Case study chapter 8; HEADING: Is the Equifax hack the worst ever and why
QUESTIONS:
8-13: Identify and describe the security and control weaknesses discussed in this case.
8-14: What management, organization, and technology factors contributed to these problems?
8-15: Discuss the impact of the Equifax hack.
8-16: How can future data breaches like this one be prevented?
THE READING IS IN THE PHOTOS BELOW
Equifax (along with TransUnion and Experian) is one of the three main U.S. credit bureaus, which maintain vast repositories of personal and financial data used by lenders to determine credit-worthiness when consumers apply for a credit card, mortgage, or other loans. The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website. These data are provided by banks and other companies directly to Equifax and the other credit bureaus. Consumers have little choice over how credit bureaus collect and store their personal and financial data.

Equifax has more data on you than just about anyone else. If any company needs airtight security for its information systems, it should be credit reporting bureaus such as Equifax. Unfortunately this has not been the case.

On September 7, 2017 Equifax reported that from mid-May through July 2017 hackers had gained access to some of its systems and potentially the personal information of about 143 million U.S. consumers, including Social Security numbers and driver's license numbers. Credit card numbers for 209,000 consumers and personal information used in disputes for 182,000 people were also compromised. Equifax reported the breach to law enforcement and also hired a cybersecurity firm to investigate. The size of the breach, importance, and quantity of personal information compromised by this breach are considered unprecedented.

Immediately after Equifax discovered the breach, three top executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman claimed the three executives had no knowledge that an intrusion had occurred at the time they sold their shares on August 1 and August 2. Bloomberg reported that the share sales were not planned in advance. On October 4, 2017 Equifax CEO Richard Smith testified before Congress and apologized for the breach.

The size of the Equifax data breach was second only to the Yahoo breach of 2013, which affected data of all of Yahoo's 3 billion customers. The Equifax breach was especially damaging because of the amount of sensitive personal and financial data stored by Equifax that was stolen, and the role such data play in securing consumers' bank accounts, medical histories, and access to financing. In one swoop the hackers gained access to several essential pieces of personal information that could help attackers commit fraud. According to Avivah Litan, a fraud analyst at Gartner Inc., on a scale of risk to consumers of 1 to 10, this is a 10.

After taking Equifax public in 2005, CEO Smith transformed the company from a slow-growing credit-reporting company (1-2 percent organic growth per year) into a global data powerhouse. Equifax bought companies with databases housing information about consumers' employment histories, savings, and salaries, and expanded internationally. The company bought and sold pieces of data that enabled lenders, landlords, and insurance companies to make decisions about granting credit, hiring job seekers, and renting an apartment. Equifax was transformed into a lucrative business housing $12 trillion of consumer wealth data. In 2016, the company generated $3.1 billion in revenue.

Competitors privately observed that Equifax did not upgrade its technological capabilities to keep pace with its aggressive growth. Equifax appeared to be more focused on growing data it could commercialize.

Hackers gained access to Equifax systems containing customer names, Social Security numbers, birth dates, and addresses. These four pieces of data are generally required for individuals to apply for various types of consumer credit, including credit cards and personal loans. Criminals who have access to such data could use it to obtain approval for credit using other people's names. Credit specialist and former Equifax manager John Ulzheimer calls this a "nightmare scenario" because all four critical pieces of information for identity theft are in one place.

The hack involved a known vulnerability in Apache Struts, a type of open-source software Equifax and other companies use to build websites. This software vulnerability had been publicly identified in March 2017, and a patch to fix it was released at that time. That means Equifax had the information to eliminate this vulnerability two months before the breach occurred. It did nothing.

Weaknesses in Equifax security systems were evident well before the big hack. A hacker was able to access credit-report data between April 2013 and January 2014. The company discovered that it mistakenly exposed consumer data as a result of a "technical error" that occurred during a 2015 software change. Breaches in 2016 and 2017 compromised information on consumers' W-2 forms that were stored by Equifax units. Additionally, Equifax disclosed in February 2017 that a "technical issue" compromised credit information of some consumers who used identity-theft protection services from LifeLock.

