Activity 2B Performance Criteria P.C. 2.5 Implement internal control procedures for cyber security and the safe handling of payments and data Case Scenario: Equifax Data Breach Background: In March 2017, Equifax, a major credit reporting agency in the United States, experienced a significant data breach that exposed personally identifying information of hundreds of millions of individuals. The breach raised concerns not only about the security lapses that allowed it to happen but also about Equifax's response the incident. How the Equifax Breach Happened: 1. Initial Entry: The breach began through a consumer complaint web portal, exploiting a known vulnerability (CVE-2017-5638) in Apache Struts, a framework used by Equifax. The vulnerability should have been patched, but due to internal process failures, it remained unaddressed. 2. Lack of Segmentation: Attackers moved from the web portal to other servers due to inadequate segmentation of systems. They discovered usernames and passwords stored in plain text, providing access to additional systems. 3. Encryption Certificate Failure: Data was exfiltrated in encrypted form for months without detection because Equifax failed to renew an encryption certificate on an internal security tool, allowing attackers to operate undetected. 4. Delayed Public Disclosure: Equifax did not publicize the breach until more than a month after its discovery. Stock sales by top executives during this period raised suspicions of insider trading. Timeline of Events: March 10, 2017: Initial breach through the Struts vulnerability. May 13, 2017: Attackers began moving within Equifax's network, exfiltrating data. ■ July 29, 2019: Expired encryption certificate discovered; Equifax administrators became aware of the breach. ■ September 8, 2017: Equifax publicly disclosed the breach, more than a month after its discovery. Data Compromised: Potentially affected 143 million people. Exposed information included names, addresses, dates of birth, Social Security numbers, and driver's license numbers. Approximately 200,000 records included credit card numbers. Who Was Responsible: The attackers' identity remains a subject of speculation. There are strong indications that Chinese state-sponsored hackers were behind the breach for espionage purposes rather than financial gain. • Evidence points to a connection with other state-backed cyber operations targeting U.S. government officials. Equifax's Response: ⚫ Equifax's immediate response faced criticism for setting up a separate domain for breach information, potentially susceptible to phishing. ⚫ The breach site's security was questioned, and Equifax directed affected individuals to enroll in their ID protection service. ⚫Legislation imposing fines on credit-reporting agencies for breaches did not pass. Impact on Equifax: ⚫Top-level turnover in Equifax's leadership. Equifax spent $1.4 billion on cleanup and security upgrades. ⚫ A record-breaking settlement with the FTC required Equifax to spend at least $1.38 billion to resolve consumer claims. On the basis of above for case snerio prepare research report on Implementing Internal Control Procedures for Cybersecurity and Safe Handling of Payments and Data for Equifax Breach. Instructions: 1. Introduction: • Provide a brief overview of the Equifax Data Breach, highlighting its significance and impact. . Highlight the key areas of concern, including the initial entry, lack of segmentation, encryption certificate failure, delayed disclosure, and the responsible parties. 2. Analysis of Breach Causes: . Explore in detail how the breach occurred, focusing on the identified vulnerabilities and failures. Discuss the implications of the lack of segmentation and the consequences of the encryption certificate failure. 3. Timeline of Events: • Emphasize the importance of timely detection and disclosure in cybersecurity incidents. 4. Scope of Data Compromised:

FINANCIAL ACCOUNTING
10th Edition
ISBN:9781259964947
Author:Libby
Publisher:Libby
Chapter1: Financial Statements And Business Decisions
Section: Chapter Questions
Problem 1Q
icon
Related questions
Question
Could you please read the scenario and the instructions and answer that questions for me please? The instructions from 4-9 will be attached.
Activity 2B
Performance Criteria
P.C. 2.5
Implement internal control procedures for cyber security and the safe handling
of payments and data
Case Scenario:
Equifax Data Breach
Background: In March 2017, Equifax, a major credit reporting agency in the United States,
experienced a significant data breach that exposed personally identifying information of
hundreds of millions of individuals. The breach raised concerns not only about the security
lapses that allowed it to happen but also about Equifax's response the incident.
