Equifax Data Breach Incident

Posted: August 26th, 2021


Executive Summary

Equifax Inc. is an international technology, analytics, and data company that provides credit reports to other organizations. Equifax is headquartered in Atlanta, Georgia. On September 7, 2017, Equifax reported that hackers had stolen personal financial information from around one hundred and fifty million individuals, making it the most massive cybersecurity breach (Wang & Johnson, 2018). Hackers had access to consumers’ personal information such as home addresses, birthdates, phone numbers, full names, driver’s license numbers, and social security numbers (Zou, Mhaidli, McCall, & Schaub, 2018). Additionally, around 209,000 credit card numbers were breached. The unprecedented Equifax breach happened from mid-May through July 2017, but it was discovered on July 29, 2017. Equifax believed that cybercriminals accessed this personal information through a vulnerability in the website application platform. After the breach, predictions were that outrage from customers and regulators would drive changes to the credit-reporting firm (Safi, 2020). However, nothing of substance has happened since then. Equifax’s stock took an initial hit but has mostly recovered. Currently, Equifax is still receiving substantial United States contracts.

Table of Contents

Executive Summary

Equifax Background Information

Identity Theft and Consumer Data Breach

The 2017 Equifax Breach

Reasons for the Breach

Response and Criticisms

Short-Term Preventive Strategies

Proposed Long-Term Reforms and Recommendations

Ensure Consumers have Control of Their Credit Reports

Improve Breach Notification

Conclusion

References

Equifax Data Breach

Equifax Background Information

Equifax Inc. is one of the major credit bureaus, also known as credit reporting agencies (CRAs), in the United States of America (Fleishman, 2018). The task of CRAs is to create credit reports, which give a detailed summary of a person’s credit history. For instance, the reports include how individuals have kept up with credit card and loan payments. Credit reporting agencies never collect data from individuals but from organizations such as landlords, employers, banks, and credit card companies. When individuals apply for credit, the lender will get information from one of the credit reporting agencies, such as Equifax, to check their debt repayment history. Similarly, landlords and employers may demand a credit report to decide whether to rent or hire. Therefore, credit reports play an essential role in people’s lives.

Identity Theft and Consumer Data Breach

The data breach issues at Equifax had extended for a while, since the company had a poor cybersecurity history. In May 2016, hackers stole the salary and tax information of over 431,000 persons (Wang & Johnson, 2018). In October 2015, another credit reporting agency known as Experian was hacked. Approximately fifteen million records of T-Mobile clients, including identification numbers, birthdates, SSNs, home addresses, and names, were stolen. In March 2013, TransUnion, Experian, and Equifax exposed celebrities’ credit reports. In another example, the Office of Personnel Management data breach compromised personal information like biometric identifiers in 2015. Therefore, the frequency and scope of information breaches had increased over the years.

Identity theft is one of the main reasons why these companies are hacked. Furthermore, identity theft can derail an individual’s financial future. Cybercriminals who can access other people’s identifiable information can in turn obtain credit cards, open bank accounts, and take out loans with this information. In 2016, 225 instances of identity theft were reported in the United States (Wang & Johnson, 2018). Approximately 29% of the cases included the use of someone else’s personal information in committing a tax felony, while over 32% committed credit card fraud using the breached data.

The 2017 Equifax Breach

In March 2017, a vulnerability in the Apache Struts software running on Equifax’s online dispute platform was exposed by unidentified individuals (Fleishman, 2018). Thus, hackers managed to breach the Equifax database. The cybercriminals started to exploit the vulnerability and extract personal information from Equifax’s data systems. Equally, the hackers used different approaches to hide their IP addresses and other traces, such as unnoticed database queries in the Equifax systems. On July 29, 2017, the attackers abused the weakness in the Apache Struts web framework, which enabled them to execute commands on the affected Equifax network systems and database.

Equifax waited for about a month and a half to disclose the breach to the public. On September 7, 2017, Equifax claimed that the cybersecurity breach on their company was unprecedented and the largest in history. Cybercriminals exploited the online application portal and collected the credit card numbers, Social Security numbers, driver’s license numbers, home addresses, birth dates, and names of Equifax clients (Zou, Mhaidli, McCall, & Schaub, 2018). There is currently no proof of unauthorized activity on the main commercial or consumer credit reporting databases.

Therefore, according to Safi (2020), the existence of a single piece of outdated web server software can cause a breach, which in this case remained concealed until 76 days later. Hackers made over nine thousand unseen database queries. This was due to the presence of expired security certificates, which had by then failed to uphold network-data inspection across the Equifax systems. The outdated network-data inspection framework was the reason hackers breached over forty-eight databases that contained decoded credentials, which were used in accessing the internal Equifax databases. Thus, a lack of timely response in keeping the company’s database systems up to date resulted in increased cybersecurity threats.

Reasons for the Breach

The central consensus was that the Equifax information was breached to be sold on the Dark Web (Fleishman, 2018). The Dark Web contains many website portals with concealed Internet Protocol addresses. Moreover, the Dark Web is used most prominently as an illegal or underground black market. In this case, criminals are able to trade, sell, or buy personal data and credit card data, besides engaging in the distribution of child pornography.

The Equifax data breach started with an amateur hacker who knew the website vulnerability but could not extract enormous amounts of data (Zou, Mhaidli, McCall, & Schaub, 2018). Later, the security vulnerabilities were sold or shared with advanced illegal hackers with a potential connection to the Chinese or Russian governments. Equifax’s security policies and practices were unsatisfactory, and its frameworks were obsolete, with an unpatched Apache Struts server (Wang & Johnson, 2018). Thus, if essential safety efforts such as fixing the weak systems had been implemented, the breach of data in 2017 would have been avoided.

Response and Criticisms

A single Information Technology expert was blamed for not applying an essential patch for the website application portal. Nonetheless, Equifax identified several factors that had enabled hackers to breach and extract information from its systems. The four main factors are data governance, detection, segmentation, and absence of identification.

According to Safi (2020), the main reason Equifax was hacked was the inability to detect the unpatched Apache Struts servers. Likewise, Equifax could not identify the cybercriminals’ interaction with the server and the exfiltration of the information because of an outdated digital certificate. The digital certificate was responsible for scanning any software that would create malicious traffic. Additionally, the Equifax database server was not appropriately segmented; hence, this permitted hackers to access many other databases (Hooper, 2018). The lack of sufficient data governance, with regulations on how private information is stored, also contributed. Hence, cybercriminals recovered several passwords and usernames, gaining access to decrypted credentials that permitted them to run commands in the database.

Short-Term Preventive Strategies

The lack of limitations on the frequency of database queries allowed the hackers to perform around nine thousand commands, which is more than in standard operations (Zou, Mhaidli, McCall, & Schaub, 2018). Thus, there is a need for a comprehensive strategy capable of integrating secure approaches into the development and deployment of the systems. For example, using DevOps security might have recognized the Apache weakness before it was hacked. On the other hand, no available security techniques, strategies, or tools could have prevented the attack. No home security framework will keep a determined hacker out; thus, cybersecurity is a continuous fight with lawbreakers (Fleishman, 2018). If an organization with high cybersecurity levels and responsibility such as Equifax cannot keep personal information safe, then what expectation do less security-conscious organizations have? Even if a breach cannot be prevented, ideally its effect can be minimized. Hence, some of the short-term security measures that should be implemented by the company include:

At Equifax, system-level remediation approaches should be applied to address the factors and concerns behind the data breach (Whittaker, 2018), for instance, to identify vulnerable servers, address concerns, and work towards building a secure environment. Therefore, Equifax has to strategically implement advanced management protocols to identify and patch software vulnerabilities.

Moreover, Equifax should ensure that malicious activities will be detected early to slow the attack down. Authorities at Equifax claim to have developed new strategies to protect applications and data; thus, they implemented new instruments for continual checking of system traffic. Further, to improve segmentation between company devices that never or rarely communicate, Equifax has executed extra controls to monitor communication at the outer limit of the organization’s systems and included limitations on traffic between internal servers (Whittaker, 2018). Finally, Equifax has to implement new security control structures for accessing specific networks and applications. This will address the current data governance problem.

Additionally, Equifax should implement an endpoint security measure to identify misconfigurations, assess possible signs of compromise, and send automated notifications to the company database administrators (Whittaker, 2018). Further, Equifax has to implement an advanced governance structure that consistently communicates the risk responsiveness to senior management and the board of directors. Therefore, the strategy requires the Chief Information Security Officer to report directly to the Chief Executive Officer.
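As an added illustration of the query-frequency limit and early detection discussed in this section (not part of the original essay and not Equifax’s tooling), the following sketch scans a database audit log and raises one alert per burst when an account exceeds a query budget inside a sliding window. The log format, account names, window, and limit are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO timestamp> <db account> <query text>".
SAMPLE_AUDIT_LOG = [
    "2024-01-01T09:00:00 app_reports SELECT status FROM disputes WHERE id = 17",
    "2024-01-01T09:04:00 app_reports SELECT status FROM disputes WHERE id = 18",
    "2024-01-01T09:10:00 svc_portal SELECT * FROM table_a",
    "2024-01-01T09:10:20 svc_portal SELECT * FROM table_b",
    "2024-01-01T09:10:40 svc_portal SELECT * FROM table_c",
    "2024-01-01T09:11:00 svc_portal SELECT * FROM table_d",
    "2024-01-01T09:11:20 svc_portal SELECT * FROM table_e",
    "truncated-line",
    "2024-01-01T09:30:00 svc_portal SELECT 1",
]

def find_query_bursts(lines, window=timedelta(minutes=5), limit=3):
    """Return one alert per burst: (account, time the limit was exceeded, count)."""
    recent = defaultdict(deque)  # account -> query timestamps still inside the window
    alerting = set()             # accounts already reported for the current burst
    alerts = []
    for line in lines:           # lines are assumed to be in chronological order
        try:
            stamp, account, _query = line.split(" ", 2)
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue             # malformed line: skip it instead of aborting the scan
        seen = recent[account]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()       # drop queries that have aged out of the window
        if len(seen) > limit:
            if account not in alerting:
                alerting.add(account)
                alerts.append((account, when, len(seen)))
        else:
            alerting.discard(account)  # back under the limit: re-arm the alert
    return alerts

if __name__ == "__main__":
    for account, when, count in find_query_bursts(SAMPLE_AUDIT_LOG):
        print(f"ALERT {account}: {count} queries within the window at {when.isoformat()}")
```

In practice the limit would be derived from each account’s normal baseline, and the alert would feed the automated notifications to database administrators described above.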

Proposed Long-Term Reforms and Recommendations

After the Equifax breach, reforms must be considered that address not only the mishandling and secret profiling of personal data but also all the credit reporting agencies (Hedley & Jacobs, 2017). The time has come to change the defaults and let people control their personal information and credit reports. In the short term, Americans must have easy and free access to their credit information and decide how and when to disclose it. Equifax should establish viable protections such as requirements for prompt disclosure of any data breach. The United States government must not only end the use of the SSN as an identifier but also endorse the use of innovation to reduce the collection of personal information. Hence, some of the recommendations include:

Ensure Consumers have Control of Their Credit Reports

Credit Reporting Agencies should offer free credit thaws and freezes, which would change the default for disclosure of reports to third parties, rather than the current measures that permit anybody to pull somebody’s credit report (Zou, Mhaidli, McCall, & Schaub, 2018). Therefore, CRAs should establish a credit freeze for all disclosure, with easy and free access for individuals.

Also, Credit Reporting Agencies ought to provide easy access to, and free monitoring of, credit history. Currently, American laws permit individuals to access free credit reports. However, the procedure is cumbersome, and some people take advantage (Hedley & Jacobs, 2017). Thus, Equifax must ensure a streamlined market that guarantees people equal access and as much information as possible.

The United States of America’s government should require mandatory disclosure of the algorithms and secret scores used by CRAs. Algorithmic transparency is critical to accountability. The lack of guidelines calls for the disclosure of these secret scores, records, and the underlying information and calculations on which they are based.

Improve Breach Notification

The United States of America’s government should set a national benchmark for giving data breach notifications (Hedley & Jacobs, 2017). These approaches aim to limit the damage of any breach. Equally, the government standard must ensure adequate and immediate notification of affected regulators and individual users. Organizations are increasingly communicating with breach victims through automated emails and texts and on social media within a few hours after the breach. For instance, Hooper (2018) suggests that the federal government should mandate reasonable information security measures. Hence, prompt breach notifications are essential to deal with data breach issues.

Consequently, individuals affected by the breach of information must be given higher priority and private rights of action. Equifax requires users to consent to contracts with arbitration clauses that stop these individuals from suing the company. Therefore, CRAs must be precluded from using these arbitration agreements to prevent people from acting against improper disclosure, data breach, and misuse of their information.

Under the Gramm-Leach-Bliley Act, the current information security requirements must be extended to CRAs (Hooper, 2018). The Act provides for oversight of financial firms’ privacy and security activities by seven regulatory institutions. CRAs hold more sensitive personal information than many of the other financial institutions combined, and it looks bad for those organizations to be exempt from the regulations.

Conclusion

The best strategy for the United States of America is to implement an approach to competition law that includes specific data protection measures. This integrated strategy would help influential competition agencies, complement the existing regulations, and advance data protection laws. Furthermore, it would provide essential protection to companies and consumers in the case of a data breach. If implemented strategically, it could reduce the risks of breaches. The integrated approach is ideal because it generally takes minimal effort to implement while offering significant gains to all stakeholders: the government, the business community, and consumers.

References

Fleishman, G. (2018, September 7). Equifax data breach, one year later: Obvious errors and no real changes, a new report says. Fortune. https://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/

Hedley, D., & Jacobs, M. (2017). The shape of things to come: The Equifax breach, the GDPR, and open-source security. Computer Fraud & Security, 2017(11), 5-7. https://doi.org/10.1016/s1361-3723(17)30080-5

Hooper, L. (2018). More states, federal actions are taken to reverse ACA’s market reforms. OT Practice. https://doi.org/10.7138/otp.2018.2308.cb

Safi, R. (2020). The Equifax Data Breach: A Corporate Social Responsibility Perspective and Insights from Tweets for Cybersecurity Incident Management.

Wang, P., & Johnson, C. (2018). CYBERSECURITY INCIDENT HANDLING: A CASE STUDY OF THE EQUIFAX DATA BREACH. Issues in Information Systems, 19(3).

Whittaker, Z. (2018, December 10). Equifax breach was ‘entirely preventable’ had it used necessary security measures, says House report. TechCrunch. https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/

Zou, Y., Mhaidli, A. H., McCall, A., & Schaub, F. (2018). “I have Got Nothing to Lose”: Consumers’ Risk Perceptions and Protective Actions after the Equifax Data Breach. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018) (pp. 197-216).
