Equifax (along with TransUnion and Experian) is one of the three main U.S. credit bureaus, which maintain vast repositories of personal and financial data used by lenders to determine credit-worthiness when consumers apply for a credit card, mortgage, or other loans. The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website. These data are provided by banks and other companies directly to Equifax and the other credit bureaus. Consumers have little choice over how credit bureaus collect and store their personal and financial data.

Equifax has more data on you than just about anyone else. If any company needs airtight security for its information systems, it should be a credit reporting bureau such as Equifax. Unfortunately, this has not been the case.

On September 7, 2017, Equifax reported that from mid-May through July 2017 hackers had gained access to some of its systems and potentially to the personal information of about 143 million U.S. consumers, including Social Security numbers and driver's license numbers. Credit card numbers for 209,000 consumers and personal information used in disputes for 182,000 people were also compromised. Equifax reported the breach to law enforcement and also hired a cybersecurity firm to investigate. The size of the breach and the importance and quantity of the personal information compromised are considered unprecedented.

Immediately after Equifax discovered the breach, three top executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman claimed the three executives had no knowledge that an intrusion had occurred at the time they sold their shares on August 1 and August 2. Bloomberg reported that the share sales were not planned in advance. On October 4, 2017, Richard Smith, who had stepped down as Equifax CEO the previous month, testified before Congress and apologized for the breach.

The size of the Equifax data breach was second only to the Yahoo breach of 2013, which affected the data of all of Yahoo's 3 billion customers. The Equifax breach was especially damaging because of the amount of sensitive personal and financial data stored by Equifax that was stolen, and the role such data play in securing consumers' bank accounts, medical histories, and access to financing. In one swoop, the hackers gained access to several essential pieces of personal information that could help attackers commit fraud. According to Avivah Litan, a fraud analyst at Gartner Inc., on a scale of risk to consumers of 1 to 10, this is a 10.

After becoming CEO in 2005, Smith transformed Equifax from a slow-growing credit-reporting company (1-2 percent organic growth per year) into a global data powerhouse. Equifax bought companies with databases housing information about consumers' employment histories, savings, and salaries, and expanded internationally. The company bought and sold pieces of data that enabled lenders, landlords, and insurance companies to make decisions about granting credit, hiring job seekers, and renting apartments. Equifax was transformed into a lucrative business housing $12 trillion of consumer wealth data. In 2016, the company generated $3.1 billion in revenue.

Competitors privately observed that Equifax did not upgrade its technological capabilities to keep pace with its aggressive growth. Equifax appeared to be more focused on growing data it could commercialize.

Hackers gained access to Equifax systems containing customer names, Social Security numbers, birth dates, and addresses. These four pieces of data are generally required for individuals to apply for various types of consumer credit, including credit cards and personal loans. Criminals who have access to such data could use it to obtain approval for credit in other people's names. Credit specialist and former Equifax manager John Ulzheimer calls this a "nightmare scenario" because all four critical pieces of information for identity theft are in one place.

The hack exploited a known vulnerability in Apache Struts, an open-source web application framework that Equifax and many other companies use to build websites. The vulnerability (tracked as CVE-2017-5638) had been publicly disclosed in March 2017, and a patched release of Struts was available at that time. Equifax therefore had the information it needed to eliminate the vulnerability roughly two months before the intrusion began in mid-May, but the affected web application was never patched.
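The step that failed here is the mundane one: knowing which servers run the affected Struts release. The following Python scanner is an added example, not Equifax's tooling or anything from the case's sources. It walks a deployment directory, finds struts2-core jars both as loose files and inside WAR/EAR archives, and flags versions in the affected range. The affected versions (2.3.5 through 2.3.31 and 2.5 through 2.5.10) and the fixed releases (2.3.32 and 2.5.10.1) are taken from the Apache Struts S2-045 advisory for CVE-2017-5638, not from the case text; the sample deployment it scans is constructed in a temporary directory.

```python
"""Inventory Apache Struts 2 core jars on disk (loose, or bundled inside
WAR/EAR archives) and flag versions affected by S2-045 / CVE-2017-5638."""
import os
import re
import tempfile
import zipfile

# Affected and fixed versions come from the Apache Struts S2-045 advisory,
# not from the case text: 2.3.5 - 2.3.31 (fixed in 2.3.32) and
# 2.5 - 2.5.10 (fixed in 2.5.10.1).
AFFECTED_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10)))
FIXED_IN = {"2.3": "2.3.32", "2.5": "2.5.10.1"}

# Matches struts2-core-<version>.jar as a loose file or as an archive member.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")
ARCHIVE_EXTS = (".war", ".ear", ".zip", ".jar")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); integer tuples compare correctly, strings do not."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_struts(version):
    """True when the version falls inside an affected range of the advisory."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def fixed_version_for(version):
    """Patched release for the version's branch, or None for other branches."""
    return FIXED_IN.get(".".join(version.split(".")[:2]))


def scan_names(names, container=None):
    """Report every struts2-core jar among the given paths or archive members."""
    findings = []
    for name in names:
        match = JAR_RE.search(name.replace("\\", "/"))
        if not match:
            continue
        version = match.group(1)
        findings.append({
            "location": f"{container}!{name}" if container else name,
            "version": version,
            "vulnerable": is_vulnerable_struts(version),
            "fixed_in": fixed_version_for(version),
        })
    return findings


def scan_tree(root):
    """Walk a directory (e.g. a Tomcat webapps/ folder) and scan both loose
    jars and the members of any deployable archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            findings.extend(scan_names([path]))
            if filename.lower().endswith(ARCHIVE_EXTS) and zipfile.is_zipfile(path):
                try:
                    with zipfile.ZipFile(path) as archive:
                        findings.extend(scan_names(archive.namelist(), container=path))
                except zipfile.BadZipFile:
                    pass  # truncated or corrupt archive; nothing to inspect
    return findings


def demo():
    """Build a constructed sample deployment in a temp directory and scan it.
    The archive contents are placeholders, not real Struts code."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    os.makedirs(os.path.join(root, "webapps"))
    os.makedirs(os.path.join(root, "lib"))
    # A deployed WAR bundling an affected struts2-core under WEB-INF/lib.
    with zipfile.ZipFile(os.path.join(root, "webapps", "portal.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"placeholder")
        war.writestr("WEB-INF/lib/commons-io-2.5.jar", b"placeholder")
    # A loose jar in a shared lib directory that is already on the fixed release.
    with open(os.path.join(root, "lib", "struts2-core-2.5.10.1.jar"), "wb") as jar:
        jar.write(b"placeholder")
    return sorted(scan_tree(root), key=lambda f: parse_version(f["version"]))


if __name__ == "__main__":
    for finding in demo():
        flag = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f'{flag:10} {finding["version"]:9} {finding["location"]}')
```

Run it directly to scan the constructed sample, or call scan_tree() on a real deployment directory. Versions are compared as integer tuples rather than strings because "2.5.10.1" sorts before "2.5.2" as text, which would mark the fixed release as vulnerable. Looking inside archives matters because a Struts jar bundled in a WAR never shows up in a listing of loose files, which is one reason patch-status surveys based on filenames alone miss affected applications.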

Weaknesses in Equifax security systems were evident well before the big hack. A hacker was able to access credit-report data between April 2013 and January 2014. The company discovered that it mistakenly exposed consumer data as a result of a "technical error" that occurred during a 2015 software change. Breaches in 2016 and 2017 compromised information on consumers' W-2 forms that were stored by Equifax units. Additionally, Equifax disclosed in February 2017 that a "technical issue" compromised credit information of some consumers who used identity-theft protection services from LifeLock.

Analyses earlier in 2017 performed by four companies that rank the security status of companies based on publicly available information showed that Equifax was behind on basic maintenance of websites that could have been involved in transmitting sensitive consumer information. Cyberrisk analysis firm Cyence rated the danger of a data breach at Equifax during the next 12 months at 50 percent. It also found the company performed poorly when compared with other financial-services companies. The other analyses gave Equifax a higher overall ranking, but the company fared poorly in overall web-services security, application security, and software patching.

A security analysis by Fair Isaac Corporation (FICO), a data analytics company focusing on credit scoring services, found that by July 14 public-facing websites run by Equifax had expired certificates, errors in the chain of certificates, or other web-security issues. TLS certificates let a browser verify that it is talking to the genuine site rather than an impostor and set up the encrypted connection; an expired certificate or a broken chain means that verification fails, and it is also a visible sign that basic maintenance is being neglected.
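A check like FICO's can be run against one's own public-facing hosts. The following Python script is an added example, not FICO's method or anything from the case's sources: it connects to a host with the standard library's default TLS context (which verifies the chain against the system trust store and checks the hostname), reports chain or hostname failures, and classifies the leaf certificate's validity window so that certificates close to expiry are flagged before they lapse. The SAMPLE_CERT dictionary is a constructed stand-in shaped like ssl.getpeercert() output, not a real Equifax certificate, so the classification logic can be exercised offline.

```python
"""Check the TLS certificate of a public-facing site: validity window,
and whether the chain and hostname verify against the system trust store."""
import socket
import ssl
import sys
import time

WARN_DAYS = 30  # flag certificates that expire within this many days


def gmt_to_epoch(cert_time):
    """Parse the 'Jun 26 21:41:46 2018 GMT' format used in getpeercert()."""
    return ssl.cert_time_to_seconds(cert_time)


def cert_status(cert, now=None, warn_days=WARN_DAYS):
    """Classify a certificate dict shaped like ssl.SSLSocket.getpeercert().

    Returns (status, days_left) with status one of
    'not-yet-valid', 'expired', 'expiring-soon', 'ok'.
    """
    now = time.time() if now is None else now
    not_before = gmt_to_epoch(cert["notBefore"])
    not_after = gmt_to_epoch(cert["notAfter"])
    days_left = (not_after - now) / 86400.0
    if now < not_before:
        return "not-yet-valid", days_left
    if now > not_after:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring-soon", days_left
    return "ok", days_left


def check_host(host, port=443, timeout=5.0):
    """Connect to host:port and report chain/hostname verification and
    the leaf certificate's status as a dict."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        # An expired leaf, an untrusted or incomplete chain and a hostname
        # mismatch all fail the handshake and land here with a reason string.
        return {"host": host, "status": "chain-error", "detail": e.verify_message}
    except (OSError, ssl.SSLError) as e:
        return {"host": host, "status": "connect-error", "detail": str(e)}
    status, days_left = cert_status(cert)
    return {
        "host": host,
        "status": status,
        "days_left": round(days_left, 1),
        "subject": dict(item[0] for item in cert.get("subject", ())),
        "issuer": dict(item[0] for item in cert.get("issuer", ())),
    }


# Constructed sample shaped like getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jun 14 00:00:00 2016 GMT",
    "notAfter": "Jul 13 23:59:59 2017 GMT",
}


if __name__ == "__main__":
    # Offline: classify the constructed sample as of a chosen date.
    print(cert_status(SAMPLE_CERT, now=gmt_to_epoch("Jul 14 12:00:00 2017 GMT")))
    # Online: check any hosts given on the command line.
    for hostname in sys.argv[1:]:
        print(check_host(hostname))
```

Two points a practitioner will want to keep in mind. First, the default context fails the handshake on an expired leaf as well as on a bad chain, so a live check of a lapsed certificate surfaces as "chain-error" with the OpenSSL reason ("certificate has expired"); cert_status() is what gives early warning while the certificate is still valid. Second, a verifier that uses the system trust store only tells you what a browser on that machine would see; a chain that depends on an intermediate the server fails to send may verify on a host that has that intermediate cached and fail everywhere else.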

The findings of the outside security analyses appear to conflict with public declarations by Equifax executives that cybersecurity was a top priority. Senior executives had previously said cybersecurity was one of the fastest-growing areas of expense for the company. Equifax executives touted Equifax's focus on security in an investor presentation that took place weeks after the company had discovered the attack.

Equifax has not revealed specifics about the attack, but either its databases were not encrypted or the hackers exploited an application vulnerability that gave them the data in unencrypted form. The distinction matters less than it sounds: a web application that legitimately reads the database sees the data in the clear, so encryption at rest does not protect against an attacker who controls that application. Experts think, and hope, that the hackers were unable to access all of Equifax's encrypted databases to match up information such as driver's license or Social Security numbers needed to create a complete data profile for identity theft.

Equifax management stated that although the hack potentially accessed data on approximately 143 million U.S. consumers, it had found no evidence of unauthorized activity in the company's core credit reporting databases. The hack triggered an uproar among consumers, financial organizations, privacy advocates, and the press. Equifax lost one-third of its stock market value. Equifax CEO Smith resigned, with the CSO (chief security officer) and CIO departing the company as well. Banks will have to replace approximately 209,000 credit cards whose numbers were stolen in the breach, a major expense. Lawsuits are in the works.

Unfortunately, the worst impact will be on consumers themselves, because the theft of uniquely identifying personal information such as Social Security numbers, address history, debt history, and birth dates could have a permanent effect. These pieces of critical personal data could be floating around the Dark Web for exploitation and identity theft for many years. Such information would help hackers answer the series of security questions that are often required to access financial accounts. According to Pamela Dixon, executive director of the World Privacy Forum, "This is about as bad as it gets." If you have a credit report, there is at least a 50 percent chance that your data were stolen in this breach.

The data breach exposed Equifax to legal and financial challenges, although the regulatory environment is likely to become more lenient under the current presidential administration. It already is too lenient. Credit reporting bureaus such as Equifax are very lightly regulated. Given the scale of the data compromised, the punishment for breaches is close to nonexistent. There is no federally sanctioned insurance or audit system for data storage, the way the Federal Deposit Insurance Corporation provides insurance for banks after losses. For many types of data, there are few licensing requirements for housing personally identifiable information. In many cases, terms-of-service documents indemnify companies against legal consequences for breaches.

Experts said it was highly unlikely that any regulatory body would shut Equifax down over this breach. The company is considered too critical to the American financial system. The two regulators that do have jurisdiction over Equifax, the Federal Trade Commission and the Consumer Financial Protection Bureau, declined to comment on any potential punishments over the credit agency's breach.

Even after one of the most serious data breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual. And the scope of the problem is much wider. Public policy has no good way to heavily punish companies that fail to safeguard our data. The United States and other countries have allowed the emergence of huge, phenomenally detailed databases full of personal information available to financial companies, technology companies, medical organizations, advertisers, insurers, retailers, and the government.

Equifax has offered very weak remedies for consumers. People can go to the Equifax website to see if their information has been compromised. The site asks consumers to provide their last name and the last six digits of their Social Security number. However, even if they do that, they do not necessarily learn whether they were affected. Instead, the site provides an enrollment date for its protection service. Equifax offered a free year of credit protection service to consumers enrolling before November 2017. Obviously, all of these measures won't help much, because stolen personal data will be available to hackers on the Dark Web for years to come. Governments involved in state-sponsored cyberwarfare are able to use the data to populate databases of detailed personal and medical information that can be used for blackmail or future attacks. Ironically, the credit-protection service that Equifax is offering requires subscribers to waive their legal rights to seek compensation from Equifax for their losses in order to use the service, while Equifax goes unpunished. On March 1, 2018, Equifax announced that the breach had compromised the names and driver's license numbers of an additional 2.4 million Americans.

Harmful data breaches keep happening. In almost all cases, even when the data concerns tens or hundreds of millions of people, companies such as Equifax and Yahoo that were hacked continue to operate. There will be hacks—and afterward, there will be more. Companies need to be even more diligent about incorporating security into every aspect of their IT infrastructure and systems development activities. According to Litan, to prevent data breaches such as Equifax's, organizations need many layers of security controls. They need to assume that prevention methods are going to fail.

Sources: Selena Larson, "Equifax Says Hackers Stole More than Previously Reported," CNN, March 1, 2018; AnnaMaria Andriotis and Michael Rapoport, "Equifax Upends CEO's Drive to Be a Data Powerhouse," Wall Street Journal, September 22, 2017; AnnaMaria Andriotis and Robert McMillan, "Equifax Security Showed Signs of Trouble Months Before Hack," Wall Street Journal, September 26, 2017; AnnaMaria Andriotis and Ezequiel Minaya, "Equifax Reports Data Breach Possibly Affecting 143 Million Consumers," Wall Street Journal, September 7, 2017; Tara Siegel Bernard and Stacy Cowley, "Equifax Hack Exposes Regulatory Gaps, Leaving Customers Vulnerable," New York Times, September 8, 2017; Farhad Manjoo, "Seriously, Equifax? This Is a Breach No One Should Get Away With," New York Times, September 8, 2017; Eileen Chang, "Why Equifax Breach of 143 Million Consumers Should Freak You Out," thestreet.com, September 8, 2017; Tara Siegel Bernard, Tiffany Hsu, Nicole Perlroth, and Ron Lieber, "Equifax Says Cyberattack May Have Affected 143 Million Customers," New York Times, September 7, 2017; and Nicole Perlroth and Cade Metz, "What We Know and Don't Know About the Equifax Hack," New York Times, September 14, 2017.

8-13 Identify and describe the security and control weaknesses discussed in this case.

8-14 What management, organization, and technology factors contributed to these problems?

8-15 Discuss the impact of the Equifax hack.

8-16 How can future data breaches like this one be prevented? Explain your answer.
