Disgraced credit-monitoring company Equifax, which has seen its stock drop by nearly 40% since disclosing what will likely be remembered as one of the most damaging data breaches in US history, eliciting dozens of class-action lawsuits, calls for investigations by at least one state attorney general, and requests from multiple Congressional committees for more information about the exact timeline of when Equifax learned about the hack, and when it was disclosed – because somewhere between those two events, several of the company’s executives, including its CFO, cashed out of some $2 million in stock and options.

In the latest humiliating blow to a company that failed at its only job – safeguarding Americans’ sensitive personal and financial data – famed short-seller Carson Block has announced that he has decided to sue the company over its “abysmal” handling of the hack.

And here’s the kicker: He doesn’t even have an open short position against the company. In other words: There’s no profit motive here. Block – like millions of Americans - is just really, really pissed.

Here’s the Financial Times:

“Veteran short-seller Carson Block has launched a private lawsuit against Equifax, accusing the credit-reporting company of an “abysmal” handling of one of the worst cyber security incidents in history. Equifax said on September 7 that its systems were breached by criminals in a raid that went on for more than two months — an admission that has prompted a flood of regulatory inquiries, dozens of private lawsuits and a more than one-third collapse in the company’s share price. The data of up to 143m Americans was compromised, the company said, along with up to 400,000 people in the UK. One of those was Mr Block, whose suit filed on Friday accuses Equifax of negligence in failing to safeguard and protect his personal identifying information from criminals, as well as a failure to disclose the breach in a timely fashion.”

Apparently, Block has learned that his personal information was compromised in the hack because he’s suing for personal damages. He has also accused the company of failing to disclose the breach in a timely fashion. The company’s CEO, Rick Smith, who is expected to deliver Congressional testimony early next month, has said that the company at first believed the hack was relatively minor."

According to the FT, the famed short sellers is seeking $500,000 in damages, a paltry sum considering Muddy Waters reportedly produced double-digit returns last year.

“Mr Block’s firm, Muddy Waters, has no short position that would benefit from a fall in the stock. In the suit, filed in the Northern District of California, San Francisco division, he seeks damages of at least $500,000 for the “stress, nuisance and annoyance” of dealing with issues stemming from the breach. The suit notes that Equifax’s business revolves around being a “secure storehouse” for data and providing a clear financial profile of consumers that lenders and other businesses can rely on. According to its own description, Equifax organises, assimilates and analyses data on more than 820m consumers and more than 91m businesses worldwide. Equifax could not be reached for comment at the time of publication.”

As the FT explains, hackers gained access to the company’s systems by exploiting a vulnerability in Apache Struts, a popular open-source framework for developing web applications in the Java programming language. On Friday, Equifax said that it had patched the hole on July 30, one day after it had detected strange activity on its servers. But cybersecurity experts note that the fix had been available since March, when the Apache Foundation put out an update which had been widely disseminated in tech circles. In short, the company’s cybersecurity experts committed an unforced error by neglecting to invest the meager resources required to patch the fix.

Amid the firestorm of controversy that has engulfed the company in the aftermath of the hacking disclosure, Equifax has actively tried to cover up the fact that Susan Mauldin, Equifax’s chief information security officer, and the person who was responsible for keeping the highly confidential and secret information of over 100 million Americans, has zero security or technology credentials…in fact, she was a music major at the University of Georgia.

Smith, Mauldin and nine other executives are named in Block’s lawsuit. Mauldin, Equifax said, would retire immediately from the company on Friday, along with David Webb, chief information officer.

According to the suit, Equifax should’ve been more careful following two big breaches in 2016. In one of those, 430,000 names and other vital pieces of information were lost as a result of the company using “alarmingly poor” security for the generation of PINs from the last four digits of a social-security number and the four-digit year of birth.

Of course, with North Dakota Democrat Heidi Heitkamp calling for a criminal investigation into securities fraud, Block’s lawsuit for a meager half a million is probably the least of the company’s worries…

