  

We assume that the Board asked a few questions, took the incident seriously, and felt the company had it all managed appropriately.  We can only hope that the discussions turned forward looking. The Board should have been talking about the strength of the incident response and business continuity plans in preparation for what they should have assumed would be an additional incident. 

July 29

Hackers exploited a vulnerability in Equifax’s web application framework that managed credit-related disputes filed by consumers. This exposed personal details including names, addresses, Social Security numbers, and sometimes driver’s license numbers for 143 million people in the United States. There was also the potential compromise of credit card numbers for 209,000 consumers and additional personal information relating to credit disputes for 182,000 more people.
We are confident that the Board was notified.  So what do we hope they discussed at their emergency Board meeting?

• How did the attackers gain access to our systems?
• Has the vulnerability been fixed? Is it contained?
• Was this related to the March event?
• What’s the potential business impact?
• When and how do we go to the public?
  

While we don’t know what happened behind closed doors, it’s clear that the Board must have taken this seriously and covered these and other key questions. 

August 1 & 2

SEC filings show that Equifax’s Chief Financial Officer, John Gamble Jr., Workforce Solutions President, Rodolfo Ploder, and U.S. Information Solutions President, Joseph Loughran offloaded company stock valued at $1.8 million. It is alleged that these three senior executives had no knowledge of the breach.
So what do we think board members thought of this move?  Let’s just ask if you would want your Directors’ and Officers’ (D&O) liability tied to leadership who made this sort of decision? While the company claims that these three leaders had no knowledge of the July breach, it doesn’t pass the sniff test. Directors are charged with asking the right questions and understanding the answers. It is hard to fathom that the Board didn’t discuss this very act and have serious concerns about the judgment of these leaders as well as the potential accusations of insider trading.

September 7

The day arrived to tell 143 million U.S. customers about the massive hack.  One has to wonder, however, how the Board agreed that is was a smart idea to make this announcement on a Friday afternoon.  They cannot have thought that the public and media would sweep this under the rug just because it was a Friday – usually a slow news day. One of the most important strategic decisions a Board and company leadership faces following a cyber incident is deciding when and how to notify customers, shareholders, and business partners. This should have been a significant conversation that should have resulted in a different decision.

September 14

It is a week later and another Friday announcement – the “retirement” of the CIO and CISO.  One would assume that there was an emergency Board meeting between September 7th and 14th.  So what was discussed?  Clearly as the class action suits were mounting, the number of media reports was soaring, and the pressure was intensifying, the Board needed to take action.  While it’s not at all uncommon for someone to get fired or replaced in the heat of the moment post cyber incident, it is shocking that Equifax decided on such a soft message of a “retirement.”

September 26

With the punches still rolling, Equifax Chairman and CEO, Richard F. Smith, follows the suit of the CIO and CISO and retires. Paulino do Rego Barros Jr., previous APAC President, has been tapped to fill in as interim CEO.