Shares of Equifax dropped another 4% today, including after-hours, to $92.70. They’re now down 35%, or $50, from the happier era that ended at 5pm EST on September 7, with the confession that it had found out six weeks earlier that the most crucial personal data – “primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers” – of 143 million consumers had been stolen.
This was promptly followed by chaos and egregious missteps, such as trying to profit from its victims. So far, at 120.4 million shares outstanding as of June 30, the six trading days have cost investors $6 billion. No one cares about consumers. They’re just the product. But $6 billion matter.
Now heads are rolling. Oh no, not CEO Richard Smith. He is not leaving the company to spend more time with his family. Instead, Equifax announced Friday evening that it sacked two lower level executives. I mean, not sacked. Chief information officer, David Webb, and chief security officer, Susan Mauldin, “are retiring,” it said, “effective immediately.”
And they had it coming.
Much was made of Mauldin’s degrees in music. But for a person her age, and with as much corporate experience as she had, college is irrelevant. Gates, Jobs, and Zuckerberg didn’t even graduate from college. What matters is how they perform their work.
And they failed to patch a vulnerability in Apache Struts, an open-source and therefore free software. The vulnerability had been “identified in early March” but wasn’t patched. The hack occurred from May 13 through July 30, 2017.
According to Equifax Friday evening:
The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application.
Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.
While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing.