2017-10-16

Hackers control all of our sensitive personal information, thanks to Equifax (NYSE:EFX).

The breach was thought to impact 143M American consumers, or roughly 44% of the US population... those were the figures that were widely reported. A month later the company revised its estimate up by 2.5M. But more importantly, minors account for a quarter of the population, and two in 10 US adults are either “credit invisible” or “commercially unscorable” according to the CFPB, whose 2015 report suggested that 189M Americans had scorable records.

So this is no exaggeration, backed by numbers: if you’re an American with a credit history your data was likely compromised.

The scale of potential market disruption from such a massive breach has become the elephant in the tent for a full-blown Equifax circus: from execs dumping a couple of million dollars' worth of shares just days after the breach – and long before it was publicly disclosed – to revelations that their security practices included credentials like admin:admin and ignoring critical software updates.

Something Phishy Going On

Thanks to a supreme Twitter feed I was aware of the Equifax announcement almost immediately on September 7, and went right to their homepage. I clicked on the red banner at the top for more details. Then, I frantically messaged family and friends to make sure they didn’t follow the instructions on equifaxsecurity2017.com.

Amazing...

So they got owned… then hacked again to redirect to a phishing site?

Nope, equifaxsecurity2017.com was in fact the URL the company chose. That night I searched for similar domains and found a number of them available.

Upon reading that cyber specialist Mandiant – a FireEye (NASDAQ:FEYE) subsidiary – was managing incident response, I abandoned the idea of registering one for teaching purposes and went with screenshots instead.

It might have been harder to explain why I found this decision out of sync with good security practices if it weren't for Nick Sweeting. Not only did he buy a similar domain (securityequifax2017.com) and design the site to look like the official one, Equifax actually tweeted his URL out to customers on multiple occasions. Had he been a malicious actor he could easily have gathered personal information from unsuspecting visitors to the spoof site, or even required them to save a copy of the "TrustedID Agreement" bundled with malware to infect and exploit their systems too.
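As an added illustration (not code from this post, from Equifax or from Mandiant), here is a small Python check a defender could run over a company's own outbound messages: it allow-lists the corporate domain and flags any link whose domain is merely a reshuffling of the words the notice domain was built from. The allow-list, the campaign words and the sample tweets are assumptions made for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed example, not Equifax's or Mandiant's code; allow-list and tweets are assumed.
OFFICIAL_DOMAINS = {"equifax.com"}
# Words the notice domain was assembled from (the domain discussed above) plus the
# year; any domain built from a permutation of them is a look-alike unless allow-listed.
CAMPAIGN_TOKENS = ("equifax", "security", "2017")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com cases shown here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def _built_from(s: str, remaining: tuple) -> bool:
    """True if s is exactly the given tokens, each used once, in any order."""
    if s == "":
        return not remaining
    return any(s.startswith(t) and _built_from(s[len(t):], remaining[:i] + remaining[i + 1:])
               for i, t in enumerate(remaining))

def is_token_permutation(domain: str, tokens=CAMPAIGN_TOKENS) -> bool:
    """Compare only the second-level label, ignoring hyphens (equifax-security-2017)."""
    return _built_from(domain.split(".")[0].replace("-", ""), tuple(tokens))

def classify_link(url: str) -> str:
    """'official' if allow-listed, 'lookalike' if a campaign-word permutation, else 'other'."""
    domain = registrable_domain(urlsplit(url).hostname or "")
    if domain in OFFICIAL_DOMAINS:
        return "official"
    return "lookalike" if is_token_permutation(domain) else "other"

def audit_messages(messages):
    """(url, verdict) for every link in the messages that is not under an official domain."""
    return [(u, classify_link(u)) for text in messages for u in URL_RE.findall(text)
            if classify_link(u) != "official"]

# Constructed sample tweets, modelled on the ones the post describes.
SAMPLE_TWEETS = [
    "Incident details: https://www.equifax.com/",
    "Check whether you were affected: https://www.equifaxsecurity2017.com/",
    "Check whether you were affected: https://securityequifax2017.com/",
    "Unrelated: https://example.org/news",
]

if __name__ == "__main__":
    for url, verdict in audit_messages(SAMPLE_TWEETS):
        print(f"{verdict:9} {url}")  # both 2017 domains come out as 'lookalike'
```

The genuine equifaxsecurity2017.com and the spoof get the same verdict, which is precisely the problem with an off-brand notice domain: only the allow-list, not anything about the name, separates the real site from an imitation.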

Miscellaneous Mishandlings

Equifax claims to have discovered the monumental breach on July 29. Seeing a daunting fire that needed to be put out, they apparently just started lighting more of them and setting themselves ablaze.

The fact that key figures in the company, including CFO John Gamble, made unscheduled sales of shares on the 1st and 2nd of August is deeply troubling. Equifax issued a statement dismissing concerns, suggesting the trades were not substantial in relative terms and that those individuals "had no knowledge that an intrusion had occurred." For CFO Gamble, however, the near-million-dollar transaction represented 13% of his stake, presumably more than half his 2016 equity compensation. The CIO and CEO knew of the breach by July 31, so why Gamble was not informed in the days that followed, and why no intervention took place, is curious at best. While avoiding hasty judgments, it's not unreasonable to conclude that Equifax's handling of the issue opened a door to additional liability.

Shortly after news of CEO Richard Smith's resignation we also learned he might be eligible for a retirement package of over $18M, on top of his salary for the past nine months and with equity vesting milestones ahead. That hardly seems commensurate with the quality of management lately. If they had immediately disclosed the breach and ad-libbed a response, mistakes would be more forgivable. People debate whether "40 days and 40 nights" was just the Bible's way of saying a long time – stalling that long to announce a hack of this magnitude is a very long time. And during that period another baffling incident may have transpired: Fortune reports that Equifax's August acquisition of identity protection firm ID Watchdog was completed "without revealing at that time that its systems had been penetrated."

The Grand Finale

Surprise! It only gets worse from here. At least, that's how I'm playing EFX.

Several authors at Seeking Alpha have attempted to forecast the negative financial impact on Equifax from this disaster. But even the bears generally neglect the possible severity of further fallout. As of now the data has only been exfiltrated – if weaponized it could wreak havoc, not just through traditional measures but in ways not being discussed: how many of our web accounts are secured by some combination of name, DOB, SSN, address, and/or phone number? I'd be happy to be wrong, but logic dictates there will be some subsequent attack(s), and I expect EFX to get battered in response.

If Equifax has to collapse, it will. My own target is much more conservative, but too-big-to-fail sentiment is misguided. The economic domino effect produced by several behemoth US banks going bust has no parallel here. Instead, this volatile US political climate sets the tone for Equifax to be made an example of, with industry-wide ramifications.

Last month the stock reached an all-time high of $147.02, a 24% jump from the end of 2016. Since the disclosure and subsequent selloff, EFX has seen a sustained recovery and is currently down less than 8% YTD. I bought put contracts around $110 and will want to see strong resistance before $120, which would surpass the 50% retracement level and represent a 2017 gain. With so many moving parts and sources of uncertainty it's a fool's errand to call a precise price, but a return to double digits wouldn't surprise me.

Equifax changed its name from Retail Credit back in 1975 to improve its image. Today it’s hard to imagine anything that can save the company’s credibility. Simply surviving entails weathering the storms from PR blunders, suspicious activities, epic security failures, and the consequences of the hack itself. Going back to business as usual is not a viable option, because business as usual turned out to be thoroughly inadequate on multiple fronts. At a minimum, security will need to be prioritized in a quantifiable way going forward, and fundamentals and valuations must reflect that.