+1 (208) 254-6996 [email protected]

2 pages

Read the Equifax Data Breach case and write a paper answering the following the following three questions:

Don't use plagiarized sources. Get Your Custom Essay on
Internet Research Assignment #3
Just from $13/Page
Order Essay
  1. Discuss the moral issues in this case and whether Equifax’s actions constitute a moral failing.
  2. Should companies like Equifax be compelled to announce data breaches to the public within a certain time frame (e.g., 72 hours after discovery)? What would be the downside of legalizing such a requirement?
  3. In your opinion, why was security so lax at Equifax and how can this laxity be remedied?


The Equifax Data Breach Case

Page 1 of 4

Equifax, along with Experian and TransUnion, is one of the “Big Three” credit reporting agencies

in the United States. All three companies offer credit monitoring services as their core business.

There are many regulations and restrictions governing the collection and use of credit data, but

these companies have enjoyed stable sales and profits for many years. Equifax is based in

Atlanta and its long history traces back to 1913. It employs over 10,400 employees worldwide

and maintains data on 820 million consumers.

All three agencies exchange data with banks and other financial company’s that extend credit.

They develop “credit scores” for how well consumer has handled his or her credit and debt

obligations. This score and the accompanying credit report detailing a person’s credit history are

then sold to banks, credit unions, retail credit card Issuers, auto lenders, mortgage lenders, and

others who rely on this information when they make loans, issue credit cards, or offer

consumers mortgages and home equity loans. It Is also used by banks to check this information

before issuing bank credit cards such as Visa or MasterCard. Equifax, Experian, and TransUnion

have most likely compiled credit histories for nearly every adult U.S. citizen.53

In early September 2017, Equifax announced that hackers had gained illicit access to the

personal information of 143 million people. The data included social security numbers, birth

dates, phone numbers, email addresses, driving license numbers, and, in some cases, credit card

numbers. The total number expanded to 148 million by March 201ij. The pilfering of social

security numbers was particularly worrisome since that number in the wrong hands creates

opportunities for identity theft and other types of fraud.

The Equifax data breach is one of the three worst data breaches- in U.S. history along with

Yahoo and Marriott. The Marriott data h ck of 2018 affected 500 million users. In September

2016, Yahoo revealed a serious data security breach that had occurred 2 years earlier when

500,000 million records were compromised. Several months later, in December, 2016, Yahoo

informed its users of another newly discovered data breach. That breach occurred in 2013 and

affected more than 1 billion Yahoo users. However, despite the magnitude of the Yahoo and

Marriott breaches, the Equifax data breach is considered more damaging because social security

numbers and birth dates were involved. As one security expert observed, “This data is the key to

everyone’s files and interactions with financial services, government, and health care.”

After the announcement was made, the credit reporting agency was heavily criticized for

waiting until September 7th to reveal this data breach to the public. This breach took place in

March 2017 and went undetected for. almost 3 months. It was discovered in late July, but the

company decided to withhold this information from the public until it was able to verify the

scope of the breach, Thus, Equifax’s public announcement did not happen until 6 weeks after

the company had learned about the incident and 4 months after the hackers had pene-trated

the Equifax network.

The Equifax Data Breach Case

Page 2 of 4

Cause of the Data Breach

Not long before the data hack announcement, the CEO of Equifax, Rick Smith, reaffirmed his

company’s commitment to cybersecurity. In answer: to a question at a mid-August breakfast

meeting Smith said protecting consumer data was a “huge priority” for, the company. However;

according to several cyber risk analysis companies, weakness and flaws were observed in the

Equifax network well before this dangerous data breach occurred. The company had long been

considered an attractive target for Identity thieves because of Its defective cybersecurity


But exactly what went wrong at Equifax? The breach was enabled by a security flaw in a

program called Apache Struts, a widely used web application development software product.

Through that software bug, hackers gained access to the software underlying the Equifax online

dispute portal and from there accessed the internal company databases. Hackers were able to

send data to a server that was equipped to take advantage of the software flaw. It was the

digital equivalent of popping open a side window to sneak into a building.

