Equifax Security Breach
Background
Business Name and History
Equifax is a consumer reporting agency (CRA) that experienced a data breach in 2017 (mid-May to July), which compromised millions of credit holders’ data (Kenny, 2018). Equifax was founded in 1899, and it offers its services to consumers, governments, corporations, and financial institutions (HSGAC, 2019). The organization operates in 24 nations, some of them outside North America, in regions such as Europe, Asia Pacific, and Latin America (Wang & Johnson, 2018). Equifax computes and stores information on over 81 million business firms and 820 million customers. Furthermore, the company’s database contains information about over 7,1000 workers (HSGAC, 2019). Prior to the 2017 cyberattack, the CRA experienced a data breach in 2016 that exposed the salary and tax information of many consumers (Smith & Mulrain, 2017).
Industry
Equifax belongs to the credit reporting industry. The organization is among the largest credit bureaus in the US, alongside TransUnion and Experian (HSGAC, 2019). The credit bureaus receive information from financial institutions, mortgage lenders, credit unions, and banks. Therefore, credit holders do not have the discretion to determine how their personal data is used. The organizations in this industry collect and sell credit records regarding a person’s borrowing and repayment of loans without his/her consent.
Software or Applications Involved
The attackers stole the consumers’ identifiable data by capitalizing on a vulnerability in the firm’s web application. The breach affected the Apache Struts web-application software used in the organization (Smith & Mulrain, 2017). The web application had a weakness that allowed hackers to access the agency’s network.
Timing
Time was a crucial factor in this data breach. Equifax had over two months to implement appropriate measures and protect the consumers. On March 7, 2017, the Apache Struts developer noticed its software’s vulnerability, issued a warning, and dispatched a patch to relevant users (HSGAC, 2019). On March 8, 2017, the US Computer Emergency Readiness Team notified Equifax and other CRA firms, which include TransUnion and Experian, regarding the vulnerability and the patch (HSGAC, 2019). Equifax sent a directive to its IT managers to implement the patch the following day. On March 15, 2017, the IT personnel scanned the entire system, but they did not identify any vulnerability, including in the very web portal that was hacked (Fruhlinger, 2020). Consequently, Equifax did not apply any patch. Ultimately, the attackers used the software’s vulnerability to intrude into Equifax’s network in May 2017 (Smith & Mulrain, 2017). The attack could have been avoided if the company had applied the patch on time.
Besides the patch, the agency failed to renew its SSL certificates on time. The agency failed to renew one of its SSL certificates for about ten months, and this lapse allowed the attackers to access the system without being detected (HSGAC, 2019). As such, Equifax would have detected the intrusion early and minimized the damage if its SSL certificate had been up to date.
Breach/Compromise
The attackers used the vulnerabilities in the company’s configuration and patch management systems. The organization used the Apache Struts web-application software, which was exploited by the attackers. The company had not promptly patched and updated the Apache Struts platform as called for by both its control policies and the alert from the government. The weakness of Apache Struts allowed the hackers to easily access the company’s system through a complaint web portal in May 2017 (Smith & Mulrain, 2017). After accessing the dispute portal, the cybercriminals sent commands and queries to other systems, allowing them to remove PII within those sections. The cybercriminals navigated other servers due to the inadequate segmentation of the system. Furthermore, the hackers also obtained passwords and usernames in plaintext, which enabled them to move to other databases (Fruhlinger, 2020).
The cybercriminals exfiltrated data from the system via an encrypted connection without being detected for several months. This was possible because the organization had not renewed one of its internal security systems’ encryption certificates (Fruhlinger, 2020). The expired certificate made Equifax unable to decrypt and investigate the incoming traffic within the complaint portal. It took the organization about 78 days to detect the intrusion (HSGAC, 2019). Overall, the systems attacked include Apache Struts and the company’s PII databases.
Exfiltration
The attackers exfiltrated the personal information of a plethora of credit holders from countries where Equifax operated. According to Smith and Mulrain (2017), the breach affected data of approximately 143 million individuals. The data included names, addresses, birth dates, as well as Social Security and driving license numbers. Furthermore, the data leakage compromised credit card data of about 209,000 individuals. Additionally, 182,000 people had their credit dispute documents affected (Smith & Mulrain, 2017). The breach was not restricted to the US. Some citizens from Canada and the UK were victims as well (Smith & Mulrain, 2017). This situation posed a security threat to the consumers, given that some of them could not tell whether their data was compromised. A large percentage of the victims had not interacted with the companies before. This is a consequence of how the credit bureaus operate: some data is collected from financial institutions without the organization interacting with individual consumers. Therefore, the case may cause significant harm, as some individuals may be unaware of whether the breach affected them. The attackers obtained the information by gaining access to Equifax’s network. The cybercriminals were able to access unencrypted passwords and usernames, which enabled further access into other databases.
