Question
Help me with recommendations please
www.globalethics.org - Institute for Global Ethics
www.salglobal.com - SAI Global
www.business-ethics.org - International Business Ethics Institute
www.corporatecompliance.org - Society of Corporate Compliance and Ethics
www.transparency.org - Transparency International

Discussion Case: Equifax's Data Breach

The credit reporting company Equifax was at the center of a massive data breach affecting over 145 million customers. In 2017, hackers took advantage of a vulnerability in Equifax's website software and stole the personal information, including names, addresses, and Social Security numbers, of as many as 145 million Americans. A separate but related incident at Equifax involved 15 million British citizens who had their records violated from 2011 to 2016. The failure of Equifax's internal reporting and control measures led to a widespread violation of people's rights to the privacy of their personal information and became a huge public relations crisis for the company.

Equifax's top lawyer, John Kelley, was investigated by the board of directors for his possible involvement in a cover-up of the hack and his mishandling of the situation. Kelley was responsible for approving the sales of company stock by executives after the breach was discovered, but before it had been revealed to the public. Upon the disclosure of the breach, company stock price fell 14 percent. Investors sold approximately $4.5 billion (25 percent) of the company's market value after the hack was made public.

More than 10 million Americans had their driver's license data exposed during the hack. Many people who had provided their driver's license information to the company were simply verifying their information in order to receive credit reports and ratings from Equifax. Some had entered their information on the company's web page in an effort to settle credit report disputes. The credit report dispute web page had been particularly vulnerable to security breaches. Equifax CEO Richard Smith admitted during congressional
hearings that he and other executives had been aware of the security weaknesses, but that a single employee at the firm had not properly heeded security warnings and did not ensure the implementation of software fixes. Smith added that there was a failure in their software systems designed to scan for the absence of "patches" necessary to protect private information.

Other internal control mechanisms at Equifax appeared to have been either ignored or dysfunctional. Frederick Lemieux, director of Georgetown University's graduate program in Applied Intelligence, blamed the breach on what he called "passive complicity" in the firm's culture. (Complicity means being involved in wrongdoing; passive complicity implies that executives were guilty of wrongdoing by not actively preventing it.) That top executives seemed to worry more about their own stock portfolios than the security of their customers' personal information was troubling to many ethics experts. Observers also criticized the company for its delay in going public about the breach. Finally, it appeared that knowledge of the potential for hacking was isolated to only one employee. A more robust system where multiple individuals were responsible for preventing a problem might have avoided the hack.

Unlike banks, credit reporting agencies are relatively lightly regulated, and they typically rely on internal systems to maintain security. Lemieux stated, "there is no incentive to comply with the best industry practices and no incentives to spend [funds on these programs] because you're not accountable for it." He noted that credit reporting agencies did not face the same financial or legal consequences that banks or other businesses, like Target or Home Depot, encountered when hacked. Pamela Pressman, president of the Center for Responsible Enterprise and Trade, said that the breach should remind Equifax and other firms to train their employees and raise awareness about proper "cyber hygiene... ensuring that your employees, your contractors, your vendors - those people that have access to your network and your data - understand their role in protecting the network and protecting the data."

The cyberattack on Equifax was potentially more dangerous than other hacks in recent history because credit-reporting agencies played a significant role in determining who received financing and, ultimately, how much credit they received. The data collected by these agencies was needed for applying for credit cards, loans, and background checks. The attack was conducted in one major maneuver, which facilitated the hackers' ability to use the data for their own purposes.

This breach could lead to problems for small financial institutions, like community banks and credit unions, which typically relied on information collected by the credit-reporting firms to determine their loan decisions. Larger financial institutions were more likely to collect additional information from applicants, which made them less vulnerable.

Days after the company discovered the breach, CFO John Gamble and two other top Equifax executives reportedly sold a combined $1.8 million worth of shares of the company, but all three denied knowing of the hack when they made the transactions, despite evidence to the contrary. CEO Smith stepped down from his post following these events. Smith had been in charge since 2005. The Federal Bureau of Investigation investigated Equifax's handling of the situation as well as the actions of the top executives. When testifying before Congress, Smith downplayed the severity of the situation and the factors that facilitated the breach. He repeatedly blamed an IT worker who did not implement software remedies after Equifax executives had been warned of possible holes in Equifax's website security by the U.S. Department of Homeland Security.

Equifax hired FireEye's Mandiant group to investigate the breach. The Mandiant report determined that approximately 2.5 million additional U.S. consumers were potentially