Data Breach at Equifax
Essay by skowalsky • May 5, 2019 • Coursework • 1,534 Words (7 Pages) • 1,143 Views
- How does Equifax’s business model work? Answer this in the context of the so-called Business Model Canvas shown below. There's a copy in Week 7 as well.
- Was Equifax lax or unlucky to be cyber-breached in this way?
I think Equifax was lax in its cybersecurity practices for many years, and it was only a matter of time before something like this happened. From 2013 to 2017 Equifax received numerous reports from various companies notifying it of vulnerabilities in its security program. The Senate report even went as far as to say that “[Equifax] should have recognized the breach more quickly if they more carefully noted who was accessing their systems, from where and when.” (page 5) The report also notes that the CEO, Richard Smith, told the congressional hearing that “it was the failure of a single employee for not implementing the software patch.” (page 3)
I find it hard to believe that one person’s error caused this huge data loss. Numerous organizations had contacted Equifax alerting it to the Apache Struts vulnerability, yet the blame is placed on one human being. Where were all the system checks that are supposed to be in place? Once the notifications had been received, an internal audit should have been completed to see whether the patch had been applied, and, on discovering that it had not, to apply it. The first notification about the Apache Struts vulnerability came on March 8th; on March 9th Equifax sent an internal alert about the known issue but did not patch the vulnerable system. It was not until March 15th that Equifax ran a vulnerability scan, and that scan failed to identify the system as unpatched, so the damage had already been done. Attackers first accessed Equifax’s systems on March 10th and, from May 13th, began collecting personally identifiable information (PII).
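The audit step the paragraph above says was missing, confirming which deployed Struts builds actually carry the fix, can be done from a file inventory rather than from trust in the alert process. The script below is an added example written for this page, not code from Equifax or from the case material. It walks a directory tree, treats any jar containing classes under org/apache/struts2/ as a Struts 2 core jar, reads the version from the jar's MANIFEST.MF Implementation-Version header (assumed to be present in the Struts build) and falls back to the struts2-core-<version>.jar filename, then flags versions in the affected range of CVE-2017-5638 (S2-045): 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1. The sample deployment tree in demo() is constructed in a temporary directory; the jar paths and the renamed webcore.jar are invented for illustration.

```python
"""Inventory Apache Struts 2 core jars and flag those affected by S2-045."""
import os
import re
import tempfile
import zipfile

# Affected range per the Apache S2-045 advisory (CVE-2017-5638).
FIRST_AFFECTED_2_3 = (2, 3, 5)
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)
FILENAME_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True if this struts2-core version is inside the S2-045 affected range."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return FIRST_AFFECTED_2_3 <= v < FIXED_2_3
    if v[:2] == (2, 5):
        return v < FIXED_2_5
    return False  # other branches are outside the advisory's scope


def _manifest_version(zf: zipfile.ZipFile):
    """Assumption: the Struts build records its version as Implementation-Version."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def struts_version(path: str):
    """Version string for a Struts core jar, 'unknown' if the jar holds Struts
    classes but no readable version, or None if the jar is not Struts at all."""
    try:
        with zipfile.ZipFile(path) as zf:
            if not any(n.startswith("org/apache/struts2/") for n in zf.namelist()):
                return None
            version = _manifest_version(zf)
    except zipfile.BadZipFile:
        return None
    if version is None:  # renamed or stripped jar: fall back to the filename
        m = FILENAME_RE.match(os.path.basename(path))
        version = m.group(1) if m else "unknown"
    return version


def audit(root: str) -> list:
    """Every Struts core jar under root with status VULNERABLE, patched or
    unknown-version (the last needs manual review rather than a clean bill)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = struts_version(path)
            if version is None:
                continue
            if version == "unknown":
                status = "unknown-version"
            else:
                status = "VULNERABLE" if is_vulnerable(version) else "patched"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append({"path": rel, "version": version, "status": status})
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path: str, struts: bool, manifest_version=None) -> None:
    """Constructed sample jar: a manifest plus one fake class entry."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    manifest = "Manifest-Version: 1.0\n"
    if manifest_version:
        manifest += f"Implementation-Version: {manifest_version}\n"
    entry = ("org/apache/struts2/dispatcher/Dispatcher.class" if struts
             else "org/apache/commons/io/IOUtils.class")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(entry, b"\xca\xfe\xba\xbe")


def demo() -> list:
    """Build a constructed deployment tree in a temp directory and audit it."""
    root = tempfile.mkdtemp(prefix="struts-audit-")
    j = lambda p: os.path.join(root, p)
    _write_jar(j("app1/WEB-INF/lib/struts2-core-2.3.31.jar"), True, "2.3.31")
    _write_jar(j("app1/WEB-INF/lib/commons-io-2.4.jar"), False)      # not Struts, skipped
    _write_jar(j("app2/WEB-INF/lib/struts2-core-2.5.10.1.jar"), True, "2.5.10.1")
    _write_jar(j("app3/WEB-INF/lib/struts2-core-2.5.10.jar"), True)  # no manifest version
    _write_jar(j("legacy/lib/webcore.jar"), True)                    # renamed, no version
    return audit(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:16} {f['version']:10} {f['path']}")
```

The unknown-version bucket is the point: a scan that only reports what it can positively match will stay silent about exactly the renamed or repackaged jar an attacker is happiest to find, so the audit has to surface those for a human rather than report them as clean.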
- Where would you assign accountability for the breach – the technology (security) team, senior management, CEO, the Board of directors?
From the reading I would have to say that both the CEO and the senior management team are responsible for the breach. According to a statement from a former Equifax employee, there was “a careless approach to patching systems” and “every time there was a discussion about doing something, we had a tough time to get management to understand what we were even asking.” (page 4) The CEO, Richard Smith, had invested millions of dollars in Equifax’s cybersecurity and had even hired an expert CSO, who built a program intended to remediate system issues immediately.
The question that arises is what that money was actually spent on when it came to the cybersecurity program. We know the program had flaws, given the numerous reports Equifax received about its security. If the reports coming in from the various organizations Equifax paid outlined what needed to be corrected and no action was taken, that falls on the CEO as well as the senior management team. Equifax suffered several security lapses, which to me means that the technology security team was inadequately trained, and that again falls on the CEO for how the money was spent and on the senior managers for not taking the reports seriously and getting the teams better trained. Pointing the finger at ONE individual and saying it was all their fault is a cop-out and total BS.
I would also fault the board of directors. Equifax was the only one of the three major credit reporting companies that had its own Technology committee. According to Exhibit 7 (page 16), the purpose of the committee was to “review the Company's technology investments and infrastructure associated with risk management, including policies relating to information security, disaster recovery, and business continuity.” So my question is: if this committee’s sole purpose was to protect the company's technological infrastructure, and it had policies for disaster recovery, WHY did it take so long for the committee to be made aware? The first intrusion happened on March 10th. On March 15th a scan fails to identify the system as unpatched. Nothing is brought to anyone's attention, there is no double check, no crossing of “T’s” or dotting of “I’s”, just normal procedure. On May 13th the data theft begins. On July 29th and 30th the security team notices an abnormality, and the board is not notified. On August 11th an independent company is hired and finds that hackers have accessed various databases, and STILL the committee does not know what is going on. Finally, on September 1st, the board is notified, after 6½ months. Where was the technology committee during this whole fiasco? The committee failed both the company and the consumers affected by the hacking.
- How would you characterize Equifax’s response in the wake of the breach?
I would characterize Equifax’s response to the breach as a very feeble attempt to get out of as much trouble, and pay as little, as it could. This breach fits the pattern of the other breaches involving Equifax since 2015: a breach in 2016 exposed the information of 431,000 Kroger employees, and in 2017 hackers exposed employee information from companies such as Northrop Grumman and Whole Foods. (page 4) In the wake of the breach Equifax still tried to downplay the severity of the issue. Equifax made no notification to consumers for approximately six weeks, which left consumers with no ability to protect themselves, because any damage had already been done. Equifax did not even know how many consumers had been exposed: on September 4, 2017 Equifax announced that 143 million consumers had been affected, but on October 2, 2017 it reported that an additional 2.5 million consumers had also had their information stolen.
...
...