
Overview of the Equifax Data Breach

3439 words (14 pages) Essay in Information Technology

08/02/20 Information Technology

Disclaimer: This work has been submitted by a student. This is not an example of the work produced by our Essay Writing Service.

Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UK Essays.

CHAPTER 1 Part One Assignment

Introduction

Equifax is a worldwide data, analytics, and technology company that provides credit reporting to other institutions. Its headquarters are located in Atlanta, Georgia. The CEO is Mark Begor and the Chief Information Security Officer is Jamil Farshchi (Equifax, 2019a).

On September 7, 2019, Equifax announced that hackers stole personal financial data from approximately 150 million people. This cybersecurity incident is one of the largest in history. According to Harmer (2017), thieves had access to personal data such as Social Security numbers, full names, birthdates and addresses for 150 million Equifax customers throughout the United States (Ng & Musil, 2017). The illegal data access occurred from mid-May through July 2017. The cybersecurity breach was discovered on July 29, 2017, but hackers had full access to the personal data from mid-May until the end of July 2017. The company indicated that cybercriminals gained access to files via a website application vulnerability (Harmer, 2017).

Equifax history and background

Equifax Inc. is a credit reporting company founded in Atlanta, GA, in 1899 and is presently one of the three leading credit-reporting companies. By the 1920s, Equifax had expanded and had offices throughout the United States and Canada. By the 1960s, Equifax was one of the country’s major credit bureaus, whose responsibilities are to determine credit-worthiness and to provide information on income and of millions of American and Canadian citizens (Equifax, 2019a). Equifax collected and analyzed data for more than 820 million consumers and over 91 million businesses around the world. The current CEO of Equifax is Mark Begor, who has been serving as the chief executive officer since April 16, 2018; Begor took over for Richard Smith, who retired after the massive data breach in 2017. Smith served as the chairman and CEO from 2005 to 2017.

Equifax became very successful under Smith’s reign, and he transformed Equifax into one of the most successful data collection and data analysis services companies, with a net worth of $14.9 billion as of May 03, 2019 (Macrotrends, 2019). However, Smith understood the importance of the sensitive data his company was collecting and the potential risk of breaches if hackers were not controlled. Smith invested millions into cybersecurity to mitigate the potential loss of data to hackers. However, Equifax started facing data security issues after his CSO resigned and several other top cybersecurity employees left Equifax in 2013.

One of the major security breaches occurred in the company in 2017. In a brazen cyberattack, somebody stole sensitive personal information from more than 150 million people, nearly half the population of the U.S. The information included Social Security numbers, driver’s license numbers, information from credit disputes and other personal details (Ng & Musil, 2017).

Summary

Equifax, a global credit-reporting agency, was breached in 2017, and hackers stole personal financial data from approximately 150 million people. This cybersecurity incident is one of the largest in history. According to Harmer (2017), thieves had access to personal data such as Social Security numbers, full names, birthdates and addresses for 150 million Equifax customers throughout the United States (Ng & Musil, 2017).

This case study focuses on the what, why, who and how of the breach, suggests possible prevention, and covers Equifax’s response to the cybersecurity breach. It summarizes the mistakes made, which mostly relate to a failure to use recognized security practices and a lack of internal controls and regular security reviews.

What went wrong?

According to the U.S. Government Accountability Office, Equifax reported that in March 2017 unidentified individuals exposed a vulnerability in Apache Struts running on Equifax’s online dispute portal website, and the hackers were able to obtain access to the Equifax data system (GAO, 2018). In May of 2017, the attackers began exploiting the vulnerability and started to extract data containing private information from Equifax’s information systems. According to Equifax, the attackers used several techniques to hide their exploitation of the Equifax systems and the database queries they conducted. On July 29, 2017, the hackers exploited the vulnerability in the Apache Struts Web Framework, giving them the capacity to execute commands on all of Equifax’s affected database and network systems (GAO, 2018).

From mid-May through July 29, 2017, hackers had unlawful access to Equifax credit-report databases, in which they had access to the personally identifiable information of over 150 million people in the U.S. and Canada. However, Equifax waited a total of six weeks to disclose the breach to the public on September 7, 2017, and stated that the cybersecurity breach was one of the largest in history. According to Berghel (2017), hackers exploited a web site application vulnerability, and the hackers retrieved the names, birth dates, addresses, Social Security numbers, driver’s license, and credit card numbers from Equifax customers (Harmer, 2017). As of today, there is currently no evidence of unauthorized activity on core consumer or commercial credit reporting databases (Symanovich, 2018).

Summary

The GAO 2017 report confirms that a single web server with outdated software led to the breach, which went undetected for 76 days. Hackers made more than 9,000 database queries that went unseen because of an expired security certificate, a failure to keep a network-data inspection system up to date (Whittaker, 2019; GAO, 2018). The network-data inspection system had not worked for over ten months before staff noticed. Moreover, the hackers had access to over 48 databases that contained unencrypted credentials, which they used to access other internal databases (Krebs, 2019; Whittaker, 2019; GAO, 2018).

Why did it occur?

Hackers exploited a web site application vulnerability and stole the names, Social Security numbers, birth dates, addresses, and credit card numbers from Equifax customers (Berghel, 2017). As of today, there is currently no evidence of unauthorized activity on core consumer or commercial credit reporting databases (Symanovich, 2018).

The main consensus was that the Equifax data was stolen to be sold on the Dark Web, according to Fleishman (2018). The Dark Web consists of many thousands of websites whose IP addresses are concealed, and it is used most conspicuously as an underground black market that allows criminals to buy, sell and trade credit card data, personal information, and child pornography (Fleishman, 2018).

According to Fazzini (2019), the most plausible theory is that the breach started with a low-level hacker who may have found the vulnerability but was not knowledgeable enough to extract a large amount of data. This hacker most likely shared or sold information about the security vulnerability to more accomplished hackers whose affiliation was probably with the Russian or Chinese government (Fazzini, 2019).

Summary

A House Oversight Committee concluded that Equifax’s security practices and policies were unsatisfactory and that its systems were out of date, with an unpatched Apache Struts server that was over five years old. The committee found that simple, necessary security measures, such as patching the vulnerable systems, would have prevented the massive data breach in 2017. Fortunately, there is no evidence of unauthorized activity on consumer or commercial credit reporting databases, and there has not been any attempt to sell the data on the Dark Web (Symanovich, 2018; Fleishman, 2018).

Who was responsible?

According to the CEO, Richard Smith, speaking at a House Energy and Commerce Committee, a single IT technician was at fault because they did not apply a required patch to the vulnerable web application software (Krebs, 2019). However, according to Krebs (2019), Equifax identified several factors that had facilitated the hackers’ access to its network and the extraction of information from its databases. These four main factors are a lack of (a) identification, (b) detection, (c) segmentation, and (d) data governance (Fazzini, 2019; GAO, 2018).

The most obvious reason that the breach happened was that Equifax was unable to identify the unpatched Apache Struts server where the breach occurred. The second reason was that Equifax could not detect the hackers’ connections to the server or the exfiltration of the data, because of an expired digital certificate on network scanning software whose sole purpose was to detect malicious traffic (GAO, 2018; Berghel, 2017). Moreover, the hacked database server lacked proper segmentation, which allowed hackers to easily access other databases within the Equifax network (Fazzini, 2019). The last contributing factor was the lack of adequate data governance, with rules on the storing of private data. The hackers retrieved many usernames and passwords from unencrypted credentials, which allowed the intruders to run queries on more databases (GAO, 2018; Berghel, 2017).

Summary

While the former CEO tried to blame the entire breach on a single IT technician, the analysis of the data shows that a combination of several factors contributed to the worst breach in modern history. The committee found that simple, necessary security measures, such as patching the vulnerable systems, would have prevented the massive data breach in 2017.

How to prevent such a breach from occurring in the future?

Specifically, the lack of restrictions on the frequency of database queries allowed the attackers to execute approximately 9,000 such queries—many more than would be needed for normal operations.
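One way to detect the kind of query volume described above is a per-account sliding-window count over database audit records. The following is an added example, not part of the original essay or any Equifax system; the log format, account names, host name and thresholds are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed observation window
DEFAULT_LIMIT = 20              # assumed ceiling of queries per window per account
LIMITS = {}                     # hypothetical per-account overrides


def parse_line(line):
    """Parse 'ISO-timestamp account source_host statement' (assumed format)."""
    ts, account, host, statement = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, host, statement


def detect_query_bursts(lines, window=WINDOW, limits=LIMITS, default=DEFAULT_LIMIT):
    """Return one alert per burst in which an account exceeds its query limit."""
    recent = defaultdict(deque)  # account -> timestamps still inside the window
    alerting = set()             # accounts already reported for the current burst
    alerts = []
    for line in lines:
        ts, account, host, _ = parse_line(line)
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > limits.get(account, default):
            if account not in alerting:   # report once, not on every later query
                alerting.add(account)
                alerts.append({"account": account, "host": host,
                               "triggered": ts, "count": len(q)})
        else:
            alerting.discard(account)     # burst over; allow a future alert
    return alerts


def build_sample_log():
    """Constructed audit log: steady portal traffic plus one burst."""
    start = datetime(2024, 1, 1, 2, 0, 0)
    lines = []
    # Normal operation: one query every 30 seconds for an hour.
    for i in range(120):
        t = start + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} svc_portal web01 SELECT status FROM disputes WHERE id = ?")
    # Burst: a second account issues 90 queries two seconds apart.
    for i in range(90):
        t = start + timedelta(minutes=20, seconds=2 * i)
        lines.append(f"{t.isoformat()} svc_batch web01 SELECT * FROM t LIMIT 1000 OFFSET {i * 1000}")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


if __name__ == "__main__":
    for alert in detect_query_bursts(build_sample_log()):
        print(alert)
```

In practice the limit for each account would be set from its observed normal query volume, so that an account issuing far more queries than its routine work requires is reported or throttled.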

Possibly, a more comprehensive approach to integrating secure practices into its application development and deployment, such as using Security DevOps, may have identified the Apache vulnerability before it was exploited.

Alternatively, nothing will work. Possibly no security tools or strategies that are even available at this point could have prevented the breach. No home security system is going to keep a determined burglar out; cybersecurity is an ongoing battle with criminals, and there is no magic security bullet for organizations.

If an organization with the level of cybersecurity responsibility that Equifax must uphold cannot keep data safe, then what hope do less security-conscious organizations have? Even if a breach cannot be prevented, the overall impact can hopefully be minimized with ways to slow the attack down.

Summary

Explicitly, Equifax officials stated that system-level remediation measures were implemented to address the factors that led to the breach. For example, to work toward addressing concerns about identifying vulnerable servers, Equifax reportedly is implementing a new management process to identify and patch software vulnerabilities and confirm that vulnerabilities have been addressed. Also, to help ensure that detection of malicious activity is not hindered in the future, Equifax officials said they had developed new policies to protect data and applications and implemented new tools for continuous monitoring of network traffic. Further, to improve segmentation between devices that do not need to communicate, Equifax officials stated that they have implemented additional controls to monitor communications at the outer boundary of the company’s networks and added restrictions on traffic between internal servers. Finally, to help address data governance issues, the officials said they were implementing a new security controls framework and tighter controls for accessing specific systems, applications, and networks.

In addition to these measures, Equifax stated that they implemented a new endpoint security tool to detect misconfigurations, evaluate potential indications of compromise, and automatically notify system administrators of identified vulnerabilities. Further, Equifax officials reported that the company had implemented a new governance structure to regularly communicate risk awareness to Equifax’s board of directors and senior management. The new structure requires the company’s Chief Information Security Officer to report directly to the Chief Executive Officer. Officials said this should allow for greater visibility of cybersecurity risks at top management levels.

Conclusion

Predictions following the breach were that regulators and consumer outrage would force significant changes to the credit-reporting industry. Instead, almost nothing of substance has occurred since the unprecedented breach. Equifax’s stock took an initial hit, but it has mostly recovered. It continued to receive substantial government contracts.

Consumer Union, publishers of Consumer Reports, noted in an editorial on its site today, “Americans remain largely in the dark about the practices of the credit reporting industry—and, more generally, largely unable to control the use of their personal information. Equifax itself has suffered minimal consequences and continues to do business more or less as before.”

In conclusion, the best course of action for the EU is to implement an approach to competition law which incorporates certain data protection concepts. This integrated approach would serve as a complement to the already existing and robust bodies of competition and data protection law in the EU, and would provide another layer of protection for both consumers and companies. If implemented correctly it could lessen the risk of harm of data breach events to consumers, and lessen the risk of penalties faced by large companies controlling large amounts of vulnerable consumer data. The integrated approach is optimal because of its relatively low cost to implement while offering significant gains to all interested parties: the consumers, the business community, and the government. The main point of contact between businesses and the government where this approach can be put to use is during the process of merger review. Additionally, the courts would have the option of reviewing and taking into consideration the data protection policies of companies subject to review as a result of anticompetitive challenges, as was the case with Asnef-Equifax. (Altmayer, 2018)

CHAPTER 2 Part Two Assignment

Introduction

Complete the Big Machine Learning module in Linux Academy, including the Exercise, Quiz, and then complete the Practice Exam for Google Cloud. Take screenshots to verify completion and scores.

Google Cloud Big Table

This is a test.

Assignment Requirements

Option #1: Cloud Breach of U.S. Company/Google Cloud (Linux Academy)

Part 1: Identify a significant cloud breach of a U.S. company. Produce an 8-10 page critical evaluation of your chosen breach, review and analyze the breach along the following dimensions: a. what went wrong? b. Why did it occur? c. Who was responsible? d. How could it have been prevented? What could be done to stop such an event from happening in the future?

Part 2: Complete the Big Machine Learning module in Linux Academy, including the Exercise, Quiz, and then complete the Practice Exam for Google Cloud. Take screenshots to verify completion and scores.

Compile Part 1 and Part 2 into a single Word document and submit by the posted due date. Review the rubric below for specific grading criteria.

Assignment Rubric

Requirements

30.0 to >24.0 pts The project includes all of the required components, as specified in the assignment.

30.0 pts

Content

30.0 to >24.0 pts Demonstrates strong or adequate knowledge of cloud management and breaches; correctly represents knowledge from the readings and sources.

30.0 pts

Evaluation of Cloud Breach

40.0 to >32.0 pts Shows reliable or acceptable combination and evaluation of the selected cloud breach, including what went wrong, why the breach occurred, and who was responsible.

40.0 pts

Preventative Problem Solving

40.0 to >32.0 pts Demonstrates secure or adequate thought and insight in problem-solving regarding preemptive measures that could have been applied to prevent the cloud breach and advice from preventing a similar reoccurrence.

40.0 pts

Sources

15.0 to >12.0 pts Must provide a minimum of five scholarly citations.

15.0 pts

Application of Source Material

15.0 to >12.0 pts Sources well or sufficiently are chosen to deliver substance and perspectives on the issue; information from the course linked correctly to the source material.

15.0 pts

Linux Academy Exercises and Quizzes

60.0 to >48.0 pts Includes screenshots indicating successful completion of all of the required exercises, quizzes, and exams as specified in the assignment

60.0 pts

Organization

20.0 to >16.0 pts The project is organized, well composed, and in proper essay arrangement including an introduction, body, and conclusion. Conforms to project requirements.

20.0 pts

Grammar and Style

20.0 to >16.0 pts Having a sturdy sentence and paragraph structure. Slight errors in grammar and spelling; appropriate writing style; clear and concise with no unsupported comments.

20.0 pts

Demonstrates proper use of APA style

30.0 to >24.0 pts The project checks proper APA formatting, according to the CSU-Global Guide to Writing and APA, with no more than one significant error.

30.0 pts

References

  • Altmayer, O. (2018). The tipping point – reevaluating the Asnef-Equifax separation of competition of data privacy law in the wake of the 2017 Equifax data breach. Northwestern Journal of International Law & Business, 39(1), 37–58.
  • Berghel, H. (2017). Equifax and the Latest Round of Identity Theft Roulette. Computer, 50(12), 72–76.
  • Demarco, E., & Mason, B. (2017). The Equifax data breach and its consequences. The RMA Journal, 100(3), 80.
  • Equifax. (2019b). Corporate Leadership. Retrieved from http://www.equifax.com/about-equifax/corporate-leadership/
  • Equifax (2019a). About us. Retrieved from http://www.equifax.com/about-equifax
  • Fazzini, K. (2019, February 13). The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme. Retrieved from http://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html
  • Fleishman, G. (2018, September 8). Equifax data breach, one year later: Obvious errors and no real changes, new report says. Retrieved from http://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/
  • GAO. (2018). Actions are taken by Equifax and federal agencies in response to the 2017 breach. United States Government Accountability Office, 1-35. Retrieved from https://www.gao.gov/assets/700/694158.pdf
  • Gressin, S. (2017, September 8). The Equifax data breach: What to do. Retrieved from http://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
  • Harmer, B. (2017). In Equifax data breach, three hard lessons in risk. Computerworld Hong Kong. Retrieved from https://csuglobal.idm.oclc.org/login?url=https://search-proquest-com.csuglobal.idm.oclc.org/docview/1946725340?accountid=38569
  • Hennig, N. (2018). Security. Library Technology Reports, 54(3), 8. Retrieved from https://csuglobal.idm.oclc.org/login?url=https://search-proquest-com.csuglobal.idm.oclc.org/docview/2020766618?accountid=38569
  • Krebs, B. (2019, December 18). A Chief Security Concern for Executive Teams. Retrieved from https://krebsonsecurity.com/tag/equifax-breach/
  • Moore, T. (2017). On the harms arising from the Equifax data breach of 2017. International Journal of Critical Infrastructure Protection, 19, 47–48.
  • Ng, A., & Musil, S. (2017, September 7). Equifax data breach may affect nearly half the US population. Retrieved from http://www.cnet.com/news/equifax-data-leak-hits-nearly-half-of-the-us-population/
  • Primoff, W., & Kess, S. (2017). The Equifax Data Breach: What CPAs and Firms Need to Know Now? The CPA Journal, 87(12), 14–17.
  • Symanovich, S. (2018). Equifax data breach affects millions of consumers. Here’s what to do. Retrieved from https://www.lifelock.com/learn-data-breaches-equifax-data-breach-2017.html
  • Whittaker, Z. (2019, February 1). Equifax breach was ‘entirely preventable’ had it used basic security measures, says House report. Retrieved from http://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/

Appendix


 
