Performance Criteria

P$.$C$.2\mathrm{.}5$ Implement internal control procedures for eyber security and the safe handling

of payments and data

Case Scenario:

Equifax Data Breach

Background: In March $2017,$ Equifax, a major credit reporting agency in the United States,

experienced a significant data breach that exposed personally identifying information of

hundreds of millions of individuals. The breach raised concerns not only about the security

lapses that allowed it to happen but also about Equifax's response to the incident.

How the Equifax Breach Happened:

Initial Entry: The breach began through a consumer complaint web portal, exploiting a

known vulnerability $($CVE$-2017-5638)$ in Apache Struts, a framework used by

Equifax. The vulnerability should have been patched, but due to internal process

failures, it remained unaddressed.

Lack of Segmentation: Attackers moved from the web portal to other servers due to

inadequate segmentation of systems. They discovered usernames and password

stored in plain text, providing access to additional systems.

Encryption Certificate Failure: Data was exfiltrated in encrypted form for months

without detection because Equifax failed to renew an encryption certificate on an

internal security tool, allowing attackers to operate undetected.

Delayed Public Disclosure: Equifax did not publicize the breach until more than a

month after its discovery. Stock sales by top executives during this period raised

suspicions of insider trading

Timeline of Events:

March $10,2017$: Initial breach through the Struts vulnerability.

May $13,2017$: Attackers began moving within Equifax's network, exfiltrating data

July $29,2019$: Expired encryption certificate discovered; Equifax administrators

became aware of the breach

September $8,2017$: Equifax publicly disclosed the breach, more than a month after its

discovery.

Data Compromised:

Potentially affected $143$ million people.

Exposed information included names, addresses, dates of birth, Social Security

numbers, and driver's license numbers.

Approximately $200,000$ records included credit card numbers.

Who Was Responsible:

The attackers' identity remains a subject of speculation.

There are strong indications that Chinese state$-$sponsored hackers were behind the

breach for espionage purposes rather than financial gain.

Evidence points to a connection with other state$-$backed cyber operations targeting U$.$S$.$

government officials

Equifax's Response:

Equifax's immediate response faced criticism for setting up a separate domain for

breach information, potentially susceptible to phishing

The breach site's security was questioned, and Equifax directed affected individuals to

enroll in their ID protection service.

Legislation imposing fines on credit$-$reporting agencies for breaches did not pass.

Impact on Equifax:

Top$-$level turnover in Equifax's leadership.

Equifax spent $$1\mathrm{.}4$ billion on cleanup and security upgrades.

A record$-$breaking settlement with the FTC required Equifax to spend at least $$1\mathrm{.}38$

billion to resolve consumer claims.

On the basis of above for case snerio prepare research report

on Implementing Internal Control Procedures for

Cybersecurity and Safe Handling of Payments and Data for

Equifax Breach.

Instructions:

Introduction :

Provide a brief overview of the Equifax Data Breach,

highlighting its significance and impact.

Highlight the key areas of concern, including the

initial entry, lack of segmentation, encryption

certificate failure, delayed disclosure, and the

responsible parties.

Analysis of Breach Causes :

Explore in detail how the breach occurred, focusing

on the identified vulnerabilities and failures.

Discuss the implications of the lack of segmentation

and the consequences of the encryption certificate

failure.

Timeline of Events :

Emphasize the importance of timely detection and

disclosure in cybersecurity incidents.

Scope of Data Compromised :