Course Title
Student’s name
Institution
Professor’s name
Date
Introduction
Numerous organizations envision being proactive, but many have not been able to
achieve this quality. Currently, businesses face a variety of opposing forces in their
business environment. Success and survival in such cases depend on the company’s
capability to react swiftly and make adjustments to mitigate threats and act on
opportunities. Unfortunately, the stiff competition that companies are exposed to pushes
management to focus on profit margins, leaving other aspects off the priority list.
This is best demonstrated by the case of Equifax, a credit reporting firm
based in the US, which experienced devastating issues leading to losses within two years. After
Smith was handed the CEO position, he made significant amendments to match the data-
The CEO thus spent millions to strengthen cybersecurity by employing cybersecurity
experts. The chief security officer, Tony Spinelli, and his staff
made efforts to ensure the company had a modernized cyber defense, leading to the
implementation of a 24-hour crisis management force and a search for possible loopholes in their
systems. However, Spinelli and various security staff left the company in 2013 (Srinivasan et al.,
2017). From this information it can be seen that Equifax was determined to ensure that
the security of its systems was never compromised. Nevertheless, because of the expenses incurred
in making this a priority, maintenance of the systems was not done for some time, and
management redirected its focus to other aspects that proved to be urgent at the time. This paper
assesses the case study of the Equifax data breach by looking at the vulnerabilities the company
may have been exposed to leading to hackers stealing their data and some of the recovery
ignore this fact, which resulted in the attackers stealing personal data from the systems. Almost a
year after the incident, the company has not been able to recover, as it faces almost 240 lawsuits
and is still under the scrutiny of various organizations such as the FTC and SEC as well as Canadian
and British regulators. Similarly, the market share of this company has reduced by over 30%.
The company also reported a reduction in profits in the 3rd quarter of the year 2018. This
case study examines some of the factors that led to weak security and vulnerabilities within
its systems (Portman & Carper, 2018). The vulnerabilities that the hackers took advantage of
will also be discussed, followed by the strong security foundation the company had
invested in. The paper also covers the strategies Equifax has used to try to recover from the
Although several factors might have led to the data breach at the company, the
main factor is poor management, under which confidential data was not well secured by the
company. At the start of Smith’s term as the company’s CEO, costly strategies
were used to make sure that the systems had high-end security protection, by employing system
security experts to ensure the systems were monitored and secure 24/7. However, most
of these security experts left the company in 2013. In the year 2014, Equifax was spending only
one percent of its operating costs on cybersecurity. Various minor incidents indicated the
loopholes within the company’s security systems; however, management was slow to react.
Some external sources audited the organization's security protocols and pointed out that the
systems were vulnerable and could be attacked by hackers (GAO, 2018). Management,
however, disregarded these findings. This is evident, as one former employee stated that any time there
was discussion regarding the security of the systems, the cybersecurity staff had a hard time
getting management to understand what was happening and its effects. This indicates that, as time
went by, the company's cybersecurity was left unmanaged and the company concentrated on
Similarly, Equifax had not come up with a data breach recovery strategy. Research
conducted by ESG in 2017 was critical of the firm’s level of preparedness to mitigate such
data breaches, rating the organization zero concerning privacy and data security.
The audit focused on aspects such as the potential regulatory and reputational risks that would arise
from mishandling private information. It is evident that the company had not put in
place any plans in case such incidents were to take place (GAO, 2018). As stated earlier,
only 1 percent of operating costs was spent on the security of the systems in 2014, which was not
enough to ensure that the systems were maintained and the employees were trained in
cybersecurity. Equifax also lacked strategies to ensure effective communication within the
organization, which led to important information not being communicated
among employees within the expected time frame. The outcome was top management
blaming an employee for failing to patch the system with security updates as expected.
The vulnerability that the hackers took advantage of was a security flaw within the
Apache Struts software. Research done by a Chinese cybersecurity expert pointed out that the
given vulnerability within the system was dangerous, as it allowed the hackers to get access to the
system with ease. After exploiting the system, the hackers could install malware and hide their IP
addresses so that they could not be tracked. Apart from this, the researchers noted that exploiting the
firm's vulnerability was an easy task, as the attackers could easily find servers that had not been
patched. This led to hackers taking advantage of these vulnerabilities and collecting personal
Equifax failed to implement sufficient security measures to protect the sensitive information it
was handling. Several independent organizations had identified the flaws within the
organization’s system. Regardless, the organization declined to address these problems. An audit
carried out in 2016 by Deloitte pointed out the inconsiderate ways in which the systems were being patched.
One of the employees had pointed out that communication with management
regarding the security of the systems had been hard, with their requests being ignored. In another
audit, conducted in 2017, of preparedness in case the company’s systems
were breached, the company was ranked second last among US financial firms. The same findings were
pointed out by Fair Isaac Corp and BitSight, which said the cybersecurity at Equifax was poor.
Apart from the reduced stock value and the losses incurred, Equifax lost the client trust
that the company had taken years to build. Thus, the measures put in place were meant to
regain customers' trust by assuring clients that protective measures had been taken to
protect their information. One instance is the company implementing a system that made sure all
three credit bureaus were monitoring their credit data. Other measures include credit locks and
generation of credit reports and also implementation of theft insurance. Regardless, various
responses had issues. For instance, the post response different domain misleads people keying
learn for numerous companies dealing with sensitive customer data. The first lesson is the
importance of proactivity, which entails identifying issues early and reacting to them swiftly.
Equifax management ignored numerous warnings addressed to them, which later had detrimental
outcomes. Additionally, some of the measures that were put in place after the incident were
risky and could put their clients’ information at even greater risk. Thus, it is vital for organizations to any
References
Fruhlinger, J. (2020, February 12). Equifax Data Breach FAQ: What happened, who was
affected, what was the impact? CSO Online. Retrieved November 30, 2021, from
https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html.
GAO, U. S. G. A. (2018). Data Protection: Actions taken by Equifax and federal agencies in
response to the 2017 breach. Data Protection: Actions Taken by Equifax and Federal
Agencies in Response to the 2017 Breach | U.S. GAO. Retrieved November 30, 2021,
from https://www.gao.gov/products/gao-18-559.
Portman, R., & Carper, T. C. (2018). HOW EQUIFAX NEGLECTED CYBERSECURITY AND
https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf?source=techstories.org.
Srinivasan, S., Pitcher, Q., & Goldberg, J. (2017). Data breach at Equifax. Data Breach at
Equifax - Case - Faculty & Research - Harvard Business School. Retrieved November