Introduction
When it emerged that Equifax had been notified in early March about the software vulnerability its attacker used, but had failed to fix it in time, its cybersecurity preparedness came under attack. Critics also attacked the company's response to the theft, highlighting in particular the time it took Equifax to notify the public of the breach after discovering it.
Facing several lawsuits and investigations, Equifax needed better cybersecurity measures in order to assure both customers and public officials that it remained an important data custodian. On the contrary, completing this task proved to be far simpler than expected. The study discusses the hazards of ineffective management and of failing to address issues as soon as they arise. With the Equifax data breach, we want to learn more about how to avoid such problems in the future and the
Background
In 1899, Cator and Guy Woolford founded Equifax as the Retail Credit Company in Atlanta, Georgia. By 1920 the business had offices across the United States and Canada. By the 1960s, Retail Credit Company was one of the country's major credit agencies, holding files on millions of Americans and Canadians. Although the firm continued to do credit reporting, the majority of its revenue came from producing reports for insurance companies when individuals applied for new insurance policies, including life, automobile, fire, and medical insurance. RCC also investigated insurance claims and produced employment reports when people sought new jobs. Retailers Commercial Agency, a subsidiary, handled the majority of the credit activities at the time. The company's tagline, “Powering the world with knowledge,” encapsulated its objectives.
Experian, Dun & Bradstreet, and others competed with Equifax in commercial credit reporting for businesses in the United States, Canada, and the UK. Over time, insurance reporting was discontinued. In 1997, the company spun off a subsidiary that supplied specialized credit information
Problem Identification
Apache Struts, an open-source Java web application framework used by organizations ranging from banks to government agencies, was found to have a security weakness in early March 2017. Because two exploits for it were publicly known, the vulnerability posed a serious threat. On March 8, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued an advisory to anyone who might be at risk, given the widespread use of the software and the severity of the vulnerability. Those contacted included Equifax's GTVM team and its CSO. Equifax used Apache Struts as middleware for its Automated Consumer Interview System (ACIS), the online portal through which customers disputed items in their credit reports. By March 9, the GTVM team had distributed CERT's notice to about 430 Equifax workers on the relevant listservs. Equifax policy required that the Apache Struts update be applied within 48 hours of its release.
Even so, Equifax did not patch the vulnerable version of Apache Struts in response to the internal March 9 alert. On March 16, 2017, only a small number of senior Equifax managers with responsibility for cybersecurity attended the GTVM team's monthly threat meeting, at which the vulnerability was discussed at length. No one was obligated to attend, and the business did not keep track of who did. Employees were given a PowerPoint presentation outlining the meeting's agenda, which included information about the Apache Struts patch, a list of vulnerable versions of Apache Struts, and instructions on how to apply the fix correctly. The Apache Struts vulnerability was not on the list of essential patches in the April 2017 GTVM slide deck, because vulnerabilities from earlier months were not routinely carried forward into the following months' decks.
Analysis
One of the three most serious problems was the absence of an accurate inventory of Equifax's IT assets. The corporation maintained multiple separate inventories, but none was comprehensive, because they were dispersed across several divisions. As a result, until July 2017 neither Equifax's security staff nor Payne, the IT director for ACIS, knew that ACIS was running Apache Struts.
Another flaw, identified in Equifax's 2015 audit and still not remedied by 2017, was the company's reactive rather than proactive approach to patching. Equifax patched only those applications that had been shown to have critical vulnerabilities, rather than applying patches across all of them. Critical updates were implemented only once it became evident that not installing them put corporate systems at risk, leaving those systems exposed in the interim. The 2015 audit also determined that Equifax had no way of verifying whether it had successfully patched a known vulnerability. Regular scans were run to discover vulnerabilities, but their results were not scrutinized closely, and the scans themselves were flawed. As long as a vulnerability no longer appeared in the scan results, Equifax assumed it had been fixed. Consequently, patching "critical" technology assets was not given the priority it deserved under Equifax's patch management strategy, resulting in longer-than-necessary delays for essential upgrades. To top it all off, Equifax simply lacked the staff to execute the technology and
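The inventory and scan-verification failures described in this section, as an added example that is not code from the case study or from Equifax: it merges two constructed per-division inventories into one company-wide view, flags hosts running an affected Apache Struts version (an illustrative version range constructed here, not the advisory's real list), and refuses to count a host as patched merely because the scanner raised no finding for it. Hostnames and scan data are likewise constructed.

```python
# Added example (not Equifax's or the case study's code). All hostnames, inventories,
# scan data and the affected-version range are constructed for illustration.
def parse_version(text):
    """'2.3.20' -> (2, 3, 20) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# Illustrative affected range (constructed, not the real advisory's list).
AFFECTED = (parse_version("2.3.0"), parse_version("2.3.30"))

def is_affected(version):
    return AFFECTED[0] <= parse_version(version) <= AFFECTED[1]

def merge_inventories(*inventories):
    """Union of per-division inventories keyed by hostname; a later inventory
    fills in facts an earlier one left unknown (None)."""
    merged = {}
    for inventory in inventories:
        for host, facts in inventory.items():
            known = {k: v for k, v in facts.items() if v is not None}
            merged.setdefault(host, {}).update(known)
    return merged

def reconcile(inventory, scanned_hosts, scan_findings):
    """'patched' needs a fixed version in the inventory; a host the scanner never
    reached, or whose software nobody recorded, is never assumed safe."""
    status = {}
    for host, facts in inventory.items():
        struts = facts.get("struts")
        if struts is None:
            status[host] = "unknown-software"   # inventory gap: cannot assess
        elif host not in scanned_hosts:
            status[host] = "unscanned"          # scanner silence is not a fix
        elif host in scan_findings:
            status[host] = "vulnerable"         # scanner and inventory agree
        elif is_affected(struts):
            status[host] = "vulnerable-missed-by-scan"  # inventory says exposed; scan is flawed
        else:
            status[host] = "patched"
    return status

# Constructed sample data: two divisions each hold a partial, overlapping inventory.
DIVISION_A = {"acis-web-01": {"struts": "2.3.20"}, "acis-web-02": {"struts": None},
              "dispute-05": {"struts": "2.3.18"}}
DIVISION_B = {"acis-web-02": {"struts": "2.3.20"}, "portal-03": {"struts": "2.3.35"},
              "legacy-09": {}}
SCANNED = {"acis-web-01", "dispute-05", "portal-03", "legacy-09"}  # hosts the scanner reached
FINDINGS = {"acis-web-01"}                                           # hosts it actually flagged

def audit():
    return reconcile(merge_inventories(DIVISION_A, DIVISION_B), SCANNED, FINDINGS)
```

Only one of the four exposed-or-unknown hosts would have shown up as a finding; the other three are exactly the cases a "not in the scan results, so it must be fixed" policy misses.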
Alternatives
According to a Congressional probe conducted in 2013, Equifax's lack of a centralized inventory of IT assets was partly due to the way the company managed its IT and security staff. Before 2005, Equifax's CSO reported to the CIO, who in turn reported to the CEO, as is customary at 25% to 50% of organizations that have CSOs. Even Equifax's CIO at the time of the hack was aware that this organizational structure, which combined IT and security into a single chain of command, was an industry best practice. Where a company's CSO did not report to the CIO, another typical arrangement was for the CIO and the CSO to both report directly to the CEO and the board of directors. Only about 8% of companies with security positions use that structure. Equifax, however, took a different path: in 2005, after a conflict between the CIO and CISO, the CLO was made "head of security," an arrangement used by only a small percentage of companies.
Recommendations
To strengthen Board oversight of management, permanently separate the CEO and Chairman roles. The board should revise the company's clawback policy so that executive remuneration can be recovered when the company suffers financial or reputational harm as a result of executive misconduct or supervisory failures. Any compensation recovered will be disclosed to shareholders. When determining executive pay, consider the impact of any data-breach-related lawsuits, settlements, and other expenses. As soon as possible, appoint a special committee of directors to study and assess the financial impact of a data breach on the company and to ensure that any future breaches are reported to the Board of Directors. After the Committee's conclusions are released, the company should likewise inform shareholders. Stakeholder advocates and outside experts should form a multi-stakeholder advisory board to address public policy
Action Plan
Because customers' data is at risk, these measures and compensation should be put in place as soon as possible so that consumers feel secure. The package includes monitoring of credit files at all three credit bureaus, a credit lock, credit reports, identity theft insurance, and a year of "dark web" scanning for Social Security numbers. All U.S. customers should be able to use these services for free. The Board should take some time, analyze the different teams, and appoint qualified workers
When huge businesses experiment with our data and do not devote adequate resources to securing it, we should expect more incidents like this in the future. Equifax's profitability dropped 27% year over year in the period after the breach news. Nearly $90 million in expenditures were incurred immediately because of the breach, along with 240 consumer lawsuits. The corporation had suffered a great deal of harm. Equifax was not the only victim of harmful cyber activity. More than 3,785 companies in the United States were affected by data breaches in 2017, according to the FBI. Nor were large-scale hacks a minor matter: each significant cyberattack between January 2000 and January 2017 cost more than $498 million in market capitalization, according to the President's Council of Economic Advisers (CEA). Given this, several experts questioned what Equifax might have done differently to safeguard itself, while others questioned if