Credit-reporting company Equifax shocked investors, and more than a third of America, when it announced on Thursday afternoon that hackers had breached its data systems, compromising the personal information of approximately 143 million U.S. consumers. The information accessed "primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers." In other words, pretty much everything that should have been hidden behind an n-number of firewalls, is now available to the dark net's highest bidder.
The company, which in delightful irony offers credit-monitoring and identity-theft protection products to "guard consumers’ personal information", said that it had learned of the incident on July 29, 2017, at which point it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review: based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. Oddly enough, it took shareholders and over a third of America, more than a month longer to learn that all their personal data may have been compromised.
As if 143 million leaked social security numbers wasn't enough, Equifax said that criminals also accessed credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers. But wait, there's more: the company also identified unauthorized access to limited personal information for certain UK and Canadian residents.
The good news, is that according to Equifax, "this issue has been contained." The bad news is that, well, as many as 143 million social security numbers have been hacked. So no, it's not contained.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax Chief Executive Richard Smith said in prepared remarks. “I apologize to consumers and our business customers for the concern and frustration this causes.”
In a Q&A posted on the company's website, the management team revealed what's really important with the following question and answer:
Does this cybersecurity incident impact your capital allocation priorities going forward?
Our capital allocation priorities are unchanged at this time. As we have previously indicated, our investment priorities in order of importance are: (1) internal investment; (2) dividends; (3) acquisition; and (4) share repurchase. We do, however, expect to increase our capital spending in an effort to further accelerate IT infrastructure, systems and data security and resiliency improvement actions.
Oh, good, because a hack involving 143 million SSNs is one of those cases where capex probably should have taken precedence over stock buybacks. Don't worry though, because as it explains in the same quesionnaire, "Equifax remains committed to delivering on the long term financial model of 7-10% revenue growth and 11%- 14% growth in Adjusted EPS on average over a business cycle. Equifax’s long term financial model reflects our continuing fundamental ability to utilize our unique and differentiated data assets and leading analytical capability to deliver high value products and services to our customers."
Uhm, after this... what customers?
After falling as much as 12% in the after hours, EFX stock stabilized... then fell as much as 19%.
And now the best news: with Putin clearly behind this hack - as "all 17 intelligence agencies", WaPo and NYT will shortly "confirm" - the US economy is about to undergo a renaissance as hundreds of millions of (unsolicited) purchases prompt a golden age for US retailers while sending Amazon market cap into the $1 trillions... even if the shipping address for said purchases happen to be small, frigid villages deep in the Russian taiga.
Full statement from Equifax here.
In appears there was a reason why EFX decided to hold on to the hacking news a little longer than seems reasonable. As Bloomberg reports, "three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers."
The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.
Surely, it was all purely a coincidence, even though had they waited until today, their proceeds would be well over 10% lower...