Equifax Breach: A Grassy Knoll Conspiracy?
by Sam Richter
By now you've probably heard of the giant data breach at the credit reporting agency Equifax. The company reports that, from May through July, identity thieves stole the personal information - including social security numbers - of 143 million US consumers. Security experts are in an uproar, and consumers are rightfully very worried about what's next.
In response, Equifax is offering all those impacted one free year of credit monitoring. All a person has to do is visit this site to determine if he/she is a possible victim. If yes, Equifax will automatically enroll each impacted individual into Equifax ID Patrol™, normally priced at $16.95 per month (their Premium service is $19.95 per month).
In a related story, it was revealed that three Equifax executives sold $2 million in stock prior to the data breach announcement. The executives claim that the sale was a planned sale and the timing was a coincidence. Many are reasonably skeptical.
When I first read the breach story, I was angry. When I read the stock-sale story, I was appalled.
As I was reviewing various breach-related articles, I stumbled upon an unrelated article that grabbed my attention. It shared how in October 2017, the National Archives is going to release all of the documents related to President Kennedy's assassination. Will we finally learn the truth about the missing Zapruder frames? To that end, what is really stored in Area 51?
As my mind was racing wondering if there actually is a secret "for-POTUS-eyes-only" book at the Library of Congress, I received an email from my fellow speaker/author/technology guru-colleague, Beth Ziesenis. Beth shared two interesting tid-bits about the Equifax story:
"1) If you sign up for their free monitoring through TrustedID, the very fine print says that you're giving up your right to participate in a class-action suit (you would have to arbitrate)."
"2) If you do check the site (to see if you've been a victim), it very well may be inaccurate. My check yesterday didn't say yes or no. Today I checked again and it said I was compromised. But then I put a fake last name and social info into the site, and Equifax also said it was likely compromised."
Then I received another email from one of the world's top cyber-security experts, Michael Bazzell. Michael and Justin Carroll recorded a superb podcast about the breach and what it means, and in the discussion, they too reiterated what Beth shared. NOTE: Michael and Justin highly recommend that all US consumers put a credit freeze on their accounts and they've produced a very helpful guide on how to do it.
Now I admit, my conspiracy-theory brain was probably running amok based on the timing of Beth's email and Michael's supporting podcast. Yet, when I considered the possibilities, the puzzle pieces started to fit together until I formed my own "Grassy-Knoll" Equifax theory:
1) Equifax company executives sell stock a few weeks before the breach is announced.
2) The breach occurred between May and July. As there has not been a huge number of reported cases of ID theft since that time, maybe the company knows this is a "big nothing" and although they are required by law to share information related to the breach, they know that actual consumer data that could do damage was never exposed.
3) The day of the breach announcement, Equifax's stock tanked nearly 15%. Yet none of the executives care because they already sold.
4) Over the next few weeks, let's assume that 100 million consumers - or 70% of those impacted - sign up for a free year of Equifax ID Patrol. Although the retail cost is $16.99 per month, the actual cost to Equifax to offer the service is almost nothing as the infrastructure already exists. There are some incremental technology costs, certainly, yet my hunch is it's pennies to add a new customer.
5) Slowly over the coming months executives start buying back stock at deflated prices.
6) There are some class action lawsuits. But not many as the 100 million who sign up for the service cannot participate. Other lawsuits are thrown out because no plaintiff can prove damages as per #2 above, Equifax knows that no identifiable information was actually stolen.
7) Equifax has legal bills and government fines. Let's assume they total $250 million - a huge amount. The stock continues to sink. But insiders aren't worried and purchase more stock at deflated prices. Besides being a tax-deductible expense, the $250 million is really nothing because...
8) A year from now, when 100 million people are done with their free monitoring, they are feeling good about the service because their IDs weren't nefariously used (see #2 above). All of these folks are offered a "good-will discount" to continue with Equifax ID Patrol for only $10 per month. Nearly 25% of consumers take the company up on its offer.
9) Equifax has now generated $250 million in recurring monthly revenue, or $3 billion per year - nearly doubling their 2016 total revenue.
10) The company stock goes through the roof. Insiders who bought on the low sell on the high and make millions.
Crazy? I thought so too. That's a lot of planning with too much risk. Yet the more I read the 10 points above, the more I thought that it's actually possible, and really not too difficult to implement.
Or maybe it was just a massive data breach, the stock sales were purely coincidental, and Equifax executives are really good people doing all they can under tremendous pressure to mitigate the consumer risk, and to preserve the future of their company.
What do you think? Massive breach? Or a massive conspiracy? Please leave a comment below.