1

Data breach at Equifax case study

Course Title

Student’s name

Institution

Professor’s name

Date
 2

Data breach at Equifax case study

Introduction

Numerous organizations envision being proactive, but many have not been able to

achieve this quality. Currently, businesses are facing a variety of opposing forces against their

business environment. Success and survival in such cases are dependent on the company’s

capability to react swiftly and make adjustments to mitigate the threats and work on the

opportunities. Unlucky the stiff competition that companies are exposed to pushes the

management to focus on their profit margins, thus leaving other aspects out of their priority list.

Such cases can best be demonstrated such as the case of Equifax, which is a credit reporting firm

based in the US, which experienced devastating issues leading to losses within two years. after

Smith was handed the CEO position, he made significant amendments to match the data-

intensive activities that the company had undergone.

The CEO thus used millions to ensure cybersecurity was best by using cybersecurity

experts. The chief security officer Tony Spinelli. The chief security officer Spinelli and his staff

made efforts to ensure the company had modernized cyber defense, leading to the

implementation of a 24-hour crisis management force and finding possible loopholes on their

systems. However, Spinelli and various security staff left the company in 2013(Srinivasan et al.,

2017). Relating to this information it can be perceived, Equifax was determined to ensure that

the security of their systems was never compromised. Nevertheless, due to the expenses incurred

in ensuring this was a priority maintenance to the systems was not done for some time hence the

management redirected their focus on other aspects that proved to be urgent by then. This paper

assesses the case study of the Equifax data breach by looking at the vulnerabilities the company
 3

may have been exposed to leading to hackers stealing their data and some of the recovery

strategies the company employed.

Analysis of the firm

The cyberattack was forthcoming, regardless of the management at Equifax trying to

ignore this fact, which resulted in the attackers stealing personal data from the systems. Almost a

year after the incident the company has not been able to recover as they face almost 240 lawsuits

and are still under the scrutiny of various organizations such as FTC, SEC as well as Canadian

and British regulators. Similarly, the market share of this company has reduced by over 30%.

The company also reported a reduction in profits within the 3rd quarter of the year 2018. This

case study examines some of the factors that lead to weak security and vulnerabilities within

their systems (Portman & Carper, 2018). The vulnerabilities that the hackers took advantage of

will also be discussed, and then the strong foundation concerning security the company had

invested in. the paper also entails the strategies Equifax has used to try and recover from the

aftermath of this incident.

Factors that resulted in weak system security in Equifax.

Although several factors might have led to the data breach occurring at the company, the

main factor is related to poor management where confidential data was not well secured by the

company. At the start of Smith’s term in office acting as the company’s CEO, costly strategies

were used to make sure that the systems had high-end security protection by employing system

security experts to work to ensure the systems were monitored and secure 24/7. However, most

of these security experts left the company in 2013. In the year 2014, Equifax was only using a

percent of its operating costs on cybersecurity. Various slight occurrences indicated the
 4

loopholes within the company’s security systems however the management was slow to react.

Some external sources made audits on the organization's security protocols and pointed out the

systems were vulnerable and could be attacked by hackers (GAO, 2018). The management

however disregarded these. This is evident as one former employee stated that any time there

was discussion regarding the security of the systems, the cybersecurity staff faced a hard time

getting the management to understand what was happening and its effects. This indicates as time

went by the cybersecurity of the company was left unmanaged and the company concentrated on

other objectives not closing the loopholes within their systems.

Similarly, Equifax had not come up with a data breach recovery strategy. Research

conducted by ESG in 2017 was critical about the firm’s level of preparedness to mitigate such

occurrences of data breaches rating the organization zero concerning privacy and data security.

The audit focused on aspects such as potential regulatory and reputational risks that would occur

in case of mishandling of private information. It is obvious that the company hand not put in

place any plans in case such incidences were to take place (GAO, 2018). As earlier stated, the

operations costs spend on the security of the systems was only 1 percent in 2014 which was not

enough to ensure maintenance of the systems and training of the employees was done in regards

to cybersecurity. Equifax also lacked strategies to ensure effective communication within the

organizations was achieved, this led to the failure of important information being communicated

among the employees at the expected time frame. The outcome was the top management

blaming an employee for failing to patch up the system with security updates as expected.

Vulnerabilities hackers used to breach data at Equifax

The vulnerabilities that the hackers took advantage of were the security error within the

Apache Struts software. Research done by a certain Chinese cybersecurity expert pointed out the
 5

given vulnerability within the system was dangerous as it allowed the hackers to get access to the

system with ease. After exploiting the system, the hackers could install malware and hide their IP

addresses hence not being able to be tracked. Apart from this, the researchers noted that the

firm's vulnerability was an easy task as the attackers could easily find servers that had not been

patched. This led to hackers taking advantage of these vulnerabilities and collecting personal

data from their servers (Fruhlinger, 2020).

Examining the effectiveness of the firm’s security control

Equifax failed to instill sufficient security measures to protect the sensitive information it

was handling. Several independent organizations had identified the flaws within the

organization’s system. Regardless the organization declined to address these problems. An audit

carried out in 2016 by Deloitte pointed out inconsiderate ways the systems were being patched.

One of the employees had pointed out the fact the communication with the management

regarding the security of the systems had been hard thus their requests being ignored. Another

audit that was conducted in 2017 on the company’s preparedness in case the company’s systems

were breached was ranked second last among US financial firms. The same findings were

pointed out by Fair Isaac Corp and BitSight saying the cybersecurity at Equifax was poor.

Evaluation of the attack’s aftermath applied by Equifax

Apart from reducing stock values and incurring losses, Equifax clients lost their trust in

the company that had taken years to build. Thus, the measure put in place was for their

customers to regain their trust by assuring their clients that protective measures had been made to

protect their information. An instance is a company implementing a system that made sure all the

three credit bureaus were monitoring their credit data. Other measure includes credit locks and
 6

generation of credit reports and also implementation of theft insurance. Regardless various

responses had issues. For instance, the post response different domain misleads people keying

into their website.

In summary, the hacking incident that transpired at Equifax serves as an opportunity to

learn for numerous companies dealing with sensitive customer data. The first lesson entails the

importance of proactivity, which entails identifying issues earlier and reacting to them swiftly.

Equifax management ignored numerous warnings addressed to them which later had detrimental

outcomes. Additionally, some of the measures that were put in place after the incidence was

risky and could risk their client’s information even more. Thus, it is vital for organizations to any

given strategies before making decisions on implementation.

 7

References

Fruhlinger, J. (2020, February 12). Equifax Data Breach FAQ: What happened, who was

affected, what was the impact? CSO Online. Retrieved November 30, 2021, from

https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-

who-was-affected-what-was-the-impact.html.

GAO, U. S. G. A. (2018). Data Protection: Actions taken by Equifax and federal agencies in

response to the 2017 breach. Data Protection: Actions Taken by Equifax and Federal

Agencies in Response to the 2017 Breach | U.S. GAO. Retrieved November 30, 2021,

from https://www.gao.gov/products/gao-18-559.

Portman, R., & Carper, T. C. (2018). HOW EQUIFAX NEGLECTED CYBERSECURITY AND

SUFFERED A DEVASTATING DATA BREACH. Retrieved November 30, 2021, from

https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf?

source=techstories.org.

Srinivasan, S., Pitcher, Q., & Goldberg, J. (2017). Data breach at Equifax. Data Breach at

Equifax - Case - Faculty & Research - Harvard Business School. Retrieved November

30, 2021, from https://www.hbs.edu/faculty/Pages/item.aspx?num=53509.