Case Study:

Equifax
Data Breach
 Background
I n 2 0 1 7 , f r o m m i d - M a y t o J u l y, h a c ke r s g a i n e d u n a u t h o r i z e d a c c e s s t o s e r ve r s u s e d b y
E q u i f a x , a m a j o r c r e d i t r e p o r t i n g a g e n c y, a n d a c c e s s e d t h e p e r s on a l i n f o r m a t i o n o f n e a r l y
o n e - h a l f t h e U. S. p o p u l a t i o n .

E q u i f a x e x e c u ti ve s s ol d off n e a r l y $ 2 m i l l i o n o f c o m p a n y s t o c k t h e y o w n e d a f te r fi n d i n g o u t
a b o u t t h e h a c k, w e e k s b e f o r e i t w a s p u b l i c l y a n n o u n c e d , i n p ot e n t i a l v i o l a t i o n of i n s i d e r
t ra d i n g r u l e s .

T h e c om p a ny ’s s h a re s f e l l n e a r l y 1 4 % a f t e r t h e a n n o u n c e m e n t , b u t f e w e x p e c t e d E q u i f a x
m a n a g e rs t o b e h e l d l i a b l e f o r t h e i r m i s t a ke s , f a c e a ny r e g u l a t o r y d i s c i p l i n e , or p a y a ny
p e n a l ti e s f or p r o fi ti n g f r om t h e i r a c t i o n s .

To m a ke a m e n d s t o c u s t o m e r s a n d c l i e n t s i n t h e a f t e r m a t h o f t h e h a c k, t h e c o m p a ny o ff e r e d
“ f r e e ” c re d i t m o n i to r i n g a n d i d e n t i t y- t h e f t p r o t e c t i o n ( p r o v i d e d t h a t p e o p l e g ave u p t h e r i g h t
t o s u e t h e c o m p a ny.)

B o t h th e co m p a ny ’s c h i e f i n f o r m a t i on o ffi c e r a n d c h i e f o f s e c u r i t y r e t i r e d , a n d t h e C E O
r e s i g n e d , d ay s b e f or e h e wa s t o t e s t i f y b e f or e C on g r e s s a b o u t t h e b r e a c h . N u m e r o u s
g o ve rn m e n t i nve s t i g a t i o n s a n d h u n d r e d s o f p r i va t e l a w s u i t s w e r e fi l e d a s a r e s u l t o f t h e
Meanwhile, in Canada…

• The personal information of approximately 8,000 consumers was

impacted. An additional 11,670 credit card numbers of Canadian
consumers may have been impacted.

• Based on Canadian Privacy Laws, the Offi ce of the Privacy

Commissioner of Canada (OPC) opened an investigation into the data
breach at Equifax

• The OPC found that the company ’s safeguards were lacking in the
following areas:
1. vulnerability management;

2. network segregation;

3. implementation of basic information security practices; and

4. oversight.
Questions

1. Wh a t wer e t he co mpa ny ’s le g al re s po n si bil it ie s i n th i s c as e ? Wh at we re it s et h ic al

re s po n si bi lit i es ?(2)

2. Wh a t ar e t he diff e re n c es b et we en a c o mpa ny ’s l ega l a nd e th i ca l r es po n s ibi li ti es , a n d

d o yo u th in k t ha t t h es e d iff e re nc e s ar e i mpo r t an t ? W hy o r why n o t? (2)

3. Th e o n li ne p rivac y pro te c ti o n o ff e re d to c o ns u mer s by E qu if ax r eq ui re d th a t th e y g ive

u p th e ir ri gh t t o s u e th e c o mp any. Wa s th e c o mp any ac t in g wit h in t eg rity? Why or
w hy n o t ? (2)

4. Us i ng t he e t hi c al t h eo r ie s t ha t we h ave l e ar ne d a bo u t in th e c o u rs e, as s es s bo th t he
c ond u ct a nd t h e c harac te r o f t h e le a de rs a t E qu if ax i n th e se c i rc u mst a nc e s. (4)