How the Equifax Breach Happened:
1. Initial Entry: The breach began through a consumer complaint web portal, exploiting a
known vulnerability (CVE-2017-5638) in Apache Struts, a framework used by
Equifax. The vulnerability should have been patched, but due to internal process
failures, it remained unaddressed.
2. Lack of Segmentation: Attackers moved from the web portal to other servers due to
inadequate segmentation of systems. They discovered usernames and passwords
stored in plain text, providing access to additional systems.
3. Encryption Certificate Failure: Data was exfiltrated in encrypted form for months
without detection because Equifax failed to renew an encryption certificate on an
internal security tool, allowing attackers to operate undetected.
4. Delayed Public Disclosure: Equifax did not publicize the breach until more than a
month after its discovery. Stock sales by top executives during this period raised
suspicions of insider trading.
Timeline of Events:
March 10, 2017: Initial breach through the Struts vulnerability.
May 13, 2017: Attackers began moving within Equifax's network, exfiltrating data.
■ July 29, 2019: Expired encryption certificate discovered; Equifax administrators
became aware of the breach.
■ September 8, 2017: Equifax publicly disclosed the breach, more than a month after its
discovery.
Data Compromised:
Potentially affected 143 million people.
Exposed information included names, addresses, dates of birth, Social Security
numbers, and driver's license numbers.
Approximately 200,000 records included credit card numbers.
Who Was Responsible:
The attackers' identity remains a subject of speculation.
There are strong indications that Chinese state-sponsored hackers were behind the
breach for espionage purposes rather than financial gain.
• Evidence points to a connection with other state-backed cyber operations targeting U.S.
government officials.
Equifax's Response:
⚫ Equifax's immediate response faced criticism for setting up a separate domain for
breach information, potentially susceptible to phishing.
⚫ The breach site's security was questioned, and Equifax directed affected individuals to
enroll in their ID protection service.
⚫Legislation imposing fines on credit-reporting agencies for breaches did not pass.
Impact on Equifax:
⚫Top-level turnover in Equifax's leadership.
Equifax spent $1.4 billion on cleanup and security upgrades.
⚫ A record-breaking settlement with the FTC required Equifax to spend at least $1.38
billion to resolve consumer claims.
On the basis of above for case snerio prepare research report
on Implementing Internal Control Procedures for
Cybersecurity and Safe Handling of Payments and Data for
Equifax Breach.
Instructions:
1. Introduction:
• Provide a brief overview of the Equifax Data Breach,
highlighting its significance and impact.
.
Highlight the key areas of concern, including the
initial entry, lack of segmentation, encryption
certificate failure, delayed disclosure, and the
responsible parties.
2. Analysis of Breach Causes:
. Explore in detail how the breach occurred, focusing
on the identified vulnerabilities and failures.
Discuss the implications of the lack of segmentation
and the consequences of the encryption certificate
failure.
3. Timeline of Events:
•
Emphasize the importance of timely detection and
disclosure in cybersecurity incidents.
