Former Equifax executive charged with insider trading for dumping nearly $1 million ahead of data breach


Good. Equifax and its executives should be held accountable.

Except this isn't punishment for the breach. This is punishment for taking advantage of it.

Punish them for both.

which means he'll be nominated for a Trump cabinet position any minute now

Let me take out my crystal ball. He will do less time in a minimum security prison, than a guy stealing a car will do in a max.

Agree. If you have a company that has people's personal info stored and you lose control of it, you need to be punished.

The position for head of the SEC is a tight race between this guy, Intel's CEO who sold a bunch of stock before Spectre/Meltdown became public knowledge, and Carl Icahn, who dumped $30 million in steel stock right before the tariffs were announced.

The best people, folks. This is a Kakistocracy.

What about all of the others who sold?

I'm happy to see this person be charged, but this is ONE person out of multiple.

Equifax Chief Financial Officer John Gamble sold shares worth nearly $950,000 on August 1. Joseph Loughran, Equifax's president for U.S. information solutions, sold shares worth about $685,000 on August 1 as well. And Rodolfo Ploder, president of workforce solutions, sold stock for just more than $250,000 on August 2.

The company found that none of those executives knew about the breach when they sold their stock.


Call me a skeptic, but it looks to me like he was just the minority fall-guy. I haven't followed this closely enough, so maybe I'm being ignorant here and these other 3 suspiciously timed sales by executives are innocent, but I have such a hard time believing this.

It doesn't matter. We are living in a world where people collect information on us for profit and don't ensure the necessary safeguards to protect the people they are harvesting it from. There need to be data security and retention requirements. Even if it is difficult this is probably one of the more important things to work on in the internet age. If it can't be fixed then we need another way of doing business.

He'll be pardoned by Trump and offered a position in the Administration most likely.

This. The US needs laws that protect data integrity and data privacy.

Currently, you could never have visited a Facebook-owned site/app and still be tracked by them. This has been ruled illegal in the EU (original source is a TechCrunch article, but for some reason was removed from their site) but so far has no challenge in the States.

At this point, you could have an "anonymized" data profile attached to your IP/device/vendor ID, and it could be more accurate than if you actually personally provided answers to the questions that a vendor asks.

Anonymized data is only private/secure as long as it is; once it is on the open web– even for a moment– there are only a few pieces to be added to complete the puzzle for which human being is tied to which set of data.

In the case of Equifax and other breaches of explicitly PII (personally-identifiable information), this isn't even a problem for attackers because the data you have is the info you need to identify someone.

And steal their identity.

And ruin their credit history.

And vote as them.

Etc etc.

The best people, folks. This is a Kakistocracy.

That is evidence of a kleptocracy. The evidence of kakistocracy is Ben Carson, Kushner and Trump having any say.

A kakistocracy (/ˌkækɪsˈtɒkrəsi, -ˈstɒk-/) is a system of government which is run by the worst, least qualified, or most unscrupulous citizens

I'd say both definitions fit here.

It takes a special kind of stupid to think you won’t be caught doing this.

ahead of the data breach news or ahead of the data breach?

Fortunately, Trump can't pardon civil penalties, which is most likely what will happen here.

Just one? I thought several did this?

Also, Equifax is profiting off their own fuck up because they own lifelock or one of those identity theft companies. So can they be charged for that too?

Trump "can't" do a lot of things and yet here we are...

He was offered the CIO position after the other resigned after the breach. Sounds like they promoted a scapegoat to show "good faith" in cooperating with the SEC. They found out about this in July and sold in November. It is ridiculous to think the chiefs of any company would not be aware of such an incident.

News. If you recall, the breach happened in July and wasn't made public until I think September

That would be like punishing the bank for getting robbed. If it can be found the bank failed to make an adequate effort to secure their vault they should be exposed to civil liability, but it was the bank robber who broke the law, not the bank.

