Assignment

Introduction

When it emerged that Equifax had been notified in early March about the software vulnerability its attacker exploited, but had failed to fix it in time, its cybersecurity preparedness came under attack. Critics also attacked the company's response to the theft, highlighting in particular the time it took Equifax to notify the public of the breach after discovering it.

Facing several lawsuits and investigations, Equifax needed better cybersecurity measures in order to assure both customers and public officials that it remained an important data custodian. On the contrary, completing this task proved to be far simpler than expected. This study discusses the hazards of ineffective management and of failing to address issues as soon as they arise. Using the Equifax data breach, we aim to learn more about the circumstances that contributed to it and how to avoid such problems in the future.

Background

In 1899, Cator and Guy Woolford founded Equifax, then called the Retail Credit Company, in Atlanta, Georgia. By 1920 the business had offices all around the United States and Canada. By the 1960s, Retail Credit Company was one of the country's major credit agencies, holding files on millions of Americans and Canadians. Even while the firm continued to undertake credit reporting, the majority of its revenue came from generating reports for insurance companies when individuals applied for new insurance policies, including life, automobile, fire, and medical insurance. When people were seeking new jobs, RCC checked into insurance claims and submitted employment reports. A subsidiary, Retailers Commercial Agency, handled the majority of the credit activities at the time. The company's tagline, "Powering the world with knowledge," encapsulated its objectives.

Experian, Dun & Bradstreet, and others competed with Equifax in commercial credit reporting for businesses in the United States, Canada, and the UK. Over time, insurance reporting was discontinued. In 1997, the company spun off a subsidiary, ChoicePoint, that supplied specialized credit information to the insurance market.

Problem Identification

Apache Struts, an open-source Java web application framework used by organizations ranging from banks to government agencies, was found to have a security weakness in early March 2017. Because two exploits for it were publicly known, this vulnerability posed a serious threat. On March 8, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued an advisory to anyone who might be at risk, given the widespread use of the software and the severity of the vulnerability. Those contacted included Equifax's GTVM team and its CSO. Equifax used Apache Struts as middleware for its Automated Consumer Interview System (ACIS), the online portal through which customers disputed items in their credit reports. On March 9, the GTVM team distributed CERT's notice to about 430 Equifax employees on the relevant listservs. Under Equifax policy, the Apache Struts update therefore had to be implemented within 48 hours of its release.

Equifax did not, however, patch the vulnerable version of Apache Struts in response to the internal March 9 alert. On March 16, 2017, only a small number of senior Equifax managers with responsibility for cybersecurity attended the GTVM team's monthly threat meeting, at which the vulnerability was discussed at length. Attendance was not mandatory, and the business did not keep track of who attended. Employees were given a PowerPoint presentation outlining the meeting's agenda, which included information about the Apache Struts patch, a list of vulnerable versions of Apache Struts, and instructions on how to apply the fix correctly. The Apache Struts vulnerability was not listed among the essential patches in the April 2017 GTVM slide deck, since previously announced vulnerabilities were not routinely carried over into the following months' GTVM slide decks.

Analysis
One of the three most serious problems was the absence of an accurate inventory of Equifax's IT assets. The corporation maintained multiple separate inventories, but none was comprehensive because they were dispersed across several divisions. As a result, until July 2017, neither Equifax's security staff nor Payne, the IT director for ACIS, knew that ACIS was running Apache Struts.

Another flaw, identified in Equifax's 2015 audit and still not remedied by 2017, was the company's reactive rather than proactive approach to patching. Equifax patched only those applications that had been shown to have critical vulnerabilities, rather than applying patches to all of them at once. Critical updates were implemented only when it became evident that not installing them endangered corporate systems, leaving those systems vulnerable in the interim, as the 2015 audit noted. The audit also determined that Equifax had no way of verifying whether it had successfully patched a known vulnerability. Regular scans were run to discover vulnerabilities, but their results were not closely scrutinized, and the scans themselves were flawed. As long as a vulnerability no longer appeared in the scan results, Equifax assumed it had been fixed. Consequently, patching "critical" technology assets was not given the priority it deserved under Equifax's patch management strategy, resulting in longer than necessary lag times for essential upgrades. To top it all off, Equifax simply lacked the staff to operate the technology and processes needed to meet these internal security objectives.
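Added example, not part of the assignment or of any Equifax system: a small Python model of the two failures described in this section, dispersed inventories and "absent from the scan means fixed". The hostnames, divisions, version numbers and the vulnerable version range are all constructed placeholders, since the text names none.

```python
# Constructed sample data (not from the page): three divisional inventories that
# overlap but are each incomplete, and one scan that never reached the ACIS host.
DIVISION_INVENTORIES = {
    "security": {"web-portal-01": {"struts": "2.5.13"}},
    "it-acis": {
        "acis-app-01": {"struts": "2.3.30"},
        "legacy-04": {"struts": None},        # known to run Struts, version never recorded
        "web-portal-01": {"struts": "2.5.13"},
    },
    "finance": {"billing-02": {}},             # no Struts at all
}
SCAN = {"reached": {"web-portal-01", "billing-02"}, "findings": set()}

# Placeholder range (the page lists no versions): lower bound inclusive, upper exclusive.
VULN_LO, VULN_HI = (2, 3, 0), (2, 3, 32)


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def merge_inventories(divisions):
    """Union of every divisional inventory: the single list the case says was missing."""
    merged = {}
    for division, assets in divisions.items():
        for host, attrs in assets.items():
            entry = merged.setdefault(host, {"sources": set()})
            entry["sources"].add(division)
            if "struts" in attrs:
                entry["struts"] = attrs["struts"]
    return merged


def unknown_to(merged, division):
    """Hosts in the merged inventory that one division (e.g. security) has never seen."""
    return sorted(h for h in merged if division not in merged[h]["sources"])


def naive_status(host, scan):
    """The case's failure mode: no finding in the scan output is read as 'fixed'."""
    return "vulnerable" if host in scan["findings"] else "fixed"


def evidence_status(host, merged, scan):
    """Require positive evidence: an observed version decides; unobserved, unscanned hosts stay unknown."""
    entry = merged[host]
    if "struts" not in entry:
        return "n/a"
    version = entry["struts"]
    if version is not None:
        return "vulnerable" if VULN_LO <= parse_version(version) < VULN_HI else "patched"
    if host in scan["reached"] and host not in scan["findings"]:
        return "patched"      # the scanner actually looked at this host and found nothing
    return "unknown"          # never observed, never scanned: must not be counted as fixed
```

Run against the sample data, `naive_status` reports every host as "fixed", while `evidence_status` flags acis-app-01 as vulnerable and legacy-04 as unknown; the merged inventory also shows which hosts the security division never knew about.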

Alternatives

Equifax's lack of a centralized inventory of IT assets was in part due to the way the company managed its IT and security staff, according to a Congressional probe conducted in 2013. Before 2005, Equifax's CSO reported to the CIO, who in turn reported to the CEO, as is customary at 25% to 50% of organizations that have a CSO. Even Equifax's CIO at the time of the hack was aware that this organizational structure, which combines IT and security into a single chain of command, was an industry best practice. Where a company's CSO did not report to the CIO, another typical arrangement was for the CIO and the CSO both to report directly to the CEO and the board of directors. While only about 8% of companies with security positions use this structure, Equifax's CLO was made "head of security" in 2005 after a conflict between the CIO and the CISO, a position used by only a small percentage of companies.

Recommendations

To ensure greater Board supervision of management, permanently split the CEO and Chairman roles. The board should revise the company's clawback policy so that executive remuneration can be recovered in the event of financial or reputational harm to the company resulting from executive misbehavior or supervisory failures; any compensation recovered should be disclosed to shareholders. When determining executive pay, consider the cost of any data breach-related lawsuits, settlements, and other expenses. As soon as possible, appoint a special committee of directors to study and assess the financial impact of a data breach on the company and to ensure that any future breaches are reported to the Board of Directors. Once the Committee's conclusions are released, the company should likewise inform shareholders. Stakeholder advocates and outside experts should form a multi-stakeholder advisory board to address public policy concerns about the company's data security procedures.

Action Plan

Because clients' data is at risk, these measures and compensation should be provided as soon as possible so that consumers feel secure. The package includes monitoring of credit files at all three credit bureaus, a credit lock, credit reports, identity theft insurance, and a year of "dark web" scanning for Social Security Numbers. All U.S. customers should be able to use these services free of charge. The Board should take time to analyze the different teams and appoint qualified staff to prevent this from happening again in the long run.


Conclusion

When huge businesses experiment with our data without applying adequate resources to secure it, we should expect more incidents like this in the future. Equifax's profitability dropped 27% year over year in the period after the breach was announced. Nearly $90 million in expenses were incurred immediately because of the breach, along with 240 consumer lawsuits. The corporation had suffered a great deal of harm. Equifax was not the only victim of harmful cyber activity: according to the FBI, more than 3,785 companies in the United States were affected by data breaches in 2017. In addition, large-scale hacks were seldom an easy matter. Each significant cyberattack between January 2000 and January 2017 cost more than $498 million in market capitalization, according to the President's Council of Economic Advisers (CEA). Given this, several experts asked what Equifax might have done differently to safeguard itself, while others questioned whether Equifax was truly careless or merely unfortunate.


