The Equifax Data Breach

Equifax Company is a consumer credit agency and was founded in 1899 in Atlanta, Georgia. Equifax dealt with credit monitoring and fraud prevention services. In September 2017, Equifax announced they have a cyber-security breach, and consumer’s data was taken by cybercriminals. The financial industry has in recent times increased the use of digital data and cloud computing to store consumers and business information. Data Breach involved any person who viewed personal information without authorization or found sensitive information that was not disposed of well. The use of digital data only increased the public awareness of data breach as more incident of a data breach was exposed. According to Cowley (2017), Equifax blames their open source server framework, Apache struts for the breach of information. Many of the consumers say that the software is not to blame, but that Equifax owns data breach detector was useless and did not protect their data.

The Impact of the Breach

The software may have been to blame for the breach, but also the administrators were responsible in checking whether the system was vulnerable to any attack. Earlier in the year, the company had reported a violation, and it did not do anything to update its system or try to prevent the breach. Equifax was also blamed on how they handled the situation as they did not disclose the breach until a month later. The breach occurred in July, but the information of the breach was released in September. The breach affected more than 143 million people as their personal information such as social security number, driving licenses number and addresses were exposed.

Methodology

The hackers were well aware of the Equifax systems vulnerabilities and were quick to exploit them. The criminals mainly leverage the perceived areas of vulnerabilities within the security system of the company in committing such a financial fraud of insurmountable impact. For instance, in the case scenario, the attackers mainly exploited the system application weaknesses on its CVE-2017-5638, Apache Struts. Equifax identified a defect in an open-source software package called Apache Struts as the technological crack that allowed hackers to heist Social Security numbers, birthdates, addresses and full legal names from a massive database maintained primarily for lenders. The hackers took a considerable period before gaining sufficient insights to commit the fraud (Cowley, 2017).

Data Leaked From the Breach

Equifax, Inc., on September 7, 2017, announced private company data, which also included upwards of 143 million social security numbers, was illegally accessed by hackers and that the data had potentially been made publicly available (Hoiberg, 2017). The Equifax data breach is unique to other data breaches mainly due to the nature and the form of data collection employed by the company. The vast majority of individuals who had their data exposed had never formally consented to a relationship with Equifax or even heard of the company before the cyber-attack that would forever change their lives. Equifax collects data from millions of Americans without the persons knowing that their data is collected and shared. The collected information is reported to various banks and financial institutions (Hoiberg, 2017). The files that the hackers obtained and accessed contained a vast amount of personal information of millions of Americans. The data is speculated to include several intimate details including names, social security numbers, and birthdates. However, it is also possible that the accessed information consists of a lot more data than the company announced mainly because of the data collected usually centers on financial dealings. Therefore, it is also possible that other sensitive information like credit card numbers and account numbers are possible in the hands of criminals.

Potential Risks to American Citizens

Business activities optimization is conducted to ensure that the businesses’ profits are maximized. Thus, fraud is also considered a risk like any other business risk and needs to be managed and mitigated. Companies can invest in counteractive measures, or invest in insurance. However, in the world of cyber security, there is yet to mushroom institutions that insure against data breaches. Equifax Inc. response to the data breach episode has already come in for condemnation, which has led to potentially expensive lawsuits and a possible congressional examination (“Nearly half of US citizens hit by massive Equifax breach,” 2017). The people who had their personal data leaked are now more likely to be exposed to episodes of fraud. ”Credit card companies are notorious for the poor security of their payment methods: particularly in the US, transactions normally do not require the customer to enter a PIN-code, and in-person transactions typically require no identification; sometimes not even a signature” (Lohstroh, 2018, p 3). Thus the data acquired can be used to accent fraudulent purchases that may lead to severe financial loses on the front of the individual. Also, leaked are Identification, Military, and Passport numbers as well as their expiry dates. Therefore, the leaked data can be used to monitor the movement and activities of an individual unlawfully.

Corporate Implications

Equifax was affected by the breach as the next day when the offence was announced publicly its share price dropped by 13%. The U.S justice department opened an investigation and learned that three executives had sold their shares on the day they discovered the breach. Equifax starts receiving lawsuits from consumers and businesses, and this affected its rapport with the business community. Majority of the business community that shared information with Equifax were left vulnerable. Consumers were also worried about what other information might have been stolen, and the company was not coming forward with that information.

Lessons Learned

The Equifax data storage and operations configuration were weak and flawed. Therefore, the hackers encountered a brittle and straightforward defense system that was ultimately unable to mitigate and prevent the data leakage of sensitive American Citizens’ data. The data breach was potentially possible because Equifax adopted potentially weak cybersecurity defense mechanisms that were ultimately unable to ensure the total safety of sensitive data (Office of Senator Elizabeth Warren, 2018). Equifax top executives also played a part through their ignorance. Equifax was initially notified and warned about the exposure to infiltration caused by the web application software Apache Struts, which was then used by the hackers to breach its system. The company’s management emailed the responsible department’s staff members to fix the problem but then failed to follow up and confirm that the fixes were made (Office of Senator Elizabeth Warren, 2018). Equifax also ignored various expert calls and warning on the risks that are associated with sensitive data. Thus, the company underinvested in cyber defense mechanisms which ultimately led to the most significant data breach in the history of cybersecurity.

References

Cowley, S. (2017). 2.5 Million More People Potentially Exposed in Equifax Breach. New York: New York Times.

Hoiberg, A. (2017). The Aftermath of the Equifax Hack and its Implications [Ebook] (1st ed., pp. 1-7). Retrieved from http://www.cs.tufts.edu/comp/116/archive/fall2017/ahoiberg.pdf

Lohstroh, M. (2018). Why the Equifax Breach Should Not Have Mattered [Ebook] (pp. 1-6). Retrieved from https://arxiv.org/pdf/1801.00129.pdf

Nearly half of US citizens hit by massive Equifax breach. (2017). Computer Fraud & Security, 2017(9), 1-3. doi: 10.1016/s1361-3723(17)30094-5

Office of Senator Elizabeth Warren. (2018). Bad Credit: Prepared by the Office of Senator Elizabeth Warren February 2018 UNCOVERING EQUIFAX’S FAILURE TO PROTECT AMERICANS’ PERSONAL INFORMATION [Ebook] (pp. 1-18). Retrieved from https://www.warren.senate.gov/files/documents/2018_2_7_%20Equifax_Report.pdf

O’Brien, A. S. (2017). Giant Equifax data breach: 143 million people could be affected. New York: CNN Tech.