Apache issued a patch for the problem as-soon as It was discovered. The U.S. Security

Readiness Team, which is part of the Department of Homeland Security, sent out a public alert

on March 8, 2017 about the software flaw. On March 9; Equifax’s Global Threats and

Vulnerability Management (GTVM) team released in internal notice declaring the urgent need to

install the patch for any Apache Struts applications. The GTVM alerted its programmers and

developers that the patch should be installed as soon as possible and no later than 48 hours

from receipt of its March 9 memo.

However, Equifax did not patch the Apache Struts software flaw until August, 4 months later

and well after the fatal intrusion occurred. There were two problems, First Equifax’s chief

developer for the online dispute portal, which used the hacked Apache application, was not on

the GTVM memo distribution list. Second, in response to the alert about the Apache Struts

problem, Equifax scanned its network to Identify the vulnerable versions of this program. But

the scanning tool did not perform a thorough search at every level of the network and did not

identify the vulnerable version of the Apache Struts application that was used for the online

dispute portal. Part of the problem was the company’s failure to maintain a comprehensive and

up-to-date information technology (IT) inventory. Without that inventory, the scanning tools

could not be properly directed to find all the instances of the Apache Struts vulnerability.

In contrast to Equifax, both of its rivals, TransUnion and Experian, received the same alert from

Homeland Security and the same patch from Apache Struts. Both companies patched vulnerable

versions of the software within days of receiving the patch and neither suffered a data breach

because of this security flaw.

The Equifax Data Breach Case

Page 3 of 4

The 2015 Security Audit

Critics of Equifax have said that Its IT and security capabilities have not kept pace with Its lofty

ambitions. CEO Smith had transformed Equifax from a credit reporting agency into a data giant

by purchasing other companies with databases that tracked information about consumers’

employment history, salaries, and so forth. Equifax was becoming data-analytics company. But

Smith and his executive team concentrated more on data collection and processing and not so

much on securing that data.

As a result, Equifax lagged behind basic security maintenance, despite the fact that the data of

credit firms tends to attract many opportunistic hackers. Security ratings companies sounded

the alarm, but no one· at Equifax seemed to be listening, In April 2017, the cyber risk analysis

firm, Cyence, rated the likelihood of a dangerous data breach at Equifax during the next 12

months at 50%. Also, according to Cyence, in their peer group of 23 companies the credit

reporting agency was second to last. Security Scorecard ranked Equifax “in the middle of the

pack” among financial services companies. The reason for the low score was the use of older

software and tardiness in installing patches. And Fair Isaac Corp gave Equifax a 550 FICO score

on a scale that ranges from 300 to 850. The score considers hardware, network security, and

web services

Equifax appeared to be blindsided by the breach and allegations of its weak security

infrastructure that followed its announcement to many dismayed consumers who found out

that their personal information may have been stolen. But the company had ample warning

that its security system was vulnerable and in need of improvement.

ln 2015, an internal security audit was conducted to review the state of cybersecurity and the

company’s current policies. The audit exposed salient cybersecurity flaws and deficiencies in the

Equifax network. The report concluded current patch and configuration management controls

are not adequately designed to ensure Equifax systems are securely configured and patched in a

timely manner. The audit called attention to Equifax’s failure to confirm the successful

implementation of patches. According to the audit, most Equifax systems are not patched in a

timely manner. The audit report also underscored many vulnerabilities in the company’s IT

systems. The report cited 1,000 vulnerabilities on externally facing systems and 7,500 on

internal systems spread across 22,000 host servers. Despite these findings, there were no

follow-up audits after the disappointing 2015 report.


After the breach and the consumer backlash it generated, there were predictions that regulators

would impose strict new rules on the credit reporting industry. But no new regulations have

been implemented in the United States. There are still no federal laws mandating notification of

data breaches within a certain time frame. Equifax had to endure only minimal adverse

consequences, but it has budgeted an additional $200 million for IT security. The Consumer

Financial Protection Bureau, the agency responsible for the protection and security of consumer

The Equifax Data Breach Case

Page 4 of 4

data, initiated no punitive actions against Equifax. The Federal Trade Commission also refrained

from taking any enforcement action against this credit-reporting company.

Order your essay today and save 10% with the discount code ESSAYHELP