4. Scope of Data Compromised:
Transcribed Image Text:Activity 2B Performance Criteria P.C. 2.5 Implement internal control procedures for cyber security and the safe handling of payments and data Case Scenario: Equifax Data Breach Background: In March 2017, Equifax, a major credit reporting agency in the United States, experienced a significant data breach that exposed personally identifying information of hundreds of millions of individuals. The breach raised concerns not only about the security lapses that allowed it to happen but also about Equifax's response the incident. How the Equifax Breach Happened: 1. Initial Entry: The breach began through a consumer complaint web portal, exploiting a known vulnerability (CVE-2017-5638) in Apache Struts, a framework used by Equifax. The vulnerability should have been patched, but due to internal process failures, it remained unaddressed. 2. Lack of Segmentation: Attackers moved from the web portal to other servers due to inadequate segmentation of systems. They discovered usernames and passwords stored in plain text, providing access to additional systems. 3. Encryption Certificate Failure: Data was exfiltrated in encrypted form for months without detection because Equifax failed to renew an encryption certificate on an internal security tool, allowing attackers to operate undetected. 4. Delayed Public Disclosure: Equifax did not publicize the breach until more than a month after its discovery. Stock sales by top executives during this period raised suspicions of insider trading. Timeline of Events: March 10, 2017: Initial breach through the Struts vulnerability. May 13, 2017: Attackers began moving within Equifax's network, exfiltrating data. ■ July 29, 2019: Expired encryption certificate discovered; Equifax administrators became aware of the breach. ■ September 8, 2017: Equifax publicly disclosed the breach, more than a month after its discovery. Data Compromised: Potentially affected 143 million people. Exposed information included names, addresses, dates of birth, Social Security numbers, and driver's license numbers. Approximately 200,000 records included credit card numbers. Who Was Responsible: The attackers' identity remains a subject of speculation. There are strong indications that Chinese state-sponsored hackers were behind the breach for espionage purposes rather than financial gain. • Evidence points to a connection with other state-backed cyber operations targeting U.S. government officials. Equifax's Response: ⚫ Equifax's immediate response faced criticism for setting up a separate domain for breach information, potentially susceptible to phishing. ⚫ The breach site's security was questioned, and Equifax directed affected individuals to enroll in their ID protection service. ⚫Legislation imposing fines on credit-reporting agencies for breaches did not pass. Impact on Equifax: ⚫Top-level turnover in Equifax's leadership. Equifax spent $1.4 billion on cleanup and security upgrades. ⚫ A record-breaking settlement with the FTC required Equifax to spend at least $1.38 billion to resolve consumer claims. On the basis of above for case snerio prepare research report on Implementing Internal Control Procedures for Cybersecurity and Safe Handling of Payments and Data for Equifax Breach. Instructions: 1. Introduction: • Provide a brief overview of the Equifax Data Breach, highlighting its significance and impact. . Highlight the key areas of concern, including the initial entry, lack of segmentation, encryption certificate failure, delayed disclosure, and the responsible parties. 2. Analysis of Breach Causes: . Explore in detail how the breach occurred, focusing on the identified vulnerabilities and failures. Discuss the implications of the lack of segmentation and the consequences of the encryption certificate failure. 3. Timeline of Events: • Emphasize the importance of timely detection and disclosure in cybersecurity incidents. 4. Scope of Data Compromised:
Expert Solution
steps

Step by step

Solved in 2 steps

Blurred answer
Similar questions
  • SEE MORE QUESTIONS
Recommended textbooks for you
FINANCIAL ACCOUNTING
FINANCIAL ACCOUNTING
Accounting
ISBN:
9781259964947
Author:
Libby
Publisher:
MCG
Accounting
Accounting
Accounting
ISBN:
9781337272094
Author:
WARREN, Carl S., Reeve, James M., Duchac, Jonathan E.
Publisher:
Cengage Learning,
Accounting Information Systems
Accounting Information Systems
Accounting
ISBN:
9781337619202
Author:
Hall, James A.
Publisher:
Cengage Learning,
Horngren's Cost Accounting: A Managerial Emphasis…
Horngren's Cost Accounting: A Managerial Emphasis…
Accounting
ISBN:
9780134475585
Author:
Srikant M. Datar, Madhav V. Rajan
Publisher:
PEARSON
Intermediate Accounting
Intermediate Accounting
Accounting
ISBN:
9781259722660
Author:
J. David Spiceland, Mark W. Nelson, Wayne M Thomas
Publisher:
McGraw-Hill Education
Financial and Managerial Accounting
Financial and Managerial Accounting
Accounting
ISBN:
9781259726705
Author:
John J Wild, Ken W. Shaw, Barbara Chiappetta Fundamental Accounting Principles
Publisher:
McGraw-Hill Education