Read the Equifax Data Breach case and write a paper answering the following three questions:
- Discuss the moral issues in this case and whether Equifax’s actions constitute a moral failing.
- Should companies like Equifax be compelled to announce data breaches to the public within a certain time frame (e.g., 72 hours after discovery)? What would be the downside of legalizing such a requirement?
- In your opinion, why was security so lax at Equifax and how can this laxity be remedied?
The Equifax Data Breach Case
Page 1 of 4
Equifax, along with Experian and TransUnion, is one of the “Big Three” credit reporting agencies
in the United States. All three companies offer credit monitoring services as their core business.
There are many regulations and restrictions governing the collection and use of credit data, but
these companies have enjoyed stable sales and profits for many years. Equifax is based in
Atlanta and its long history traces back to 1913. It employs over 10,400 employees worldwide
and maintains data on 820 million consumers.
All three agencies exchange data with banks and other financial companies that extend credit.
They develop “credit scores” for how well a consumer has handled his or her credit and debt
obligations. This score and the accompanying credit report detailing a person’s credit history are
then sold to banks, credit unions, retail credit card issuers, auto lenders, mortgage lenders, and
others who rely on this information when they make loans, issue credit cards, or offer
consumers mortgages and home equity loans. It is also used by banks to check this information
before issuing bank credit cards such as Visa or MasterCard. Equifax, Experian, and TransUnion
have most likely compiled credit histories for nearly every adult U.S. citizen.
In early September 2017, Equifax announced that hackers had gained illicit access to the
personal information of 143 million people. The data included social security numbers, birth
dates, phone numbers, email addresses, driving license numbers, and, in some cases, credit card
numbers. The total number expanded to 148 million by March 2018. The pilfering of social
security numbers was particularly worrisome since that number in the wrong hands creates
opportunities for identity theft and other types of fraud.
The Equifax data breach is one of the three worst data breaches in U.S. history, along with
Yahoo and Marriott. The Marriott data hack of 2018 affected 500 million users. In September
2016, Yahoo revealed a serious data security breach that had occurred 2 years earlier when
500,000 million records were compromised. Several months later, in December, 2016, Yahoo
informed its users of another newly discovered data breach. That breach occurred in 2013 and
affected more than 1 billion Yahoo users. However, despite the magnitude of the Yahoo and
Marriott breaches, the Equifax data breach is considered more damaging because social security
numbers and birth dates were involved. As one security expert observed, “This data is the key to
everyone’s files and interactions with financial services, government, and health care.”
After the announcement was made, the credit reporting agency was heavily criticized for
waiting until September 7th to reveal this data breach to the public. This breach took place in
March 2017 and went undetected for almost 3 months. It was discovered in late July, but the
company decided to withhold this information from the public until it was able to verify the
scope of the breach. Thus, Equifax’s public announcement did not happen until 6 weeks after
the company had learned about the incident and 4 months after the hackers had penetrated
the Equifax network.
Cause of the Data Breach
Not long before the data hack announcement, the CEO of Equifax, Rick Smith, reaffirmed his
company’s commitment to cybersecurity. In answer to a question at a mid-August breakfast
meeting, Smith said protecting consumer data was a “huge priority” for the company. However,
according to several cyber risk analysis companies, weaknesses and flaws were observed in the
Equifax network well before this dangerous data breach occurred. The company had long been
considered an attractive target for identity thieves because of its defective cybersecurity.
But exactly what went wrong at Equifax? The breach was enabled by a security flaw in a
program called Apache Struts, a widely used web application development software product.
Through that software bug, hackers gained access to the software underlying the Equifax online
dispute portal and from there accessed the internal company databases. Hackers were able to
send data to a server that was equipped to take advantage of the software flaw. It was the
digital equivalent of popping open a side window to sneak into a building.
Apache issued a patch for the problem as soon as it was discovered. The U.S. Security
Readiness Team, which is part of the Department of Homeland Security, sent out a public alert
on March 8, 2017 about the software flaw. On March 9, Equifax’s Global Threats and
Vulnerability Management (GTVM) team released an internal notice declaring the urgent need to
install the patch for any Apache Struts applications. The GTVM alerted its programmers and
developers that the patch should be installed as soon as possible and no later than 48 hours
from receipt of its March 9 memo.
However, Equifax did not patch the Apache Struts software flaw until August, 4 months later
and well after the fatal intrusion occurred. There were two problems. First, Equifax’s chief
developer for the online dispute portal, which used the hacked Apache application, was not on
the GTVM memo distribution list. Second, in response to the alert about the Apache Struts
problem, Equifax scanned its network to identify the vulnerable versions of this program. But
the scanning tool did not perform a thorough search at every level of the network and did not
identify the vulnerable version of the Apache Struts application that was used for the online
dispute portal. Part of the problem was the company’s failure to maintain a comprehensive and
up-to-date information technology (IT) inventory. Without that inventory, the scanning tools
could not be properly directed to find all the instances of the Apache Struts vulnerability.
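The two process failures described above (a scan that never covered the dispute-portal host, and no confirmation that the patch actually landed within the 48-hour deadline) can be caught by reconciling the asset inventory against scan output. The following Python is an added example, not Equifax's tooling; the host names, version strings and the set of "vulnerable" versions are constructed placeholders, not values from any real advisory.

```python
"""Reconcile an asset inventory against vulnerability-scan coverage and a patch SLA.

All data below is constructed for illustration; nothing here is Equifax's inventory.
"""
from datetime import datetime, timedelta

# Placeholder version strings standing in for the versions an advisory would list.
VULNERABLE_VERSIONS = {"2.3.x-sample-vuln", "2.5.x-sample-vuln"}
PATCH_SLA = timedelta(hours=48)  # the GTVM memo required patching within 48 hours

# Constructed inventory: what the organisation believes it runs.
INVENTORY = {
    "web-portal-01": {"app": "Apache Struts", "owner": "dispute-portal-team"},
    "api-gw-02": {"app": "Apache Struts", "owner": "platform"},
    "db-03": {"app": "Oracle", "owner": "dba"},
}
# Constructed scanner output: hostname -> Struts version observed on that host.
SCAN_RESULTS = {
    "api-gw-02": "2.5.x-sample-fixed",
    "web-portal-07": "2.3.x-sample-vuln",  # reachable host the inventory never listed
}


def reconcile(inventory, scan, vulnerable, memo_time, now):
    """Compare inventory, scan coverage and patch state; return the gaps a reviewer needs."""
    struts_hosts = {h for h, a in inventory.items() if a["app"] == "Apache Struts"}
    # Hosts the inventory says run Struts but the scanner never reached.
    not_scanned = sorted(struts_hosts - scan.keys())
    # Hosts the scanner found that the inventory does not know about (the Equifax gap).
    unknown_hosts = sorted(scan.keys() - inventory.keys())
    # Hosts still on a vulnerable version: the patch was not confirmed as installed.
    still_vulnerable = sorted(h for h, v in scan.items() if v in vulnerable)
    sla_breached = (now - memo_time) > PATCH_SLA and bool(still_vulnerable or not_scanned)
    return {
        "not_scanned": not_scanned,
        "unknown_hosts": unknown_hosts,
        "still_vulnerable": still_vulnerable,
        "sla_breached": sla_breached,
    }


def sample_report():
    """Run the reconciliation three days after a memo dated 9 March 2017 (constructed)."""
    memo = datetime(2017, 3, 9, 9, 0)
    return reconcile(INVENTORY, SCAN_RESULTS, VULNERABLE_VERSIONS, memo, memo + timedelta(days=3))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Any non-empty `unknown_hosts` or `not_scanned` list means the scan cannot be trusted as proof of patch compliance, which is the condition the 2015 audit warned about.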
In contrast to Equifax, both of its rivals, TransUnion and Experian, received the same alert from
Homeland Security and the same patch from Apache Struts. Both companies patched vulnerable
versions of the software within days of receiving the patch and neither suffered a data breach
because of this security flaw.
The 2015 Security Audit
Critics of Equifax have said that its IT and security capabilities have not kept pace with its lofty
ambitions. CEO Smith had transformed Equifax from a credit reporting agency into a data giant
by purchasing other companies with databases that tracked information about consumers’
employment history, salaries, and so forth. Equifax was becoming a data-analytics company. But
Smith and his executive team concentrated more on data collection and processing and not so
much on securing that data.
As a result, Equifax lagged behind basic security maintenance, despite the fact that the data of
credit firms tends to attract many opportunistic hackers. Security ratings companies sounded
the alarm, but no one at Equifax seemed to be listening. In April 2017, the cyber risk analysis
firm, Cyence, rated the likelihood of a dangerous data breach at Equifax during the next 12
months at 50%. Also, according to Cyence, in their peer group of 23 companies the credit
reporting agency was second to last. Security Scorecard ranked Equifax “in the middle of the
pack” among financial services companies. The reason for the low score was the use of older
software and tardiness in installing patches. And Fair Isaac Corp gave Equifax a 550 FICO score
on a scale that ranges from 300 to 850. The score considers hardware, network security, and
Equifax appeared to be blindsided by the breach and allegations of its weak security
infrastructure that followed its announcement to many dismayed consumers who found out
that their personal information may have been stolen. But the company had ample warning
that its security system was vulnerable and in need of improvement.
In 2015, an internal security audit was conducted to review the state of cybersecurity and the
company’s current policies. The audit exposed salient cybersecurity flaws and deficiencies in the
Equifax network. The report concluded that current patch and configuration management controls
were not adequately designed to ensure Equifax systems are securely configured and patched in a
timely manner. The audit called attention to Equifax’s failure to confirm the successful
implementation of patches. According to the audit, most Equifax systems are not patched in a
timely manner. The audit report also underscored many vulnerabilities in the company’s IT
systems. The report cited 1,000 vulnerabilities on externally facing systems and 7,500 on
internal systems spread across 22,000 host servers. Despite these findings, there were no
follow-up audits after the disappointing 2015 report.
After the breach and the consumer backlash it generated, there were predictions that regulators
would impose strict new rules on the credit reporting industry. But no new regulations have
been implemented in the United States. There are still no federal laws mandating notification of
data breaches within a certain time frame. Equifax had to endure only minimal adverse
consequences, but it has budgeted an additional $200 million for IT security. The Consumer
Financial Protection Bureau, the agency responsible for the protection and security of consumer
data, initiated no punitive actions against Equifax. The Federal Trade Commission also refrained
from taking any enforcement action against this credit-reporting company.