Case Study: The Equifax Data Breach
Equifax, along with Experian and TransUnion, is one of the “Big Three” credit reporting agencies in the United States. All three companies offer credit monitoring services as their core business. There are many regulations and restrictions governing the collection and use of credit data, but these companies have enjoyed stable sales and profits for many years. Equifax is based in Atlanta and its long history traces back to 1913. It employs over 10,400 employees worldwide and maintains data on 820 million consumers.
All three agencies exchange data with banks and other financial companies that extend credit. They develop “credit scores” for how well a consumer has handled his or her credit and debt obligations. This score and the accompanying credit report detailing a person’s credit history are then sold to banks, credit unions, retail credit card issuers, auto lenders, mortgage lenders, and others who rely on this information when they make loans, issue credit cards, or offer consumers mortgages and home equity loans. It is also used by banks to check this information before issuing bank credit cards such as Visa or MasterCard. Equifax, Experian, and TransUnion have most likely compiled credit histories for nearly every adult U.S. citizen.
In early September 2017, Equifax announced that hackers had gained illicit access to the personal information of 143 million people. The data included social security numbers, birth dates, phone numbers, email addresses, driving license numbers, and, in some cases, credit card numbers. The total number expanded to 148 million by March 2018. The pilfering of social security numbers was particularly worrisome since that number in the wrong hands creates opportunities for identity theft and other types of fraud.
The Equifax data breach is one of the three worst data breaches in U.S. history, along with Yahoo and Marriott. The Marriott data hack of 2018 affected 500 million users. In September 2016, Yahoo revealed a serious data security breach that had occurred 2 years earlier, when 500,000 million records were compromised. Several months later, in December 2016, Yahoo informed its users of another newly discovered data breach. That breach occurred in 2013 and affected more than 1 billion Yahoo users. However, despite the magnitude of the Yahoo and Marriott breaches, the Equifax data breach is considered more damaging because social security numbers and birth dates were involved. As one security expert observed, “This data is the key to everyone’s files and interactions with financial services, government, and health care.”
After the announcement was made, the credit reporting agency was heavily criticized for waiting until September 7 to reveal this data breach to the public. The breach actually took place in March 2017 and went undetected for almost 3 months. It was discovered in late July, but the company decided to withhold this information from the public until it was able to verify the scope of the breach. Thus, Equifax’s public announcement did not happen until 6 weeks after the company had learned about the incident and 4 months after the hackers had penetrated the Equifax network.
Cause of the Data Breach
Not long before the data hack announcement, the CEO of Equifax, Rick Smith, reaffirmed his company’s commitment to cybersecurity. In answer to a question at a mid-August breakfast meeting Smith said that protecting consumer data was a “huge priority” for the company. However, according to several cyber risk analysis companies, weaknesses and flaws were obvious in the Equifax network well before this dangerous data breach had occurred. The company had long been considered an attractive target for identity thieves because of its defective cybersecurity practices.
But exactly what went wrong at Equifax? The breach was enabled by a security flaw in a program called Apache Struts, a widely used web application development software product. Through that software bug, hackers gained access to the software underlying the Equifax online dispute portal and from there accessed the internal company databases. Hackers were able to send data to a server that was equipped to take advantage of the software flaw. It was “the digital equivalent of popping open a side window to sneak into a building.”
Apache issued a patch for the problem as soon as it was discovered. The U.S. Security Readiness Team, which is part of the Department of Homeland Security, sent out a public alert on March 8, 2017 about the software flaw. On March 9, Equifax’s Global Threats and Vulnerability Management (GTVM) team released an internal notice declaring the urgent need to install the patch for any Apache Struts applications. The GTVM alerted its programmers and developers that the patch should be installed as soon as possible and no later than 48 hours from receipt of its March 9 memo.
However, Equifax did not patch the Apache Struts software flaw until August, 4 months later and well after the fatal intrusion had occurred. There were two problems. First, Equifax’s chief developer for the online dispute portal, which used the hacked Apache application, was not on the GTVM memo distribution list. Second, in response to the alert about the Apache Struts problem, Equifax scanned its network to identify vulnerable versions of the program. But the scanning tool did not perform a thorough search at every level of the network and did not identify the vulnerable version of Apache Struts that was used for the online dispute portal. Part of the problem was the company’s failure to maintain a comprehensive and up-to-date information technology (IT) inventory. Without that inventory, the scanning tools could not be properly directed to find every instance of the Apache Struts vulnerability.
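One way to close the two gaps described above, as an added example that is not Equifax’s tooling and not part of the case study: reconcile what the vulnerability scanner actually found against the asset inventory and the memo distribution list, and flag hosts that are past the memo’s 48-hour window. The host names, owners, Struts versions and fixed-release thresholds are constructed placeholders; only the March 9, 2017 memo date and the 48-hour deadline come from the case.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the case study: what the asset inventory
# lists, what the network scanner actually found, and who receives GTVM patch
# memos. Struts versions and fix thresholds are placeholders, not real releases.
INVENTORY = {
    "web-01": {"app": "customer-portal", "struts": "2.5.20", "owner": "alice"},
    "web-02": {"app": "dispute-portal", "struts": "2.3.30", "owner": "bob"},
}
SCAN_RESULTS = {
    "web-01": "2.5.20",
    "web-03": "2.3.30",  # runs Struts but was never added to the inventory
}
MEMO_RECIPIENTS = {"alice"}  # "bob" owns the dispute portal but is not on the list
FIXED_VERSIONS = {(2, 3): (2, 3, 40), (2, 5): (2, 5, 20)}  # placeholder fixed releases
MEMO_DATE = datetime(2017, 3, 9)  # GTVM memo date from the case
PATCH_SLA = timedelta(hours=48)   # deadline stated in that memo


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    """True when the version precedes the first fixed release of its branch."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


def reconcile(inventory, scan, recipients):
    """Cross-check scanner output against the inventory and the memo list."""
    findings = {"vulnerable": [], "not_in_inventory": [], "not_scanned": [],
                "owner_not_notified": []}
    for host in sorted(set(inventory) | set(scan)):
        meta = inventory.get(host)
        if meta is None:
            findings["not_in_inventory"].append(host)  # inventory gap
        if host not in scan:
            findings["not_scanned"].append(host)       # scanner coverage gap
        version = scan.get(host, meta["struts"] if meta else None)
        if version and is_vulnerable(version):
            findings["vulnerable"].append(host)
            if meta and meta["owner"] not in recipients:
                findings["owner_not_notified"].append(host)
    return findings


def is_overdue(now, memo_date=MEMO_DATE, sla=PATCH_SLA):
    """True once the 48-hour patch window from the memo has elapsed."""
    return now > memo_date + sla
```

Each list in the returned findings corresponds to a distinct failure the case describes: a vulnerable host the scanner never reached, a host nobody inventoried, and an owner who never received the memo.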
In contrast to Equifax, both of its rivals, TransUnion and Experian, received the same alert from Homeland Security and the same patch from Apache Struts. Both companies patched vulnerable versions of the software within days of receiving the patch and neither suffered a data breach because of this security flaw.
The 2015 Security Audit
Critics of Equifax have said that its IT and security capabilities have not kept pace with its lofty ambitions. CEO Smith had transformed Equifax from a credit reporting agency into a data giant by purchasing other companies with databases that tracked information about consumers’ employment history, salaries, and so forth. Equifax was becoming a “global data-analytics company.” But Smith and his executive team concentrated more on data collection and processing and not so much on securing that data.
As a result, Equifax lagged behind on basic security maintenance, despite the fact that the data held by credit firms tends to attract many opportunistic hackers. Security ratings companies sounded the alarm, but no one at Equifax seemed to be listening. In April 2017, the cyber risk analysis firm Cyence rated the likelihood of a dangerous data breach at Equifax during the next 12 months at 50%. Also, according to Cyence, the credit reporting agency was second to last in its peer group of 23 companies. Security Scorecard ranked Equifax “in the middle of the pack” among financial services companies. The reason for the low score was the use of older software and tardiness in installing patches. And Fair Isaac Corp gave Equifax a 550 FICO score on a scale that ranges from 300 to 850. The score takes into account hardware, network security, and web services.
Equifax appeared to be blindsided by the breach and by the allegations of weak security infrastructure that followed its announcement, which left many dismayed consumers learning that their personal information may have been stolen. But the company had ample warning that its security system was vulnerable and in need of improvement.
In 2015, an internal security audit was conducted to review the state of cybersecurity and the company’s current policies. The audit exposed salient cybersecurity flaws and deficiencies in the Equifax network. The report concluded “current patch and configuration management controls are not adequately designed to ensure Equifax systems are securely configured and patched in a timely manner.” The audit called attention to Equifax’s failure to confirm the successful implementation of patches. According to the audit, “most Equifax systems are not patched in a timely manner.” The audit report also underscored a large number of vulnerabilities in the company’s IT systems. The report cited 1,000 vulnerabilities on externally facing systems and 7,500 on internal systems spread across 22,000 host servers. Despite these findings, there were no follow-up audits subsequent to the disappointing 2015 report.
Epilogue
After the breach and the consumer backlash it generated, there were predictions that regulators would impose strict new rules on the credit-reporting industry. But no new regulations have been implemented in the United States. There are still no federal laws mandating notification of data breaches within a certain time frame. Equifax had to endure only minimal adverse consequences, but it has budgeted an additional $200 million for IT security. The Consumer Financial Protection Bureau, the agency responsible for the protection and security of consumer data, initiated no punitive actions against Equifax. The Federal Trade Commission also refrained from taking any enforcement action against this credit-reporting company.
Questions:
What is your opinion on the US Government still not creating a law and finding a feasible solution to this problem? Are the US big corporations the ones lobbying for no change? Why?