Equifax (along with TransUnion and Experian) is one of the three main U.S. credit bureaus, which maintain vast repositories of personal and financial data used by lenders to determine credit-worthiness when consumers apply for a credit card, mortgage, or other loans. The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website. These data are provided by banks and other companies directly to Equifax and the other credit bureaus. Consumers have little choice over how credit bureaus collect and store their personal and financial data.
Equifax has more data on you than just about anyone else. If any company needs airtight security for its information systems, it should be credit reporting bureaus such as Equifax. Unfortunately this has not been the case.
On September 7, 2017 Equifax reported that from mid-May through July 2017 hackers had gained access to some of its systems and potentially the personal information of about 143 million U.S. consumers, including Social Security numbers and driver's license numbers. Credit card numbers for 209,000 consumers and personal information used in disputes for 182,000 people were also compromised. Equifax reported the breach to law enforcement and also hired a cybersecurity firm to investigate. The size and importance of the breach, and the quantity of personal information compromised, are considered unprecedented.
Immediately after Equifax discovered the breach, three top executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman claimed the three executives had no knowledge that an intrusion had occurred at the time they sold their shares on August 1 and August 2. Bloomberg reported that the share sales were not planned in advance. On October 4, 2017 Equifax CEO Richard Smith testified before Congress and apologized for the breach.
The size of the Equifax data breach was second only to the Yahoo breach of 2013, which affected data of all of Yahoo's 3 billion customers. The Equifax breach was especially damaging because of the amount of sensitive personal and financial data stored by Equifax that was stolen, and the role such data play in securing consumers' bank accounts, medical histories, and access to financing. In one swoop the hackers gained access to several essential pieces of personal information that could help attackers commit fraud. According to Avivah Litan, a fraud analyst at Gartner Inc., on a scale of risk to consumers of 1 to 10, this is a 10.
After taking Equifax public in 2005, CEO Smith transformed the company from a slow-growing credit-reporting company (1-2 percent organic growth per year) into a global data powerhouse. Equifax bought companies with databases housing information about consumers' employment histories, savings, and salaries, and expanded internationally. The company bought and sold pieces of data that enabled lenders, landlords, and insurance companies to make decisions about granting credit, hiring job seekers, and renting an apartment. Equifax was transformed into a lucrative business housing $12 trillion of consumer wealth data. In 2016, the company generated $3.1 billion in revenue.
Competitors privately observed that Equifax did not upgrade its technological capabilities to keep pace with its aggressive growth. Equifax appeared to be more focused on growing data it could commercialize.
Hackers gained access to Equifax systems containing customer names, Social Security numbers, birth dates, and addresses. These four pieces of data are generally required for individuals to apply for various types of consumer credit, including credit cards and personal loans. Criminals who have access to such data could use it to obtain approval for credit using other people's names. Credit specialist and former Equifax manager John Ulzheimer calls this a "nightmare scenario" because all four critical pieces of information for identity theft are in one place.
The hack involved a known vulnerability in Apache Struts, a type of open-source software Equifax and other companies use to build websites. This software vulnerability had been publicly identified in March 2017, and a patch to fix it was released at that time. That means Equifax had the information to eliminate this vulnerability two months before the breach occurred. It did nothing.
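The control that fails in the paragraph above is the one that tracks how long a published fix has gone unapplied. The following is an added example, not part of the case study or any Equifax tooling: a small patch-lag report that joins a constructed asset inventory against a constructed advisory feed and reports, per host, how many days a fix has been public and whether a patching SLA has been blown. Every advisory id, component name, version, hostname and date in it is a placeholder invented for the example; none is the real Struts advisory or Equifax's inventory.

```python
"""Added example (not from the case study): a patch-lag report of the kind a
defender runs to catch the gap the case describes, where a fix was public for
two months and never applied. All ids, components, versions, hosts and dates
below are constructed placeholders, not the real Struts advisory."""
from datetime import date


def parse_version(v):
    """Numeric tuple compare, so 2.10.0 sorts after 2.4.0 (string compare would not)."""
    return tuple(int(part) for part in v.split("."))


def is_fixed(installed, fixed_in):
    return parse_version(installed) >= parse_version(fixed_in)


# Constructed advisory feed: first fixed version and publication date.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "web-framework",
     "fixed_in": "2.4.0", "published": date(2017, 3, 15)},
    {"id": "ADVISORY-PLACEHOLDER-2", "component": "tls-library",
     "fixed_in": "1.1.1", "published": date(2017, 4, 20)},
]

# Constructed asset inventory: what is actually deployed, per host.
ASSETS = [
    {"host": "web-01", "component": "web-framework", "version": "2.3.30"},
    {"host": "web-02", "component": "web-framework", "version": "2.4.0"},
    {"host": "api-01", "component": "tls-library", "version": "1.1.0"},
    {"host": "db-01", "component": "db-engine", "version": "9.6"},
]

# Constructed report date: mid-May 2017, when the case says the intrusion began.
REPORT_DATE = date(2017, 5, 13)


def patch_lag_report(assets, advisories, as_of, sla_days=30):
    """List assets still below a fixed version, with the days the fix has been
    available and whether that exceeds the patching SLA; worst lag first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv["component"] != asset["component"]:
                continue
            if is_fixed(asset["version"], adv["fixed_in"]):
                continue
            days = (as_of - adv["published"]).days
            findings.append({
                "host": asset["host"],
                "component": asset["component"],
                "installed": asset["version"],
                "advisory": adv["id"],
                "fixed_in": adv["fixed_in"],
                "days_exposed": days,
                "overdue": days > sla_days,
            })
    findings.sort(key=lambda f: f["days_exposed"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in patch_lag_report(ASSETS, ADVISORIES, REPORT_DATE):
        flag = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['host']}: {f['component']} {f['installed']} < {f['fixed_in']} "
              f"({f['advisory']}), fix public {f['days_exposed']} days, {flag}")
```

The point of sorting by `days_exposed` rather than by severity is that the case's failure was not an unknown risk but a known one left open for 59 days in this constructed data; the report makes that ageing visible to whoever owns the SLA. Real inventories would feed `ASSETS` from a scanner or package database rather than a literal list.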
Weaknesses in Equifax security systems were evident well before the big hack. A hacker was able to access credit-report data between April 2013 and January 2014. The company discovered that it mistakenly exposed consumer data as a result of a "technical error" that occurred during a 2015 software change. Breaches in 2016 and 2017 compromised information on consumers' W-2 forms that were stored by Equifax units. Additionally, Equifax disclosed in February 2017 that a "technical issue" compromised credit information of some consumers who used identity-theft protection services from LifeLock.
Analyses earlier in 2017 performed by four companies that rank the security status of companies based on publicly available information showed that Equifax was behind on basic maintenance of websites that could have been involved in transmitting sensitive consumer information. Cyberrisk analysis firm Cyence rated the danger of a data breach at Equifax during the next 12 months at 50 percent. It also found the company performed poorly when compared with other financial-services companies. The other analyses gave Equifax a higher overall ranking, but the company fared poorly in overall web-services security, application security, and software patching.
A security analysis by Fair Isaac Corporation (FICO), a data analytics company focusing on credit scoring services, found that by July 14 public-facing websites run by Equifax had expired certificates, errors in the chain of certificates, or other web-security issues. Certificates are used to validate that a user's connection with a website is legitimate and secure.
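The findings above (expired certificates, broken chains) are exactly what an outside rater sees from a public-facing site, and an operator can run the same hygiene check internally. The following is an added example, not code from the case study or from FICO or Equifax: an offline audit over certificates in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, using the standard library's `ssl.cert_time_to_seconds` to parse the `notBefore`/`notAfter` strings. The certificates, CA names, hostnames and the trusted-root set are constructed for the example. The chain check compares issuer and subject names only, so it detects the misconfigurations the case names (an expired leaf, a missing intermediate, a certificate for the wrong name), not forged signatures; cryptographic verification stays with the TLS library.

```python
"""Added example (not from the case study): an offline certificate-hygiene
audit over getpeercert()-style dictionaries. All certificates, CA names and
hostnames here are constructed; the linkage check is by name, not signature."""
import ssl
from datetime import datetime, timezone

# --- constructed test data in getpeercert() format -------------------------
ROOT_SUBJECT = ((("commonName", "Example Root CA"),),)
INTERMEDIATE_SUBJECT = ((("commonName", "Example Intermediate CA"),),)

INTERMEDIATE = {
    "subject": INTERMEDIATE_SUBJECT,
    "issuer": ROOT_SUBJECT,
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
LEAF_OK = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": INTERMEDIATE_SUBJECT,
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Dec 31 23:59:59 2017 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
LEAF_EXPIRED = dict(LEAF_OK, notAfter="Jun 30 23:59:59 2017 GMT")
TRUSTED_ROOTS = {ROOT_SUBJECT}          # subjects of roots we choose to trust
AS_OF = datetime(2017, 7, 14, tzinfo=timezone.utc)   # audit date named in the case


def validity_issue(cert, now):
    """Return 'expired', 'not-yet-valid' or None, parsing dates with the stdlib."""
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not-yet-valid"
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return None


def hostname_matches(hostname, cert):
    """Exact or single-label wildcard match against DNS subjectAltName entries."""
    host_labels = hostname.lower().split(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        labels = name.lower().split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def chain_issues(chain, trusted_roots):
    """Name-linkage check: each issuer must equal the next subject, and the
    last issuer must be a trusted root; otherwise an intermediate is missing."""
    issues = []
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            issues.append("chain-broken")
    if chain[-1]["issuer"] not in trusted_roots:
        issues.append("chain-untrusted-root")
    return issues


def audit(hostname, chain, trusted_roots=TRUSTED_ROOTS, now=AS_OF):
    """Audit one served chain (leaf first); an empty list means no findings."""
    issues = []
    leaf = chain[0]
    problem = validity_issue(leaf, now)
    if problem:
        issues.append(problem)
    if not hostname_matches(hostname, leaf):
        issues.append("hostname-mismatch")
    issues.extend(chain_issues(chain, trusted_roots))
    return issues


if __name__ == "__main__":
    cases = [("www.example.com", [LEAF_OK, INTERMEDIATE]),
             ("www.example.com", [LEAF_EXPIRED, INTERMEDIATE]),
             ("www.example.com", [LEAF_OK]),            # intermediate not served
             ("shop.example.com", [LEAF_OK, INTERMEDIATE])]
    for host, chain in cases:
        print(host, audit(host, chain) or "ok")
```

In production the chain would come from the live handshake rather than literals, and the three finding codes map directly onto what the raters flagged: `expired` is the expired certificate, `chain-untrusted-root` with no `chain-broken` is the classic missing-intermediate error that browsers paper over with cached intermediates but automated raters do not, and `hostname-mismatch` is a certificate served on a name it was never issued for.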
The findings of the outside security analyses appear to conflict with public declarations by Equifax executives that cybersecurity was a top priority. Senior executives had previously said cybersecurity was one of the fastest-growing areas of expense for the company. Equifax executives touted Equifax's focus on security in an investor presentation that took place weeks after the company had discovered the attack.
Equifax has not revealed specifics about the attack, but either its databases were not encrypted or hackers were able to exploit an application vulnerability that provided access to data in an unencrypted state. Experts think—and hope—that the hackers were unable to access all of Equifax's encrypted databases to match up information such as driver license or Social Security numbers needed to create a complete data profile for identity theft.
Equifax management stated that although the hack potentially accessed data on approximately 143 million U.S. consumers, it had found no evidence of unauthorized activity in the company's core credit reporting databases. The hack triggered an uproar among consumers, financial organizations, privacy advocates, and the press. Equifax lost one-third of its stock market value. Equifax CEO Smith resigned, with the CSO (chief security officer) and CIO departing the company as well. Banks will have to replace approximately 209,000 credit cards that were stolen in the breach, a major expense. Lawsuits are in the works.
Unfortunately the worst impact will be on consumers themselves, because the theft of uniquely identifying personal information such as Social Security numbers, address history, debt history, and birth dates could have a permanent effect. These pieces of critical personal data could be floating around the Dark Web for exploitation and identity theft for many years. Such information would help hackers answer the series of security questions that are often required to access financial accounts. According to Pamela Dixon, executive director of the World Privacy Forum, "This is about as bad as it gets." If you have a credit report, there's at least a 50 percent chance that your data were stolen in this breach.
The data breach exposed Equifax to legal and financial challenges, although the regulatory environment is likely to become more lenient under the current presidential administration. It already is too lenient. Credit reporting bureaus such as Equifax are very lightly regulated. Given the scale of the data compromised, the punishment for breaches is close to nonexistent. There is no federally sanctioned insurance or audit system for data storage, the way the Federal Deposit Insurance Corporation provides insurance for banks after losses. For many types of data, there are few licensing requirements for housing personally identifiable information. In many cases, terms-of-service documents indemnify companies against legal consequences for breaches.
Experts said it was highly unlikely that any regulatory body would shut Equifax down over this breach. The company is considered too critical to the American financial system. The two regulators that do have jurisdiction over Equifax, the Federal Trade Commission and the Consumer Financial Protection Bureau, declined to comment on any potential punishments over the credit agency's breach.
Even after one of the most serious data breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual. And the scope of the problem is much wider. Public policy has no good way to heavily punish companies that fail to safeguard our data. The United States and other countries have allowed the emergence of huge, phenomenally detailed databases full of personal information available to financial companies, technology companies, medical organizations, advertisers, insurers, retailers, and the government.
Equifax has offered very weak remedies for consumers. People can go to the Equifax website to see if their information has been compromised. The site asks customers to provide their last name and the last six digits of their Social Security number. However, even if they do that, they do not necessarily learn whether they were affected. Instead, the site provides an enrollment date for its protection service. Equifax offered a free year of credit protection service to consumers enrolling before November 2017. Obviously, all of these measures won't help much because stolen personal data will be available to hackers on the Dark Web for years to come. Governments involved in state-sponsored cyberwarfare are able to use the data to populate databases of detailed personal and medical information that can be used for blackmail or future attacks. Ironically, the credit-protection service that Equifax is offering requires subscribers to waive their legal rights to seek compensation from Equifax for their losses in order to use the service, while Equifax goes unpunished. On March 1, 2018, Equifax announced that the breach had compromised an additional 2.4 million Americans' names and driver's license numbers.
Harmful data breaches keep happening. In almost all cases, even when the data concerns tens or hundreds of millions of people, companies such as Equifax and Yahoo that were hacked continue to operate. There will be hacks—and afterward, there will be more. Companies need to be even more diligent about incorporating security into every aspect of their IT infrastructure and systems development activities. According to Litan, to prevent data breaches such as Equifax's, organizations need many layers of security controls. They need to assume that prevention methods are going to fail.
Sources: Selena Larson, "Equifax Says Hackers Stole More than Previously Reported," CNN, March 1, 2018; AnnaMaria Andriotis and Michael Rapoport, "Equifax Upends CEO's Drive to Be a Data Powerhouse," Wall Street Journal, September 22, 2017; AnnaMaria Andriotis and Robert McMillan, "Equifax Security Showed Signs of Trouble Months Before Hack," Wall Street Journal, September 26, 2017; AnnaMaria Andriotis and Ezequiel Minaya, "Equifax Reports Data Breach Possibly Affecting 143 Million Consumers," Wall Street Journal, September 7, 2017; Tara Siegel Bernard and Stacy Cowley, "Equifax Hack Exposes Regulatory Gaps, Leaving Customers Vulnerable," New York Times, September 8, 2017; Farhad Manjoo, "Seriously, Equifax? This Is a Breach No One Should Get Away With," New York Times, September 8, 2017; Eileen Chang, "Why Equifax Breach of 143 Million Consumers Should Freak You Out," thestreet.com, September 8, 2017; Tara Siegel Bernard, Tiffany Hsu, Nicole Perlroth, and Ron Lieber, "Equifax Says Cyberattack May Have Affected 143 Million Customers," New York Times, September 7, 2017; and Nicole Perlroth and Cade Metz, "What We Know and Don't Know About the Equifax Hack," New York Times, September 14, 2017.
8-13 Identify and describe the security and control weaknesses discussed in this case.
8-14 What management, organization, and technology factors contributed to these problems?
8-15 Discuss the impact of the Equifax hack.
8-16 How can future data breaches like this one be prevented? Explain your answer.