Potential Effects on the Persons Involved
The breach has several effects on the individuals whose data was compromised. First, the individuals may experience financial impacts that can last for years due to their stolen Social Security numbers (SSNs). According to Smith and Mulrain (2017), the harmful effects of the loss of the SSNs in Equifax’s breach can last for a hundred years, the time by which all the victims will have died. Cybercriminals can use the number to commit a broad spectrum of financial crimes. The criminals can use the number to apply for medical care, which can lead to inaccurate medical records. Another impact is the use of the personal identification number to commit tax fraud. This can bring significant stress as the victims negotiate with the IRS regarding tax fraud. In addition, attackers can interfere with the victim’s financial accounts and investments during instances of account takeovers. The situation forces the average consumer to actively track his financial details for decades (Smith & Mulrain, 2017). Overall, the cyberattack can have long-lasting impacts on the victim’s life, including the education of children, mortgage, and retirement. The affected individuals can spend significant resources and time disputing identity theft activities that have negatively impacted their credit files.
Impacts on Business
The event had detrimental impacts on Equifax in the form of reputational and legal consequences. Many individuals who were affected by the incident sued the organization for its negligence in cybersecurity. The parties that filed lawsuits against Equifax include consumers, credit unions, and the Securities and Exchange Commission (Kenny, 2018). According to Fruhlinger (2020), the company had incurred a cost of 1.4 billion dollars in cleaning up the harms, including its expenditure for improving the data security systems. The reputation of the company was tainted due to its ineffective handling of the incident. Moody’s rating firm reduced Equifax’s financial score in June 2019. In July 2019, Equifax spent over 1.38 billion dollars on compensating customer claims, as part of its resolution with the Federal Trade Commission. The company would pay 125 dollars to each party that suffered due to the cyberattack (Fruhlinger, 2020). Overall, the breach has significant negative impacts on the organization’s financial status.
Lessons Learned
Several lessons can be learned from Equifax’s management of the breach. First, the cyberattack revealed the importance of network segmentation for data-centric organizations. After the attackers accessed the web portal, they were able to retrieve data from other repositories because Equifax did not segment its network based on the relevant environments (HSGAC, 2019). Segmentation would have prevented the hackers from accessing other systems after intruding into one environment.
Second, data-centric organizations must continuously measure their security controls to understand any vulnerabilities and address them promptly. As discussed by the HSGAC (2019), before the breach, Equifax had conducted its audit in 2015. Although the results indicated some defects in the organization’s configuration and patch management, Equifax did not adopt any strategy to address them.
Lastly, organizations should implement written policies regarding known vulnerabilities and ensure that administrators strictly abide by them. Equifax did not have a written policy for monitoring its security certificates, and this extended the length of the breach period (HSGAC, 2019). As such, this strategy requires business firms to ensure that all their security certificates are up to date. The policy can help in ensuring that the organization meets the relevant certification standards.
In summary, Equifax’s negligence in resolving some known vulnerabilities in its data security contributed to and exacerbated the leakage. The IT team failed to remediate vulnerabilities promptly, including installing patches throughout the organization’s network. The case teaches the importance of segmenting networks and writing policies clearly so that staff can follow them.
References
Fruhlinger, J. (2020). Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact? CSO Online, International Data Group. Retrieved from https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html
Kenny, C. (2018). The Equifax data breach and the resulting legal recourse. Brook. J. Corp. Fin. & Com. L., 13, 215-238.
Smith, M., & Mulrain, G. (2017). Equi-Failure: The national security implications of the Equifax hack and a critical proposal for reform. Journal of National Security Law & Policy, 9, 549-588.
US Senate Committee on Homeland Security & Governmental Affairs, HSGAC. (2019). How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach. Hsgac.senate.gov. Retrieved from https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf
Wang, P., & Johnson, C. (2018). Cybersecurity incident handling: A case study of the Equifax data breach. Issues in Information Systems, 19(3), 150-159.