Chat with us, powered by LiveChat IstheEquifaxHacktheWorstEver-andWhy.pdf - STUDENT SOLUTION USA

Is the Equifax Hack the Worst Ever—and Why? Case Study

Equifax (along with TransUnion and Experian) is one of the three main U.S. credit bureaus, which

maintain vast repositories of personal and financial data used by lenders to determine creditworthiness

when consumers apply for a credit card, mortgage, or other loans. The company handles data on more

than 820 million consumers and more than 91 million businesses worldwide and manages a database

with employee information from approximately 11,000 employers, according to its website. These data

are provided by banks and other companies directly to Equifax and the other credit bureaus. Consumers

have little choice over how credit bureaus collect and store their personal and financial data.

Equifax has more data on you than just about anyone else. If any company needs airtight security for its

information systems, it should be credit reporting bureaus such as Equifax. Unfortunately this has not

been the case.

On September 7, 2017 Equifax reported that from mid-May through July 2017 hackers had gained access

to some of its systems and potentially the personal information of about 143 million U.S. consumers,

including Social Security numbers and driver’s license numbers. Credit card numbers for 209,000

consumers and personal information used in disputes for 182,000 people were also compromised.

Equifax reported the breach to law enforcement and also hired a cybersecurity firm to investigate. The

size of the breach, importance, and quantity of personal information compromised by this breach are

considered unprecedented.

Immediately after Equifax discovered the breach, three top executives, including Chief Financial Officer

John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange

Commission filings. A company spokesman claimed the three executives had no knowledge that an

intrusion had occurred at the time they sold their shares on August 1 and August 2. Bloomberg reported

that the share sales were not planned in advance. On October 4, 2017 Equifax CEO Richard Smith

testified before Congress and apologized for the breach.

The size of the Equifax data breach was second only to the Yahoo breach of 2013, which affected data of

all of Yahoo’s 3 billion customers. The Equifax breach was especially damaging because of the amount of

sensitive personal and financial data stored by Equifax that was stolen, and the role such data play in

securing consumers’ bank accounts, medical histories, and access to financing. In one swoop the hackers

gained access to several essential pieces of personal information that could help attackers commit

fraud. According to Avivah Litan, a fraud analyst at Gartner Inc., on a scale of risk to consumers of 1 to

10, this is a 10.

After taking Equifax public in 2005, CEO Smith transformed the company from a slow-growing credit-

reporting company (1–2 percent organic growth per year) into a global data powerhouse. Equifax

bought companies with databases housing information about consumers’ employment histories,

savings, and salaries, and expanded internationally. The company bought and sold pieces of data that

enabled lenders, landlords, and insurance companies to make decisions about granting credit, hiring job

seekers, and renting an apartment. Equifax was transformed into a lucrative business housing $12

trillion of consumer wealth data. In 2016, the company generated $3.1 billion in revenue.

Competitors privately observed that Equifax did not upgrade its technological capabilities to keep pace

with its aggressive growth. Equifax appeared to be more focused on growing data it could

commercialize.

Hackers gained access to Equifax systems containing customer names, Social Security numbers, birth

dates, and addresses. These four pieces of data are generally required for individuals to apply for various

types of consumer credit, including credit cards and personal loans. Criminals who have access to such

data could use it to obtain approval for credit using other people’s names. Credit specialist and former

Equifax manager John Ulzheimer calls this is a “nightmare scenario” because all four critical pieces of

information for identity theft are in one place.

The hack involved a known vulnerability in Apache Struts, a type of open-source software Equifax and

other companies use to build websites. This software vulnerability had been publicly identified in March

2017, and a patch to fix it was released at that time. That means Equifax had the information to

eliminate this vulnerability two months before the breach occurred. It did nothing.

Weaknesses in Equifax security systems were evident well before the big hack. A hacker was able to

access credit-report data between April 2013 and January 2014. The company discovered that it

mistakenly exposed consumer data as a result of a “technical error” that occurred during a 2015

software change. Breaches in 2016 and 2017 compromised information on consumers’ W-2 forms that

were stored by Equifax units. Additionally, Equifax disclosed in February 2017 that a “technical issue”

compromised credit information of some consumers who used identity-theft protection services from

LifeLock.

Analyses earlier in 2017 performed by four companies that rank the security status of companies based

on publicly available information showed that Equifax was behind on basic maintenance of websites

that could have been involved in transmitting sensitive consumer information. Cyberrisk analysis firm

Cyence rated the danger of a data breach at Equifax during the next 12 months at 50 percent. It also

found the company performed poorly when compared with other financial-services companies. The

other analyses gave Equifax a higher overall ranking, but the company fared poorly in overall web-

services security, application security, and software patching.

A security analysis by Fair Isaac Corporation (FICO), a data analytics company focusing on credit scoring

services, found that by July 14 public-facing websites run by Equifax had expired certificates, errors in

the chain of certificates, or other web-security issues. Certificates are used to validate that a user’s

connection with a website is legitimate and secure.

