What actions should Equifax have taken to prevent and handle the breaches? Provide specific examples in your answer. What actions did Equifax take after the breaches to help prevent future breaches?

The Problem
Equifax (www.equifax.com) is a consumer credit-reporting and credit-monitoring agency (also known as a credit bureau) that collects and aggregates data on more than 820 million individual consumers and 91 million businesses worldwide. The agency reports an annual revenue of $3.1 billion and employs more than 9,000 workers in 14 countries.
Lenders rely on the data collected by credit bureaus to help them decide whether to approve financing for homes or cars and whether to issue credit cards. In addition, many employers use credit bureaus to perform credit checks on prospective employees.
Credit-reporting businesses are designed primarily to serve banks and credit card companies, not the consumers they monitor. However, consumers do benefit from the credit bureaus because maintaining a good credit profile makes it easier to obtain a loan or a credit card.
It is very important to note that lenders do not face the same risks as consumers. To a lender, the unpaid bill on a fraudulent credit card is just one bad loan in a huge portfolio of loans, essentially the cost of doing business. In contrast, a consumer has only one identity and one reputation.
In March 2017, Equifax experienced a major security breach. Security experts noted that in early March, the company notified a small number of banking customers that it had suffered a breach and was bringing in a security firm (Mandiant; www.fireeye.com) to investigate. According to security analysts, that investigation did not uncover evidence that the hackers had actually accessed any customer data. Most data breach disclosure laws do not activate until there is evidence that sensitive and personally identifying information, such as Social Security numbers and birth dates, has been stolen.
An Equifax spokesperson asserted that the company had complied fully with all consumer notification requirements related to the incident.
A second, much larger breach occurred in mid-May 2017. To access Equifax's systems, the attackers exploited a vulnerability in the Apache Struts Web application software. The theft obtained the names, Social Security numbers, birth dates, addresses, and, in some cases, driver's license numbers of almost 146 million individuals. This data can be enough for criminals to steal the identities of people whose credentials were stolen.
Apache had disclosed the vulnerability in its software to its customers, including Equifax, in March 2017. It had also provided clear instructions about how to repair it. Apache claims that its customers were then responsible for implementing procedures to promptly follow these instructions. Simply put, Equifax had the time and the instructions it needed to update and patch its software. The Apache Software Foundation publicly stated that, although it was sorry if attackers had exploited a bug in its software to breach Equifax, it always recommends that users regularly patch and update their software.
Equifax claimed that it discovered the incident on July 29, 2017, at which time it "acted immediately to stop the intrusion and conducted a forensic review." However, it did not disclose the breach until September 7, six weeks later. Meanwhile, the company again hired Mandiant on August 2.
In a statement, Equifax denied that the second breach was related to the March breach. However, security analysts have noted that the breaches involved the same intruders.
Adding to Equifax's problems, on August 1 and 2, regulatory filings revealed that three senior executives had sold their shares in the company worth almost $1.8 million. None of the filings listed the transactions as being part of scheduled 10b5-1 trading plans. These plans allow major insider (employee) stockholders of publicly traded corporations to sell a predetermined number of shares at a predetermined time.
One of the executives had also sold shares on May 23. A regulatory filing for that sale also did not indicate that the sale was part of a scheduled trading plan. If it was shown that those executives sold company stock with the knowledge that either or both breaches could damage the company, then they would be vulnerable to charges of insider trading. The U.S. Justice Department (www.justice.gov) opened a criminal investigation into the stock sales. Equifax maintained that the executives had no knowledge of either breach when they made the transactions.
An Attempt at a Solution
Equifax hired security firm Mandiant for both breaches, and the Apache vulnerability was patched after the second breach. Equifax announced the retirement of the company's chief information officer (CIO) and chief security officer on September 15, 2017. Next, CEO Richard Smith resigned on September 26. He apologized for the breach and testified at a House Energy and Commerce Committee hearing in the U.S. Congress on October 3.
Following the second breach, Equifax created a website, www.equifaxsecurity2017.com, where people could enter their last names along with the last six digits of their Social Security numbers to see if they were affected by the hack. Unfortunately, someone copied that website and hosted that copy at a very similar URL, www.securityequifax2017.com. The two websites, one real and one fake, looked the same to casual observers.
Fortunately for Equifax, the creator of the fake website, Nick Sweeting, set it up to demonstrate that Equifax should have developed its website under its corporate domain (www.equifax.com). Sweeting claimed that his fake website had approximately 200,000 page downloads. If Sweeting's website had really been a phishing website, then even more damage could have been done.
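The lookalike-domain problem above comes down to how a link is checked. The following added example (not from the case or from Equifax) contrasts the substring test a casual observer effectively applies with a label-boundary check that accepts only hosts under the corporate domain; under that check both www.equifaxsecurity2017.com and www.securityequifax2017.com are rejected, which is exactly Sweeting's point. The `evil.example` host and the requirement for `https` are assumptions added here.

```python
from urllib.parse import urlsplit

# Corporate domain the breach-response site should have lived under (from the case).
CORPORATE_DOMAIN = "equifax.com"


def naive_looks_corporate(url: str) -> bool:
    """The check a casual observer (or a sloppy link filter) applies:
    does the brand name appear anywhere in the URL?  Lookalikes pass."""
    return "equifax" in url.lower()


def is_under_corporate_domain(url: str, domain: str = CORPORATE_DOMAIN) -> bool:
    """Accept only https URLs whose host is `domain` itself or a subdomain of it.
    The match is on a label boundary, so 'equifax.com.evil.example' and
    'securityequifax2017.com' both fail, as does userinfo trickery like
    'https://www.equifax.com@other.example/' (hostname is what follows the '@')."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() != "https":  # assumption: a site collecting SSN digits must be TLS
        return False
    host = parts.hostname  # already lowercased; userinfo and port removed
    if not host:
        return False
    host = host.rstrip(".")  # tolerate a fully-qualified trailing dot
    return host == domain or host.endswith("." + domain)


# Constructed sample: the real and fake sites from the case plus a few edge cases.
SAMPLE_URLS = [
    "https://www.equifax.com/",
    "https://security.equifax.com/check",
    "https://www.equifaxsecurity2017.com/",      # the real response site, off-domain
    "https://www.securityequifax2017.com/",      # Sweeting's lookalike
    "https://www.equifax.com@www.securityequifax2017.com/",
    "https://www.equifax.com.evil.example/",     # constructed lookalike
    "http://www.equifax.com/",                   # right host, no TLS
]


def classify(urls=SAMPLE_URLS):
    """Map each URL to (naive verdict, correct verdict) so the gap is visible."""
    return {u: (naive_looks_corporate(u), is_under_corporate_domain(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in classify().items():
        print(f"{'naive OK ' if naive else 'naive NO '} {'strict OK' if strict else 'strict NO'}  {url}")
```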
The Results
In March 2018, a federal grand jury indicted former Equifax CIO Jun Ying for insider trading. The U.S. Department of Justice's (DOJ; www.doj.gov) indictment alleged that Ying conducted Web searches inquiring about how Experian's 2015 data breach influenced its stock price. The indictment further alleged that Ying subsequently exercised all his available stock options and then sold the stock, receiving proceeds of over $950,000 and a gain of more than $480,000. In March 2019, Ying pleaded guilty to insider trading.
As noted above, three other Equifax executives sold large amounts of Equifax stock before news of the breach became public. A special committee formed by Equifax's board of directors cleared the executives of any wrongdoing, and none of them were mentioned in the Department of Justice's complaint against Ying.
In the years after the breach, Equifax invested $200 million in data security infrastructure. To oversee the recovery process, the company hired a new Chief Information Security Officer (CISO) in February 2018. He noted that, prior to a data breach, company Chief Information Security Officers (CISOs) always had to fight for budget, trying to justify and convince people about the importance of security and risk management. After a breach, the job of the Equifax CISO became far easier because everyone knew that security is critically important.
Equifax is focusing its efforts in the following areas:
Improving its processes for patching, vulnerability management, and digital certificate management
Strengthening access control protections and identity management across the company
Improving data protection across the firm's entire infrastructure
Developing better detection and response programs to manage problems more effectively if and when they occur
Improving data governance and reporting so that the company can offer proof of compliance and general progress in its security efforts
Working on a major cultural shift to incorporate both preventive measures and response training across every department
Expanding its consumer outreach and education programs
General Thoughts
Any data breach harms a company's reputation. This problem is particularly critical for Equifax because its entire business model involves providing a complete financial profile of consumers that lenders and other businesses can trust. Not only has Equifax's credibility been severely damaged, but the breach also undermines the integrity of the data collected by the other two major credit bureaus: Experian (www.experian.com) and TransUnion (www.transunion.com).
The effects of the Equifax breach make it clear that Social Security numbers are rapidly becoming an unreliable method to verify a person's identity. Once a person's Social Security number has been compromised, it is a difficult problem to fix because so many systems and applications rely on that number.
The solution to the Social Security number problem may lie in utilizing additional layers of security. For example, we might start to see security questions and one-time security codes sent via e-mail or text message to our smartphones. The problem with added security is that it is more difficult to conduct transactions over the Web, specifically electronic commerce.
Consider the security freeze, which is the most effective way for customers who are anxious about the Equifax hack to protect themselves. If you contact a credit-reporting company and request a freeze, which you can do at each of the three companies' websites, then you are instructing the company not to provide any information when a lender contacts them in the process of opening an account. Thus, if someone tries to use your name and Social Security number to obtain a new credit card, then the application will probably be rejected. This action prevents fake credit cards from being issued in your name. It also prevents the resulting unpaid bills from ending up on your credit report and damaging your credit. When you need a loan, you can contact the credit agency and lift the freeze.
What a freeze costs is subject to state law. It is usually free to victims of identity theft. Otherwise, people who are simply being cautious might pay from $3 to $10 to set the freeze and a similar fee when they lift it. On September 12, 2017, Equifax temporarily waived freeze fees.
The freeze fees accentuate the overall consumer unfriendliness of the process. Consumers must pay a separate fee to each of the credit-reporting agencies. They then receive a PIN that they must use (again, one for each company) when they want to lift the freeze. To put a freeze in place online, consumers must verify their identity by entering their Social Security numbers, which is problematic if they are putting the freeze in place and have just discovered that these numbers have been stolen.
Once a freeze is in place, consumers must remember where they put their PINs before they apply for a loan, a credit card, a job, or an apartment. People who set freezes at Equifax immediately after the breach found that their new PIN codes were made up of the date and time they put the freeze on, as opposed to random, unguessable numbers.
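The timestamp PIN is a concrete example of low entropy. The following added example (not from the case or from Equifax) reconstructs the flaw under an assumed layout (MMDDYYHHMM; the page gives no format), shows the correct CSPRNG-based generator, compares the two in bits of entropy, and adds an audit check a security team could run over issued PINs to detect timestamp-derived values.

```python
import math
import secrets
from datetime import datetime

PIN_DIGITS = 10  # assumption: a 10-digit freeze PIN
TIMESTAMP_LAYOUT = "%m%d%y%H%M"  # assumption: month, day, 2-digit year, hour, minute


def timestamp_pin(when: datetime) -> str:
    """The flaw described in the case, reconstructed: the PIN is just the digits
    of the moment the freeze was set.  Anyone who knows roughly when the
    freeze was placed has only a small set of candidates to consider."""
    return when.strftime(TIMESTAMP_LAYOUT)


def random_pin(digits: int = PIN_DIGITS) -> str:
    """Correct alternative: a zero-padded PIN drawn uniformly from a CSPRNG.
    secrets.randbelow is unbiased over [0, 10**digits), unlike random.randint
    seeded from the clock or a modulo over a narrow range."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def timestamp_pin_entropy_bits(window_minutes: int) -> float:
    """If the freeze time is known to within `window_minutes` (e.g. the day a
    consumer mentioned setting the freeze), the PIN has that many candidates
    at minute resolution, so its entropy is log2 of the window."""
    return math.log2(window_minutes)


def random_pin_entropy_bits(digits: int = PIN_DIGITS) -> float:
    """A uniform d-digit PIN carries d * log2(10) bits."""
    return digits * math.log2(10)


def looks_timestamp_derived(pin: str) -> bool:
    """Audit check: does an issued PIN parse as a valid calendar timestamp in
    the assumed layout?  Every flawed PIN will; only about half a percent of
    uniformly random 10-digit strings do, so a generator whose output parses
    consistently is almost certainly leaking the clock."""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, TIMESTAMP_LAYOUT)
    except ValueError:
        return False
    return True


def audit_pins(pins):
    """Fraction of a batch of issued PINs that parse as timestamps."""
    hits = sum(looks_timestamp_derived(p) for p in pins)
    return hits / len(pins) if pins else 0.0


if __name__ == "__main__":
    # Constructed freeze time: the day the real breach was disclosed, 12:11.
    flawed = timestamp_pin(datetime(2017, 9, 8, 12, 11))
    print("timestamp-derived PIN:", flawed, "parses as timestamp:", looks_timestamp_derived(flawed))
    print("random PIN:", random_pin())
    print(f"entropy if freeze day is known: {timestamp_pin_entropy_bits(24 * 60):.1f} bits")
    print(f"entropy of a uniform 10-digit PIN: {random_pin_entropy_bits():.1f} bits")
    print("audit of 200 random PINs, fraction timestamp-like:", audit_pins([random_pin() for _ in range(200)]))
```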
By law, consumers can request one free copy of their credit reports per year from each of the three credit bureaus by accessing www.annualcreditreport.com. Consumer advocates would like to see everyone who was impacted by the Equifax breach request a credit freeze. In effect, freezes would become the default setting for all credit files, with everyone's credit data essentially off limits unless the consumer says otherwise. As it stands, however, the problems associated with freezes may make that solution less than appealing. However, if freezes became the norm, then credit bureaus would likely devise better ways to protect their data. For example, a smartphone app might allow you to toggle on and off access to all three of your credit files.
And the cost of the breaches for Equifax? For 2017, costs associated with the breaches totaled $164 million, with $50 million offset by insurance. Company officials projected an additional $275 million in costs for 2018, with $75 million offset by insurance.
And the bottom line for Equifax? The credit bureau's shares declined 31 percent in value from September 7 to 13, 2017. However, by July 2019, Equifax shares traded at $131 per share, down 8 percent from $141 per share just prior to the breach. Equifax reported 2018 total revenue of $3.4 billion and net income of $300 million. Interestingly, net income decreased by almost 50 percent from 2017.
And the bottom line for consumers? Regardless of security breaches at credit bureaus, consumers are not able to opt out of the bureaus.