Short Seller Carson Block Victimized by Equifax Hack, Sues for $500,000
Carson Block, the short-seller who exposed Sino-Forest and Huishan Dairy and made a ton of money doing so, missed out on the Equifax disaster. Not having divined what would happen, his firm Muddy Waters failed to short Equifax shares before they collapsed 35% in six trading days.
But he didn’t miss out on the hack: He was one of the 143 million Americans whose data, including Social Security numbers, got stolen in the Equifax hack. And on Friday, he sued Equifax.
The lawsuit, reported by the Financial Times on Sunday, accuses Equifax of negligence in its failure to protect his personal identifying information from criminals, and of not disclosing the hack in a timely manner. He is seeking damages of at least $500,000 for the “stress, nuisance and annoyance” of having to deal with the consequences of the hack.
The suit notes that Equifax’s business revolves around being a “secure storehouse” for data and providing a clear financial profile of consumers that lenders and other businesses can rely on.
At a minimum, Equifax should have patched a vulnerability in Apache Struts, an open-source framework for developing web applications in Java, but didn’t. The Apache Foundation disseminated a patch on March 6, but Equifax didn’t implement the update. ArsTechnica explains the omission:
Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up.
The hack occurred after mid-May. On Friday, Equifax said that it had finally patched the vulnerability on July 30, nearly five months after the update had become available, and a day after it had figured out that it had been hacked. This must have been one of the most glorious oh-shit moments in corporate history.
Block’s lawsuit names 11 senior executives at Equifax, including CEO Richard Smith. Two of the named people, chief information security officer Susan Mauldin and chief information officer David Webb, were sacked on Friday “effective immediately.”
The Financial Times:
According to the suit, Equifax should have known that its defenses were fragile, following two big breaches in 2016 alone. In one of those, in May, 430,000 names and other vital pieces of information were lost as a result of the company using “alarmingly poor” security for the generation of PINs from the last four digits of a social-security number and the four-digit year of birth.
Block isn’t the first one to sue. Within hours of the disclosure of the hack on September 7, law firm Olsen Daines PC, along with class-action specialist Geragos & Geragos, filed a proposed class-action lawsuit in federal court in Portland, OR, against Equifax seeking $70 billion in damages nationally. It alleged that Equifax was negligent in failing to protect the data of the plaintiffs Mary McHill and Brook Reinhard. The complaint:
“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers.”
“Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
Earnings per share and financial engineering were clearly more important than investing in the security of consumer data to protect the core of its business. Equifax blew nearly $500 million on share repurchases in 2014 and 2015, though it didn’t repurchase any shares in 2016, according to its annual report. As of December 31, 2016, it was approved for additional share repurchases of $667 million. It might have used some of that authorization over the past few trading days to buy its own shares to keep them from plunging further.
Manipulating up the stock price via share repurchases seemed to be much more promising for executive bonuses than investing in the security of its IT system.
By September 11, USA Today counted 23 proposed class-action lawsuits that had been filed against Equifax around the country. Plaintiffs’ lawyers are licking their chops. They have two angles of attack: shareholder lawsuits and consumer lawsuits. And there will be innumerable lawsuits from individuals, from small-claims suits to big ones like Carson Block’s. Equifax will blow a fortune on legal costs and settlements for years to come — on top of the fortune it will also have to spend to beef up its IT system.
This is the result of short-termism focused on earnings per share and share buybacks, while not investing to protect the core of its business. This is a decision the CEO and the board made. Heads should roll in both places. And it wouldn’t hurt to see a fearless prosecutor find a reason to lead some of the top folks out the door in handcuffs.