We can't make being robbed against the law, but we can make laws dictating the minimum security standards, but even then being robbed isn't a crime. Being robbed may expose criminal negligence, but that still isn't the same thing as being punished extra for being robbed.

If Equifax, or any company, had actually performed due diligence and was using every appropriate security measure then it really wouldn't be their fault if they had still been hacked via a previously unknown exploit.

They won't be. They'll blame the hackers, the users, everyone except for the people actually responsible.

You left off the important part that he will still make money off the illegal act.

Not to mention totally unnecessary. Stock is higher today than it was before the breach...

Sure but he could sell it before the breach was revealed then buy it back up for cheap.

Well let's be honest - the hackers are responsible. I mean, they're the party that committed the crime of breaching the information.

With that said, Equifax is fully culpable as well for their insufficient security and inadequate response -- which is all compounded by the unique involuntary nature of their "product." We were all forced into being their product in order to live in society - so they have an even higher obligation than most to protect our information.

To me, the difference is that you have a choice to use a bank while Equifax for some baffling reason has access to your information and can sell it to you and others without your permission or ability to opt out.

And vote as them.

I've been pondering who has the data from Equifax at this point and what they’re doing with it.

How practical/realistic would it be to vote as someone if you had everything but their IDs?

Could someone with this info absentee vote?

Was the guy who got 'caught' even an executive?

Lock him up!

Did the bank store my money without my permission? Because if the answer is no, then it's not comparable to Equifax.

So no, sounds like a fall guy. Probably does some easy time in club fed and then gets a consulting gig.

Something tells me this is going to be hell on his credit rating.

He also can't simply decide not to implement legislation he signs that he disagrees with, but he does.

Dude this is the part that's got me most heated about this incident.

I work in big data. 150 million people got doxxed. That's a lot of data.

One of two things happened.

Hackers broke in to Equifax, walked right up to the database servers, and in a matter of seconds identified the right data objects and queries to steal this data. They then copied a giant piece of data out of the company's network. This implies some level of collusion with multiple tech professionals in the organization. (How to authenticate, where the data is stored, how to get it, and someone in network security paid to look the other way while a fat chunk of data moved off his pipe).

Hackers broke in, wandered around for months trying different doors, running queries, and figured out how to best get the data then slowly moved it off the network. This means there likely wasn't a man in the middle but complete ineptitude by network security while criminals wandered around the building without a badge for months (digitally speaking) and no one asked who the hell they were.

The sheer level of negligence or criminalism for this to occur is mind blowing

I don't necessarily think they should be punished for outright losing control of the data. Breaches happen. However, they should be punished for not properly disclosing the breach to consumers, punished if it's found they didn't properly take precautions to prevent a breach, and fined for the harm it can and will do to all of us.

People have stolen tax returns with less.

You can be the best in the business and someone may still find a way to bypass your system. Better mousetrap, smarter mice, etc. What I'm saying is that if it's shown that they haven't put in the effort, time, and money to be as secure as they should have been; that's what they should be punished for.

Lose a Social Security number: $1000

Going to disagree with this one, because the solution is to dissolve SSNs.

They were made only to track social security payments, but because we lack a national ID system they get constantly abused as one.

Except it's an awful ID system. Think about every login system you've ever used.. now remove the password step so that anyone with your username can impersonate you. Anyone you prove your identity to can then turn around and prove they are you. That's our current social security system.

We need an actual, modern, cryptographically secure national ID system, and we need it about 10 years ago.


This works as a plural possessive for other words in English, but for "its" an apostrophe at the end is never correct. You have "it's" for a conjunction of "it is", and all other cases which are not a conjunction it's simply "its". Yay, English!

No the best thing to do is to re-register people likely to vote for the other candidate in different states under different addresses and contact their original board of elections to have them stricken from the voter roll. Kind of like what Russia may have done or tried to do in 2016.

The others still appear to have not known about it.

No fucking way they didn't know.

4 slaps on the wrist!