Analyses earlier in 2017 performed by four companies that rank the security status of companies based on publicly available information showed that Equifax was behind on basic maintenance of websites that could have been involved in transmitting sensitive consumer information. Cyberrisk analysis firm Cyence rated the danger of a data breach at Equifax during the next 12 months at 50 percent. It also found the company performed poorly when compared with other financial-services companies. The other analyses gave Equifax a higher overall ranking, but the company fared poorly in overall web-services security, application security, and software patching.

A security analysis by Fair Isaac Corporation (FICO), a data analytics company focusing on credit scoring services, found that by July 14 public-facing websites run by Equifax had expired certificates, errors in the chain of certificates, or other web-security issues. Certificates are used to validate that a user's connection with a website is legitimate and secure.

The findings of the outside security analyses appear to conflict with public declarations by Equifax executives that cybersecurity was a top priority. Senior executives had previously said cybersecurity was one of the fastest-growing areas of expense for the company. Equifax executives touted Equifax's focus on security in an investor presentation that took place weeks after the company had discovered [...]

[...] databases to match up information such as driver license or Social Security numbers needed to create a complete data profile for identity theft.

Equifax management stated that although the hack potentially accessed data on approximately 143 million U.S. consumers, it had found no evidence of unauthorized activity in the company's core credit reporting databases. The hack triggered an uproar among consumers, financial organizations, privacy advocates, and the press. Equifax lost one-third of its stock market value. Equifax CEO Smith resigned, with the CSO (chief security officer) and CIO departing the company as well. Banks will have to replace approximately 209,000 credit cards that were stolen in the breach, a major expense. Lawsuits are in the works.

Unfortunately the worst impact will be on consumers themselves, because the theft of uniquely identifying personal information such as Social Security numbers, address history, debt history, and birth dates could have a permanent effect. These pieces of critical personal data could be floating around the Dark Web for exploitation and identity theft for many years. Such information would help hackers answer the series of security questions that are often required to access financial accounts. According to Pamela Dixon, executive director of the World Privacy Forum, "This is about as bad as it gets. If you have a credit report, there's at least a 50 percent chance or more that your data were stolen in this breach."

The data breach exposed Equifax to legal and financial challenges, although the regulatory environment is likely to become more lenient under the current presidential administration. It already is too lenient. Credit reporting bureaus such as Equifax are very lightly regulated. Given the scale of the data compromised, the punishment for breaches is close to nonexistent. There is no federally sanctioned insurance or audit system for data storage the way the Federal Deposit Insurance Corporation provides insurance for banks after losses. For many types of data, there are few licensing requirements for housing personally identifiable information. In many [...]

[...] Commission and the Consumer Financial Protection Bureau, declined to comment on any potential punishments over the credit agency's breach. Even after one of the most serious data breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual.

And the scope of the problem is much wider. Public policy has no good way to heavily punish companies that fail to safeguard our data. The United States and other countries have allowed the emergence of huge, phenomenally detailed databases full of personal information available to financial companies, technology companies, medical organizations, advertisers, insurers, retailers, and the government.

Equifax has offered very weak remedies for consumers. People can go to the Equifax website to see if their information has been compromised. The site asks customers to provide their last name and the last six digits of their Social Security number. However, even if they do that, they do not necessarily learn whether they were affected. Instead, the site provides an enrollment date for its protection service. Equifax offered a free year of credit protection service to consumers enrolling before November 2017. Obviously, all of these measures won't help much because stolen personal data will be available to hackers on the Dark Web for years to come. Governments involved in state-sponsored cyberwarfare are able to use the data to populate databases of detailed personal and medical information that can be used for blackmail or future attacks. Ironically, the credit-protection service that Equifax is offering requires subscribers to waive their legal rights to seek compensation from Equifax for their losses in order to use the service, while Equifax goes unpunished. On March 1, 2018, Equifax announced that the breach had compromised an additional 2.4 million more Americans' names and driver's license numbers.

Harmful data breaches keep happening. In almost all cases, even when the data concerns tens or hundreds of millions of people, companies such as Equifax and Yahoo that were hacked continue to operate. There will be hacks, and afterward, there will be more. Companies need to be even more diligent about incorporating security into every aspect of their IT infrastructure and systems development activities. According to Litan, to prevent data breaches such as Equifax's, organizations need many layers of security controls. They need to assume that prevention methods are going to fail.
