Did Equifax execs sell stock before data breach news broke because they knew? U.S. Senators want to know

Originally published at: https://boingboing.net/2017/09/11/equifax-scam.html


Corporate Death Penalty

…just sayin’…


I doubt there will be any written evidence. These people may be sociopaths running a privacy-invading business storing personal data which may have considerable errors, and with a cavalier attitude to security, using a web interface running on OSS (STRUTS) to which they have not contributed - but they aren’t stupid.


If they didn’t know, then they aren’t doing their jobs.


Senators want to know why they weren’t tipped off so they could also sell.


I’m sure those Equifax execs will get a stern talking to. They might even be slightly embarrassed for a day. It may even get to the point where for a brief moment all those ill-gotten millions of dollars they get to keep wouldn’t seem worth it to them.

Yes, it’s that serious.


What has the Congress so upset is that they weren’t cut in on the deal.


“What was so funny on the way to the bank?”


I don’t see why Congress needs to investigate. The SEC needs to investigate, thoroughly. If they can nail Martha Stewart they ought to be able to nail these guys.


Well, if Congress investigates then they can find that these upstanding job creators and trickers down of wealth did nothing wrong.

If the SEC investigates, then the hand that feeds the congresscritters may get bitten.


If they get fired by Equifax, they can always get a job at Wells Fargo.


did anyone call the police?


We are talking about the likely malfeasance of natural persons here; so the corporate death penalty would hardly be the correct response. Humans, even homo economicus, require different techniques.

(though, I have to admit, dissolving the chief financial officer and returning him to the shareholders is an idea not without promise… I’ll definitely have to consider it.)


Crocodile tears, all the way to the bank.

Apache Struts? Noted the patch (at this, late, moment!)…also FireEye, tho. didn’t hear comment from that direction.
Thrilled to hear Congress read back its BS-ometer and subpoena same persons directly (to wait 60d. for their report of course!) as followthrough, though. Let Lindsey Graham squeeze the brunch incommunicado on toast from them. Also fine: can bring own toast.


They do need to investigate, but guilt isn’t a foregone conclusion. The SEC has a durable trade program you can enter into during a normal trade window that is allowed to make trades for you during the restricted trade window, but only based on preprogrammed instructions relying only on public values. So for example “as long as the stock value is over $300/share, sell 50% of the shares I just vested this month”. The big requirement for this sort of program is that you can only alter it during open trade windows.

So if you had one of these set up during an open trade window, and at the time you set it up didn’t have any knowledge of the hack (or other material inside information), and you later found out about the hack during a closed trade window, I think it would be illegal to cancel the trade!

I’m not a lawyer though, and only briefly read about this program when deciding not to opt into one. So I may be missing critical details. Also we don’t actually know that is what happened, just that it is a way in which this could have been legal.


The current chair of the SEC is a Trump appointee, and was previously a lawyer for several Wall Street firms. I wouldn’t count on him putting a high priority on this without some nudging from Congress.


It isn’t 100% certain - it’s possible it was a high level phish - but someone in Equifarce apparently tried to blame Apache. Perhaps, as well as not contributing to the project, they also didn’t read the Apache license.


It wouldn’t be surprising at all if there are multiple mechanisms that differ in various subtle ways; but per NPR

“Bloomberg, which first located the filings, reports that “none of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.””

I’m not an SEC whisperer, so I can’t be entirely sure whether or not we are talking about the same thing; but Bloomberg’s report was “these are specifically not trades made under the innocent explanation”; and Equifax’s assertions have been “Oh, our CFO, US Information Solutions President, and Workforce Solutions President just didn’t know about the breach when they sold that stock”; which is the sort of…questionable…excuse that seems like something you wouldn’t resort to if you had a nice, solid, “Yes, the timing looks bad; but the paperwork planning out these trades was filed 18 months ago and is all on the up-and-up” explanation to point to.


I find the “blame struts” development sort of depressing. Aside from the “Great, somebody is going for the ‘commie FOSS caused the problem’ deflection” angle, it is very difficult to think well of somebody running a nontrivial IT system who would consider “a single component failed; and that’s why the entire thing exploded into a heap of epic fail” to be even close to an acceptable excuse.

With the possible exception of people who have the luxury of formally verifying absolutely every nook and cranny (which isn’t most of them, few to none in commercial contexts), there’s an unavoidable element of (depressingly empirical, for a business that is supposed to be about finite state machines) testing, monitoring, redundancy, defense in depth, etc.

Perhaps some hacker deciding to strut Equifax’s stuff was the proximate cause; but no operation of their magnitude and sensitivity can possibly make a plausible excuse from just the proximate cause of an intrusion (especially given how long it went undetected). Things do get compromised; but not trusting untrustworthy elements is part of the job of putting together a system that isn’t too broken to live.