Is the Equifax Hack the Worst Ever—and Why?
Equifax (along with TransUnion and Experian) is one of the three main U.S. credit
bureaus, which maintain vast repositories of personal and financial data used by
lenders to determine credit-worthiness when consumers apply for a credit card,
mortgage, or other loans. The company handles data on more than 820 million
consumers and more than 91 million businesses worldwide and manages a database
with employee information from more than 7,100 employers, according to its website.
These data are provided by banks and other companies directly to Equifax and the
other credit bureaus. Consumers have little choice over how credit bureaus collect and
store their personal and financial data.
Equifax has more data on you than just about anyone else. If any company needs
airtight security for its information systems, it should be credit reporting bureaus such as
Equifax. Unfortunately this has not been the case.
On September 7, 2017 Equifax reported that from mid-May through July 2017 hackers
had gained access to some of its systems and potentially the personal information of
about 143 million U.S. consumers, including Social Security numbers and driver’s
license numbers. Credit card numbers for 209,000 consumers and personal information
used in disputes for 182,000 people were also compromised. Equifax reported the
breach to law enforcement and also hired a cybersecurity firm to investigate. The size of
the breach, importance, and quantity of personal information compromised by this
breach are considered unprecedented.
Immediately after Equifax discovered the breach, three top executives, including Chief
Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to
Securities and Exchange Commission filings. A company spokesman claimed the three
executives had no knowledge that an intrusion had occurred at the time they sold their
shares on August 1 and August 2. Bloomberg reported that the share sales were not
planned in advance. On October 4, 2017 Equifax CEO Richard Smith testified before
Congress and apologized for the breach.
The size of the Equifax data breach was second only to the Yahoo breach of 2013,
which affected data of all of Yahoo’s 3 billion customers. The Equifax breach was
especially damaging because of the amount of sensitive personal and financial data
stored by Equifax that was stolen, and the role such data play in securing consumers’
bank accounts, medical histories, and access to financing. In one swoop the hackers
gained access to several essential pieces of personal information that could help
attackers commit fraud. According to Avivah Litan, a fraud analyst at Gartner Inc., on a
scale of risk to consumers of 1 to 10, this is a 10.
After taking Equifax public in 2005, CEO Smith transformed the company from a slow-growing credit-reporting company (1–2 percent organic growth per year) into a global
data powerhouse. Equifax bought companies with databases housing information about
consumers’ employment histories, savings, and salaries, and expanded internationally.
The company bought and sold pieces of data that enabled lenders, landlords, and
insurance companies to make decisions about granting credit, hiring job seekers, and
renting an apartment. Equifax was transformed into a lucrative business housing $12
trillion of consumer wealth data. In 2016, the company generated $3.1 billion in
Competitors privately observed that Equifax did not upgrade its technological
capabilities to keep pace with its aggressive growth. Equifax appeared to be more
focused on growing data it could commercialize.
Hackers gained access to Equifax systems containing customer names, Social Security
numbers, birth dates, and addresses. These four pieces of data are generally required
for individuals to apply for various types of consumer credit, including credit cards and
personal loans. Criminals who have access to such data could use it to obtain approval
for credit using other people’s names. Credit specialist and former Equifax manager
John Ulzheimer calls this a “nightmare scenario” because all four critical pieces of
information for identity theft are in one place.
The hack involved a known vulnerability in Apache Struts, a type of open-source
software Equifax and other companies use to build websites. This software vulnerability
had been publicly identified in March 2017, and a patch to fix it was released at that
time. That means Equifax had the information to eliminate this vulnerability two months
before the breach occurred. It did nothing.
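The two-month gap between the Struts patch and the breach is the point of the paragraph above. The script below is an added example, not part of the case or of Equifax's tooling: it compares a constructed inventory of deployed component versions against a constructed advisory list and reports how many days each unpatched component has been exposed. The advisory id, the fixed version and the exact publication day are placeholders, since the case gives only the month.

```python
import re
from datetime import date

# Constructed advisory record: placeholder id and fixed-in version, publication day
# assumed within the March 2017 window the case mentions (not real advisory data).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "struts2-core",
     "fixed_in": "2.3.99", "published": date(2017, 3, 7)},
]

# Constructed deployment inventory: (host, component, installed version).
INVENTORY = [
    ("web-01", "struts2-core", "2.3.20"),   # older than the placeholder fix
    ("web-02", "struts2-core", "2.3.99"),   # already at the fixed version
    ("api-01", "other-lib", "1.0"),         # no advisory applies
]

def parse_version(v):
    """Turn '2.3.32' or '2.5.10.1' into an int tuple; non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def version_lt(a, b):
    """Numeric comparison with zero padding, so '2.5' compares equal to '2.5.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))

def exposure_report(inventory, advisories, as_of, sla_days=30):
    """List every deployed component still below an advisory's fixed version.

    days_unpatched counts from the advisory's publication to as_of; overdue flags
    components whose exposure exceeds the patch SLA (an assumed 30-day policy).
    """
    report = []
    for host, component, installed in inventory:
        for adv in advisories:
            if adv["component"] != component:
                continue
            if version_lt(installed, adv["fixed_in"]):
                days = (as_of - adv["published"]).days
                report.append({"host": host, "component": component,
                               "installed": installed, "advisory": adv["id"],
                               "fixed_in": adv["fixed_in"],
                               "days_unpatched": days, "overdue": days > sla_days})
    return report

if __name__ == "__main__":
    # Mid-May 2017, roughly when the case says the intrusion began.
    for row in exposure_report(INVENTORY, ADVISORIES, date(2017, 5, 13)):
        print(row)
```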
Weaknesses in Equifax security systems were evident well before the big hack. A
hacker was able to access credit-report data between April 2013 and January 2014.
The company discovered that it mistakenly exposed consumer data as a result of a
“technical error” that occurred during a 2015 software change. Breaches in 2016 and
2017 compromised information on consumers’ W-2 forms that were stored by Equifax
units. Additionally, Equifax disclosed in February 2017 that a “technical issue”
compromised credit information of some consumers who used identity-theft protection
services from LifeLock.
Analyses earlier in 2017 performed by four companies that rank the security status of
companies based on publicly available information showed that Equifax was behind on
basic maintenance of websites that could have been involved in transmitting sensitive
consumer information. Cyberrisk analysis firm Cyence rated the danger of a data
breach at Equifax during the next 12 months at 50 percent. It also found the company
performed poorly when compared with other financial-services companies. The other
analyses gave Equifax a higher overall ranking, but the company fared poorly in overall
web-services security, application security, and software patching.
A security analysis by Fair Isaac Corporation (FICO), a data analytics company focusing
on credit scoring services, found that by July 14 public-facing websites run by Equifax
had expired certificates, errors in the chain of certificates, or other web-security issues.
Certificates are used to validate that a user’s connection with a website is legitimate and
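The expired certificates and broken certificate chains that FICO observed are the kind of finding a routine external audit surfaces. The script below is an added example, not code from the case or from Equifax: it audits a certificate in the dictionary form Python's ssl module returns, flagging expiry, imminent expiry and hostname mismatches, and a live helper that treats a chain or trust failure as a finding. The host name and dates in SAMPLE_CERT are constructed.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the host name and validity dates are invented for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bureau.test"),),),
    "subjectAltName": (("DNS", "www.example-bureau.test"),
                       ("DNS", "example-bureau.test")),
    "notBefore": "Jan 10 00:00:00 2017 GMT",
    "notAfter": "Jul 14 12:00:00 2017 GMT",
}

def hostname_matches(cert, hostname):
    """Match the host against DNS SANs; a wildcard covers exactly one label."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def audit_cert(cert, hostname, now, warn_days=30):
    """Return findings for one peer certificate dict; an empty list means clean."""
    findings = []
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired %d days ago" % (now - not_after).days)
    elif now + timedelta(days=warn_days) > not_after:
        findings.append("expires in %d days" % (not_after - now).days)
    if not hostname_matches(cert, hostname):
        findings.append("hostname mismatch")
    return findings

def audit_host(hostname, port=443, timeout=5.0):
    """Live check: chain and trust errors surface as ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return audit_cert(tls.getpeercert(), hostname, datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as e:
        return ["chain/trust error: %s" % e.verify_message]
    except (OSError, ssl.SSLError) as e:
        return ["connection error: %s" % e]
```

Run audit_host over a list of public-facing hosts on a schedule and alert on any non-empty result; an expired leaf and a broken chain both show up without the operator having to interpret browser warnings.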
The findings of the outside security analyses appear to conflict with public declarations
by Equifax executives that cybersecurity was a top priority. Senior executives had
previously said cybersecurity was one of the fastest-growing areas of expense for the
company. Equifax executives touted Equifax’s focus on security in an investor
presentation that took place weeks after the company had discovered the attack.
Equifax has not revealed specifics about the attack, but either its databases were not
encrypted or hackers were able to exploit an application vulnerability that provided
access to data in an unencrypted state. Experts think—and hope—that the hackers
were unable to access all of Equifax’s encrypted databases to match up information
such as driver license or Social Security numbers needed to create a complete data
profile for identity theft.
Equifax management stated that although the hack potentially accessed data on
approximately 143 million U.S. consumers, it had found no evidence of unauthorized
activity in the company’s core credit reporting databases. The hack triggered an uproar
among consumers, financial organizations, privacy advocates, and the press. Equifax
lost one-third of its stock market value. Equifax CEO Smith resigned, with the CSO
(chief security officer) and CIO departing the company as well. Banks will have to
replace approximately 209,000 credit cards that were stolen in the breach, a major
expense. Lawsuits are in the works.
Unfortunately the worst impact will be on consumers themselves, because the theft of
uniquely identifying personal information such as Social Security numbers, address
history, debt history, and birth dates could have a permanent effect. These pieces of
critical personal data could be floating around the Dark Web for exploitation and identity
theft for many years. Such information would help hackers answer the series of security
questions that are often required to access financial accounts. According to Pamela
Dixon, executive director of the World Privacy Forum, “This is about as bad as it gets.” If
you have a credit report, there’s at least a 50 percent chance that your data
were stolen in this breach.
The data breach exposed Equifax to legal and financial challenges, although the
regulatory environment is likely to become more lenient under the current presidential
administration. It already is too lenient. Credit reporting bureaus such as Equifax are
very lightly regulated. Given the scale of the data compromised, the punishment for
breaches is close to nonexistent. There is no federally sanctioned insurance or audit
system for data storage, the way the Federal Deposit Insurance Corporation provides
insurance for banks after losses. For many types of data, there are few licensing
requirements for housing personally identifiable information. In many cases, terms-of-service documents indemnify companies against legal consequences for breaches.
Experts said it was highly unlikely that any regulatory body would shut Equifax down
over this breach. The company is considered too critical to the American financial
system. The two regulators that do have jurisdiction over Equifax, the Federal
Trade Commission and the Consumer Financial Protection Bureau, declined to
comment on any potential punishments over the credit agency’s breach.
Even after one of the most serious data breaches in history, no one is really in a
position to stop Equifax from continuing to do business as usual. And the scope of the
problem is much wider. Public policy has no good way to heavily punish companies that
fail to safeguard our data. The United States and other countries have allowed the
emergence of huge phenomenally detailed databases full of personal information
available to financial companies, technology companies, medical organizations,
advertisers, insurers, retailers, and the government.
Equifax has offered very weak remedies for consumers. People can go to the Equifax
website to see if their information has been compromised. The site asks customers to
provide their last name and the last six digits of their Social Security number. However,
even if they do that, they do not necessarily learn whether they were affected. Instead,
the site provides an enrollment date for its protection service. Equifax offered a free
year of credit protection service to consumers enrolling before November 2017.
Obviously, all of these measures won’t help much because stolen personal data will be
available to hackers on the Dark Web for years to come. Governments involved in state-sponsored cyberwarfare are able to use the data to populate databases of detailed
personal and medical information that can be used for blackmail or future attacks.
Ironically, the credit-protection service that Equifax is offering requires subscribers to
waive their legal rights to seek compensation from Equifax for their losses in order to
use the service, while Equifax goes unpunished. On March 1, 2018, Equifax announced
that the breach had compromised an additional 2.4 million Americans’ names and
driver’s license numbers.
Harmful data breaches keep happening. In almost all cases, even when the data
concerns tens or hundreds of millions of people, companies such as Equifax and Yahoo
that were hacked continue to operate. There will be hacks—and afterward, there will be
more. Companies need to be even more diligent about incorporating security into every
aspect of their IT infrastructure and systems development activities. According to Litan,
to prevent data breaches such as Equifax’s, organizations need many layers of security
controls. They need to assume that prevention methods are going to fail.
Sources: Selena Larson, “Equifax Says Hackers Stole More than Previously Reported,” CNN, March 1, 2018; AnnaMaria Andriotis
and Michael Rapoport, “Equifax Upends CEO’s Drive to Be a Data Powerhouse,” Wall Street Journal, September 22, 2017;
AnnaMaria Andriotis and Robert McMillan, “Equifax Security Showed Signs of Trouble Months Before Hack,” Wall Street Journal,
September 26, 2017; AnnaMaria Andriotis and Ezequiel Minaya, “Equifax Reports Data Breach Possibly Affecting 143 Million
Consumers,” Wall Street Journal, September 7, 2017; Tara Siegel Bernard and Stacy Cowley, “Equifax Hack Exposes Regulatory
Gaps, Leaving Customers Vulnerable,” New York Times, September 8, 2017; Farhad Manjoo, “Seriously, Equifax? This Is a Breach
No One Should Get Away With,” New York Times, September 8, 2017; Eileen Chang, “Why Equifax Breach of 143 Million
Consumers Should Freak You Out,” thestreet.com, September 8, 2017; Tara Siegel Bernard, Tiffany Hsu, Nicole Perlroth, and Ron
Lieber, “Equifax Says Cyberattack May Have Affected 143 Million Customers,” New York Times, September 7, 2017; and Nicole
Perlroth and Cade Metz, “What We Know and Don’t Know About the Equifax Hack,” New York Times, September 14, 2017.
Case Study Questions
1. 8-13 Identify and describe the security and control weaknesses discussed in this case.
2. 8-14 What management, organization, and technology factors contributed to these problems?
3. 8-15 Discuss the impact of the Equifax hack.
4. 8-16 How can future data breaches like this one be prevented? Explain