Read the Equifax Data Breach case and write a paper answering the following three questions:
- Discuss the moral issues in this case and whether Equifax's actions constitute a moral failing.
- Should companies like Equifax be compelled to announce data breaches to the public within a certain time frame (e.g., 72 hours after discovery)? What would be the downside of legalizing such a requirement?
- In your opinion, why was security so lax at Equifax and how can this laxity be remedied?
The answer to the first question is worth 34 points, and questions two and three are worth 33 points each. Review the attached grading rubric to determine the requirements for answering each question.
The Equifax Data Breach Case

Equifax, along with Experian and TransUnion, is one of the "Big Three" credit reporting agencies in the United States. All three companies offer credit monitoring services as their core business. There are many regulations and restrictions governing the collection and use of credit data, but these companies have enjoyed stable sales and profits for many years. Equifax is based in Atlanta and its long history traces back to 1913. It employs over 10,400 employees worldwide and maintains data on 820 million consumers. All three agencies exchange data with banks and other financial companies that extend credit. They develop "credit scores" for how well a consumer has handled his or her credit and debt obligations. This score and the accompanying credit report detailing a person's credit history are then sold to banks, credit unions, retail credit card issuers, auto lenders, mortgage lenders, and others who rely on this information when they make loans, issue credit cards, or offer consumers mortgages and home equity loans. It is also used by banks to check this information before issuing bank credit cards such as Visa or MasterCard. Equifax, Experian, and TransUnion have most likely compiled credit histories for nearly every adult U.S. citizen.

In early September 2017, Equifax announced that hackers had gained illicit access to the personal information of 143 million people. The data included social security numbers, birth dates, phone numbers, email addresses, driving license numbers, and, in some cases, credit card numbers. The total number expanded to 148 million by March 2018. The pilfering of social security numbers was particularly worrisome since that number in the wrong hands creates opportunities for identity theft and other types of fraud. The Equifax data breach is one of the three worst data breaches in U.S. history, along with Yahoo and Marriott. The Marriott data hack of 2018 affected 500 million users.
In September 2016, Yahoo revealed a serious data security breach that had occurred 2 years earlier, when 500 million records were compromised. Several months later, in December 2016, Yahoo informed its users of another newly discovered data breach. That breach occurred in 2013 and affected more than 1 billion Yahoo users. However, despite the magnitude of the Yahoo and Marriott breaches, the Equifax data breach is considered more damaging because social security numbers and birth dates were involved. As one security expert observed, "This data is the key to everyone's files and interactions with financial services, government, and health care." After the announcement was made, the credit reporting agency was heavily criticized for waiting until September 7th to reveal this data breach to the public. This breach took place in March 2017 and went undetected for almost 3 months. It was discovered in late July, but the company decided to withhold this information from the public until it was able to verify the scope of the breach. Thus, Equifax's public announcement did not happen until 6 weeks after the company had learned about the incident and 4 months after the hackers had penetrated the Equifax network.

Cause of the Data Breach

Not long before the data hack announcement, the CEO of Equifax, Rick Smith, reaffirmed his company's commitment to cybersecurity. In answer to a question at a mid-August breakfast meeting, Smith said protecting consumer data was a "huge priority" for the company. However, according to several cyber risk analysis companies, weaknesses and flaws were observed in the Equifax network well before this dangerous data breach occurred. The company had long been considered an attractive target for identity thieves because of its defective cybersecurity practices. But exactly what went wrong at Equifax?
The breach was enabled by a security flaw in a program called Apache Struts, a widely used web application development software product. Through that software bug, hackers gained access to the software underlying the Equifax online dispute portal and from there accessed the internal company databases. Hackers were able to send data to a server in a way that took advantage of the software flaw. It was the digital equivalent of popping open a side window to sneak into a building. Apache issued a patch for the problem as soon as it was discovered. The U.S. Security Readiness Team, which is part of the Department of Homeland Security, sent out a public alert on March 8, 2017 about the software flaw. On March 9, Equifax's Global Threats and Vulnerability Management (GTVM) team released an internal notice declaring the urgent need to install the patch for any Apache Struts applications. The GTVM alerted its programmers and developers that the patch should be installed as soon as possible and no later than 48 hours from receipt of its March 9 memo. However, Equifax did not patch the Apache Struts software flaw until August, 4 months later and well after the fatal intrusion occurred. There were two problems. First, Equifax's chief developer for the online dispute portal, which used the hacked Apache application, was not on the GTVM memo distribution list. Second, in response to the alert about the Apache Struts problem, Equifax scanned its network to identify the vulnerable versions of this program. But the scanning tool did not perform a thorough search at every level of the network and did not identify the vulnerable version of the Apache Struts application that was used for the online dispute portal. Part of the problem was the company's failure to maintain a comprehensive and up-to-date information technology (IT) inventory. Without that inventory, the scanning tools could not be properly directed to find all the instances of the Apache Struts vulnerability.
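The two failures described above, a portal developer missing from the memo distribution list and a scanner that never reached the portal because the IT inventory was incomplete, are both inventory-reconciliation problems: the patch process can only be verified against a list of what is actually deployed. The following Python script is an added example, not code from the case or from Equifax. It reconciles an asset inventory (with an owner for each asset) against scanner output, and reports vulnerable versions, hosts the scan never covered, hosts that nobody inventoried, and vulnerable hosts that have passed the 48-hour deadline set by the memo. The host names, owner addresses, scan results and the fixed-version thresholds are constructed for the example; the thresholds in particular are placeholders, not versions taken from the case or from any advisory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed placeholder thresholds keyed by Struts release branch. In practice
# these come from the vendor advisory; the case text names no version numbers.
FIXED_BY_BRANCH = {"2.3": "2.3.50", "2.5": "2.5.11"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31); a four-part release like '2.5.10.1' compares correctly too."""
    return tuple(int(p) for p in text.strip().split("."))


def branch_of(version: str) -> str:
    """'2.3.31' -> '2.3', the release branch an advisory names a fix for."""
    return ".".join(version.split(".")[:2])


def classify_version(version: Optional[str]) -> str:
    """Return 'vulnerable', 'patched', 'not_installed' or 'unknown_branch'."""
    if version is None:
        return "not_installed"
    fixed = FIXED_BY_BRANCH.get(branch_of(version))
    if fixed is None:
        return "unknown_branch"  # advisory says nothing about this branch: needs a human look
    return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"


@dataclass
class Asset:
    host: str
    application: str
    owner_email: str  # who must receive the patch notice


@dataclass
class Finding:
    host: str
    status: str
    version: Optional[str] = None
    owner_email: Optional[str] = None
    sla_breached: bool = False


def reconcile(inventory: List[Asset], scan_results: Dict[str, Optional[str]],
              notice_sent: datetime, checked_at: datetime,
              sla: timedelta = timedelta(hours=48)) -> dict:
    """Compare what IT believes is deployed (inventory) with what the scanner saw.

    scan_results maps host -> detected Struts version, or None when none is installed.
    A host in inventory but absent from scan_results is a coverage gap; a scanned host
    absent from inventory is an unrecorded asset. Vulnerable hosts still unpatched after
    notice_sent + sla are marked as having breached the deadline.
    """
    by_host = {a.host: a for a in inventory}
    report = {"vulnerable": [], "patched": [], "unknown_branch": [],
              "not_scanned": [], "not_in_inventory": [], "notify": set()}
    deadline = notice_sent + sla

    for host, version in scan_results.items():
        asset = by_host.get(host)
        if asset is None:
            report["not_in_inventory"].append(Finding(host, "not_in_inventory", version))
            continue
        status = classify_version(version)
        if status == "not_installed":
            continue
        breached = status == "vulnerable" and checked_at > deadline
        report[status].append(Finding(host, status, version, asset.owner_email, breached))
        if status in ("vulnerable", "unknown_branch"):
            report["notify"].add(asset.owner_email)

    # Inventory entries the scanner never reached: the dispute-portal failure mode.
    for host, asset in by_host.items():
        if host not in scan_results:
            report["not_scanned"].append(Finding(host, "not_scanned", None, asset.owner_email))
            report["notify"].add(asset.owner_email)
    return report


# Constructed sample data (not from the case): one vulnerable web host, one patched,
# one database host without Struts, one portal host the scanner never covered, and
# one legacy host that was scanned but never recorded in the inventory.
INVENTORY = [
    Asset("web-01.example", "public website", "web-team@example.invalid"),
    Asset("web-02.example", "public website", "web-team@example.invalid"),
    Asset("dispute-01.example", "online dispute portal", "dispute-dev@example.invalid"),
    Asset("db-01.example", "consumer database", "dba@example.invalid"),
]
SCAN_RESULTS = {
    "web-01.example": "2.3.31",     # below the placeholder threshold -> vulnerable
    "web-02.example": "2.5.12",     # at or above the placeholder threshold -> patched
    "db-01.example": None,          # no Struts installed
    "legacy-09.example": "2.3.20",  # scanned, but missing from inventory
    # dispute-01.example is absent on purpose: the scan never reached it
}
NOTICE_SENT = datetime(2017, 3, 9, 9, 0)  # memo date from the case; time of day is constructed


def summarize(report: dict) -> List[str]:
    """Flatten the report into one line per finding for a ticket or a dashboard."""
    lines = []
    for category in ("vulnerable", "unknown_branch", "not_scanned", "not_in_inventory"):
        for f in report[category]:
            flag = " DEADLINE MISSED" if f.sla_breached else ""
            lines.append(f"{category}: {f.host} version={f.version} owner={f.owner_email}{flag}")
    lines.append("notify: " + ", ".join(sorted(report["notify"])))
    return lines


if __name__ == "__main__":
    # Check four days after the memo, i.e. past the 48-hour deadline.
    for line in summarize(reconcile(INVENTORY, SCAN_RESULTS, NOTICE_SENT, datetime(2017, 3, 13, 9, 0))):
        print(line)
```

The point of keeping "not_scanned" and "not_in_inventory" as first-class categories is that a scan which reports only what it found gives a false sense of completeness; the reconciliation surfaces what it could not have found, which is exactly where the dispute portal sat in the case.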
In contrast to Equifax, both of its rivals, TransUnion and Experian, received the same alert from Homeland Security and the same patch from Apache Struts. Both companies patched vulnerable versions of the software within days of receiving the patch, and neither suffered a data breach because of this security flaw.

The 2015 Security Audit

Critics of Equifax have said that its IT and security capabilities have not kept pace with its lofty ambitions. CEO Smith had transformed Equifax from a credit reporting agency into a data giant by purchasing other companies with databases that tracked information about consumers' employment history, salaries, and so forth. Equifax was becoming a data-analytics company. But Smith and his executive team concentrated more on data collection and processing and not so much on securing that data. As a result, Equifax lagged behind on basic security maintenance, despite the fact that the data of credit firms tends to attract many opportunistic hackers. Security ratings companies sounded the alarm, but no one at Equifax seemed to be listening. In April 2017, the cyber risk analysis firm Cyence rated the likelihood of a dangerous data breach at Equifax during the next 12 months at 50%. Also, according to Cyence, the credit reporting agency was second to last in its peer group of 23 companies. SecurityScorecard ranked Equifax "in the middle of the pack" among financial services companies; the reason for the low score was the use of older software and tardiness in installing patches. And Fair Isaac Corp gave Equifax a 550 FICO score on a scale that ranges from 300 to 850; the score considers hardware, network security, and web services. Equifax appeared to be blindsided by the breach and by the allegations of weak security infrastructure that followed its announcement to many dismayed consumers, who found out that their personal information may have been stolen.
But the company had ample warning that its security system was vulnerable and in need of improvement. In 2015, an internal security audit was conducted to review the state of cybersecurity and the company's current policies. The audit exposed salient cybersecurity flaws and deficiencies in the Equifax network. The report concluded that current patch and configuration management controls were not adequately designed to ensure that Equifax systems are securely configured and patched in a timely manner. The audit called attention to Equifax's failure to confirm the successful implementation of patches. According to the audit, most Equifax systems were not patched in a timely manner. The audit report also underscored many vulnerabilities in the company's IT systems. The report cited 1,000 vulnerabilities on externally facing systems and 7,500 on internal systems spread across 22,000 host servers. Despite these findings, there were no follow-up audits after the disappointing 2015 report.

Epilogue

After the breach and the consumer backlash it generated, there were predictions that regulators would impose strict new rules on the credit reporting industry. But no new regulations have been implemented in the United States. There are still no federal laws mandating notification of data breaches within a certain time frame. Equifax had to endure only minimal adverse consequences, but it has budgeted an additional $200 million for IT security. The Consumer Financial Protection Bureau, the agency responsible for the protection and security of consumer data, initiated no punitive actions against Equifax. The Federal Trade Commission also refrained from taking any enforcement action against this credit reporting company.