There should be a statutory damage law for these breaches with different amounts based on the type of data that was lost and whether they were negligent. There should be a private right of action and a right of class-action that overrides any pre-dispute arbitration agreement but ideally the CFPB should be empowered to seek the damages on behalf of the victims.

Lose email, addresses minor stuff: $100

Lose a credit card number: $250

Lose private financial or tax information: $500

Lose a Social Security number: $1000

Lose sensitive medical data: $10,000

If Equifax owed each of us $500 for their giant breach, they would be bankrupt and heading for liquidation. That would change the entire industry here in the US in terms of increased responsibility for these mostly avoidable breaches.

They do. Jeff Skilling of Enron lost "everything" (~$45 million). He's still apparently worth $500k. Though he may be more of an exception.

Rich people tend to get the best lawyers.

Thank you for that definition

There is no such thing as being perfectly secure. You could be as secure as is known to be possible, and someone could still find a way through. You shouldn’t be punished for that.

You should be punished for your response to the problem, and how much effort you put into preventing it.

That doesn't make any sense... he has no pardon authority over civil penalties. He has no say in this. And it's an independent agency.

I'm the one who made the joke, and I just had to check to make sure I didn't accidentally get it right.

Short answer: I was joking. Jay Clayton is the head of the SEC. Doesn't appear that he has been involved in insider trading, but he does have ties to Russia (BIG surprise there!)

Legally, these executives can sell if they had planned to do so previously (and filed the requisite paperwork beforehand). Basically you tell the government “I’m going to sell 1000 shares in 6 months time” and you’re in the clear when those are sold even if you have insider info that would lead you to sell. Presumably that’s what happened here.

I’m just surprised for any punishment at all. I’m glad some laws still exist. I was fully expecting him to get promoted or brought into this administration

Read the article. This is a different guy than was previously discussed. This guy sold just under $1MM in stock before news broke, which saved him some $100,000 due to the fall in stock price. The others still appear to have not known about it.

I would presume if he dumped it before the breach itself he would have been charged as an accessory to the hack, rather than just insider trading

A friendly reminder that the breach was something that would have been solved had someone bothered to use the patch that was sent out for the software months in advance of the breach.

I think in some cases, this one included, it would be fairly easy to prove negligence. They did nothing about a security flaw in Apache for months after it was discovered. 0 day vulnerability patching should be critical and mandatory for a company that handles public privacy data like Equifax.

they don't seize illegally obtained funds? even after being charged?? that's fucking obscene

Well this is heartening

You can literally say that about any crime. You can only get punished if you are caught... that's pretty much the definition

The best way to do it would be to prove that it could be done and had been done to throw doubt onto the election and hold another election (to suppress overall turnout) or suspend them in favor of a favorable outcome.

The title is a bit misleading. The breach happened, they knew about it and he sold. Then they notified the public. Will be a very easy case to prove without a 10B5 in place with his trader.

Breaches happen? That's absolutely unacceptable when it's sensitive personal data. The company has proven it is incapable of the responsibility, and severe punishment should be administered. There HAS to be a serious consequence as motivation to force companies to take security seriously when they are dealing with that kind of data. A slap on the wrist fine means more breaches absolutely will happen guaranteed, that's basically encouraging repeat offenses.

Equifax should be fucking dismantled, instead they'll end up profiting from this.

You don't have to punish an individual for something like that unless you can prove they were negligible with the data. In other words, if they don't take the necessary precautions, not using the latest safeguards/software etc. We need a national security standard that companies have to follow and those that don't get fined, as well as the execs who caused the negligence.

Yes, this is why I think these incidents should generally be treated as strict liability (no finding of fault necessary) by Federal law and have statutory damages.

The burden should be on Equifax to prove they did everything a responsible company should given the data they hold. The reality is that since they have near-zero liability for the loss and the economic damage falls mostly on the victims of their negligence, they have no economic incentive to do better.