Tag Archives: Equifax

Insane: IRS awards $7.25M fraud-prevention contract to Equifax despite massive data breach

Equifax is a consumer credit reporting firm based in Atlanta, Georgia, the oldest of the three largest U.S. credit agencies (the other two are Experian and TransUnion). Founded in 1899, Equifax gathers and maintains information on over 800 million consumers and more than 88 million businesses worldwide.

On July 29, 2017, Equifax discovered that some time in May, someone(s) hacked into its online databases and stole the names, birth dates, Social Security numbers, addresses and driver’s license numbers of 143 million consumers in the United States — data that security experts have described as the crown jewels for identity thieves.

But Equifax kept this discovery quiet for 39 days before finally informing the public about it on September 7, 2017, admitting that 209,000 U.S. credit card numbers were also breached, as well as “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

After the company made known the breach, Equifax issued confusing instructions to consumers, which contained language that appeared aimed at limiting customers’ ability to sue. The company also tweeted out a link to a fake website instead of its own security site.

The Justice Department has also opened a criminal investigation into three Equifax executives — John Gamble, Rodolfo Ploder and Joseph Loughran — who sold almost $1.8 million of their company stock before the breach was publicly disclosed. See “Equifax executives sold $2M of their company shares 37 days before informing public of data breach”.

And yet, the IRS has seen fit to award Equifax a $7.25 million fraud-prevention contract — $7.25 million of taxpayers’ money!

Steven Overly and Nancy Scola report for Politico, Oct. 3, 2017, that a contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year.

According to the no-bid contract, the IRS will pay Equifax $7.25 million to help prevent fraud at the IRS by assisting in verifying taxpayer identity even as Congress is investigating Equifax for its massive security breach that exposed the personal information of as many as 145.5 million Americans.

A no-bid contract means that the IRS deems Equifax to be a “sole source order” — the only company capable of providing the service. The contract award was issued to prevent a lapse in identity checks while IRS officials resolve a dispute over a separate contract.

The IRS, which has suffered its own embarrassing data breaches as well as a tidal wave of tax-identity fraud, has taken steps to improve its outdated information technology with the help of $106.4 million that Congress earmarked for cybersecurity upgrades and identity theft prevention efforts. In a letter to IRS Commissioner John Koskinen, Senate Finance Chairman Orrin Hatch (R-Utah) questioned the agency’s security systems and said he was concerned that the IRS lacked the technology necessary “to safeguard the integrity of our tax administration system.”

Lawmakers on both sides of the aisle blasted the IRS decision:

  • Senate Finance Chairman Orrin Hatch (R-Utah) said in a statement: “In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed.”
  • Senate Finance Committee ranking member Ron Wyden (D-Ore.) said: “The Finance Committee will be looking into why Equifax was the only company to apply for and be rewarded with this. I will continue to take every measure possible to prevent taxpayer data from being compromised as this arrangement moves forward.”

The IRS defended its decision in a statement:

“Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems. At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation.”

~Eowyn


Equifax executives sold $2M of their company shares 37 days before informing public of data breach

Pay attention to the dates in this post.

Equifax is a consumer credit reporting firm, the oldest of the three largest U.S. credit agencies (the other two are Experian and TransUnion). Founded in 1899, Equifax gathers and maintains information on over 800 million consumers and more than 88 million businesses worldwide. Based at 1550 Peachtree St. NW, Atlanta, Georgia, Equifax is a global service provider with $2.7 billion in annual revenue and more than 9,000 employees in 14 countries. Equifax is listed on the New York Stock Exchange (NYSE).

On Thursday, September 7, 2017, Equifax said that on July 29, i.e., 39 days ago, the company discovered that some time in May, someone(s) hacked into its online databases and stole the names, birth dates, Social Security numbers, addresses and driver’s license numbers of 143 million consumers in the United States.

The company admitted that 209,000 U.S. credit card numbers were also breached, as well as “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”

But Equifax has not told the public how the data breach happened.

The next day, Sept. 8, speaking to Jeffrey Meuler, an analyst at RW Baird & Co., Equifax blamed the hacking on a flaw in the STRUTS open-source software used to run its online databases.

STRUTS is a widely available software system, created by the Apache Foundation, which is used by about 65% of Fortune 100 companies — including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and Showtime — and by the IRS.

STRUTS has been under attack by hackers since at least March, according to Ars Technica, which has reported on the software’s vulnerability. Apache issued several patches or software fixes for its STRUTS system, but it’s unclear whether Equifax had patched its systems since March. (New York Post)

Reporting for CNBC on Sept. 8, Todd Haselton and Yen Nee Lee discovered from filings to the Securities and Exchange Commission (SEC) that on August 1 and 2 — two days after the company had discovered the data breach, and 37 days before Equifax informed the public about the breach — three Equifax executives sold nearly $2 million in Equifax shares.

The three executives are:

  • Corporate vice president and chief financial officer John W. Gamble Jr. sold 6,500 shares at a price of $145.596, valued at $946,374, on August 1, 2017. (See the SEC’s Form 4, “Statement of Changes in Beneficial Ownership,” here.) In 2016, Gamble received $632K in salary, $759K in non-equity incentive plan compensation, $1.2M in stock awards, and $17K in all other compensation, totaling $2.7 million. He has an estimated net worth of $12.2 million. (Source: Bigwigs).
  • Workforce Solutions president Rodolfo O. Ploder sold 1,719 shares at a price of $145.70, valued at $250,458, on August 2, 2017. (See the SEC’s Form 4 here.) In 2016, Ploder received $500K in salary, $600K in non-equity incentive plan compensation, $785K in stock awards, and $105K in all other compensation, totaling $2 million. He has an estimated net worth of $19.8 million. (BigWigs).
  • Chief marketing officer and U.S. Information Solutions president Joseph Michael Loughran III sold 3,000 shares at a price of $33.60 (total value: $100,800) and 4,000 shares at a price of $146.0247 (total value: $584,099), on August 1, 2017. (See the SEC’s Form 4 here) He has an estimated net worth of $12.3 million. (BigWigs).

The total value of Equifax shares sold by Gamble, Ploder and Loughran 2 days after Equifax had discovered the data breach and 37 days before the company informed the public about the breach is $1.88 million.

In a statement, while admitting that the three executives had sold a “small percentage” of their shares, Equifax insists the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”

B.S.!

Update (Sept. 13):

Threatening to sell the personal data they hacked, the criminals are demanding $2.6 million in ransom from Equifax. (ZeroHedge)

Update (Sept. 18):

Justice Department today begins a criminal probe into the three Equifax executives’ stock sales. (ZeroHedge)

~Eowyn