The findings of the outside security analyses appear to conflict with public declarations by Equifax

executives that cybersecurity was a top priority. Senior executives had previously said cybersecurity was

one of the fastest-growing areas of expense for the company. Equifax executives touted Equifax’s focus

on security in an investor presentation that took place weeks after the company had discovered the

attack.

Equifax has not revealed specifics about the attack, but either its databases were not encrypted or

hackers were able to exploit an application vulnerability that provided access to data in an unencrypted

state. Experts think—and hope—that the hackers were unable to access all of Equifax’s encrypted

databases to match up information such as driver license or Social Security numbers needed to create a

complete data profile for identity theft.

Equifax management stated that although the hack potentially accessed data on approximately 143

million U.S. consumers, it had found no evidence of unauthorized activity in the company’s core credit

reporting databases. The hack triggered an uproar among consumers, financial organizations, privacy

advocates, and the press. Equifax lost one-third of its stock market value. Equifax CEO Smith resigned,

with the CSO (chief security officer) and CIO departing the company as well. Banks had to replace

approximately 209,000 credit cards that were stolen in the breach, a major expense. Lawsuits are in the

works.

Unfortunately the worst impact will be on consumers themselves, because the theft of uniquely

identifying personal information such as Social Security numbers, address history, debt history, and birth

dates could have a permanent effect. These pieces of critical personal data could be floating around the

Dark Web for exploitation and identity theft for many years. Such information would help hackers

answer the series of security questions that are often required to access financial accounts. According to

Pamela Dixon, executive director of the World Privacy Forum, “This is about as bad as it gets.” If you

have a credit report, there’s at least a 50 percent chance or more that your data were stolen in this

breach.

The data breach exposed Equifax to legal and financial challenges, although the regulatory environment

is likely to become more lenient under the current presidential administration. It already is too lenient.

Credit reporting bureaus such as Equifax are very lightly regulated. Given the scale of the data

compromised, the punishment for breaches is close to nonexistent. There is no federally sanctioned

insurance or audit system for data storage, the way the Federal Deposit Insurance Corporation provides

insurance for banks after losses. For many types of data, there are few licensing requirements for

housing personally identifiable information. In many cases, terms-of-service documents indemnify

companies against legal consequences for breaches.

Experts said it was highly unlikely that any regulatory body would shut Equifax down over this breach.

The company is considered too critical to the American financial system. The two regulators that do

have jurisdiction over Equifax, the Federal Trade Commission and the Consumer Financial Protection

Bureau, declined to comment on any potential punishments over the credit agency’s breach.

Even after one of the most serious data breaches in history, no one is really in a position to stop Equifax

from continuing to do business as usual. And the scope of the problem is much wider. Public policy has

no good way to heavily punish companies that fail to safeguard our data. The United States and other

countries have allowed the emergence of huge phenomenally detailed databases full of personal

information available to financial companies, technology companies, medical organizations, advertisers,

insurers, retailers, and the government.

Equifax has offered very weak remedies for consumers. People can go to the Equifax website to see if

their information has been compromised. The site asks customers to provide their last name and the

last six digits of their Social Security number. However, even if they do that, they do not necessarily

learn whether they were affected. Instead, the site provides an enrollment date for its protection

service. Equifax offered a free year of credit protection service to consumers enrolling before November

2017. Obviously, all of these measures won’t help much because stolen personal data will be available

to hackers on the Dark Web for years to come. Governments involved in state-sponsored cyberwarfare

are able to use the data to populate databases of detailed personal and medical information that can be

used for blackmail or future attacks. Ironically, the credit-protection service that Equifax is offering

requires subscribers to waive their legal rights to seek compensation from Equifax for their losses in

order to use the service, while Equifax goes unpunished. On March 1, 2018, Equifax announced that the

breach had compromised an additional 2.4 million more Americans’ names and driver’s license

numbers.

In late 2018, the U.S. House Committee on Oversight and Government Reform published a new report

on the Equifax breach. The report concluded that the incident was “entirely preventable” and occurred

because Equifax had failed to implement an adequate security program to protect its sensitive data. But

authorities have neither sanctioned Equifax nor addressed the deeper industry-wide flaws that the

incident exposed. Since the hack, Equifax has spent over $1 billion, including costs for litigation and

fines, and will have to pay a settlement of up to $700 million to resolve investigations and lawsuits

stemming from the data breach. The company continues to do business as usual.Harmful data breaches

keep happening. In almost all cases, even when the data concerns tens or hundreds of millions of

people, companies such as Equifax and Yahoo that were hacked continue to operate. There will be

hacks—and afterward, there will be more. Companies need to be even more diligent about

incorporating security into every aspect of their IT infrastructure and systems development activities.

According to Litan, to prevent data breaches such as Equifax’s, organizations need many layers of

security controls. They need to assume that prevention methods are going to fail.

error: Content is protected !!