Lessons learned from the Equifax data breach

Reference no: EM132990408

In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States. As we'll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from their lax security posture to their bumbling response to the breach, and top executives were accused of corruption in the aftermath.

The Equifax data breach was one of the largest in history. The company announced the data breach in September 2017, eventually reporting that 147 million consumers were affected. Hackers were able to access a wide range of private consumer information, including names, Social Security numbers, dates of birth, credit card numbers and even driver's license numbers.

During the investigation into the breach, Equifax admitted the company was informed in March that hackers could exploit a vulnerability in its system, but failed to install the necessary patches.

A top-level picture of how the Equifax data breach happened looks like this:

The company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.

The attackers were able to move from the web portal to other servers because the systems weren't adequately segmented from one another, and they were able to find usernames and passwords stored in plain text that then allowed them to access still further systems.

The attackers pulled data out of the network in encrypted form undetected for months because Equifax had crucially failed to renew an encryption certificate on one of their internal security tools.

Equifax did not publicize the breach until more than a month after they discovered it had happened; stock sales by top executives around this time gave rise to accusations of insider trading.

Equifax's IT department ran a series of scans that were supposed to identify unpatched systems on March 15; there were in fact multiple vulnerable systems, including the aforementioned web portal, but the scans seem not to have worked, and none of the vulnerable systems were flagged or patched.

While it isn't clear why the patching process broke down at this point, it's worth noting what was happening at Equifax that same month, according to Bloomberg Businessweek: unnerved by a series of incidents in which criminals had used Social Security numbers stolen from elsewhere to log into Equifax sites, the credit agency had hired the security consulting firm Mandiant to assess their systems. Mandiant warned Equifax about multiple unpatched and misconfigured systems, and the relationship devolved into acrimony within a few weeks.

What happened to Equifax after the data breach?

As part of the legal settlement agreement, Equifax paid $175 million in civil penalties to states, and a $100 million fine to the Consumer Financial Protection Bureau.

What, ultimately, was the Equifax breach's impact? Well, the upper ranks of Equifax's C-suite rapidly turned over. Legislation sponsored by Elizabeth Warren and others that would've imposed fines on credit-reporting agencies that get hacked went nowhere in the Senate.

That doesn't mean the Equifax breach cost the company nothing, though. Two years after the breach, the company said it had spent $1.4 billion on cleanup costs, including "incremental costs to transform our technology infrastructure and improve application, network, [and] data security." In June 2019, Moody's downgraded the company's financial rating in part because of the massive amounts it would need to spend on Infosec in the years to come. In July 2019 the company reached a record-breaking settlement with the FTC, which wrapped up an ongoing class action lawsuit and will require Equifax to spend at least $1.38 billion to resolve consumer claims.

Instructions

a. What are the top 3 lessons learned from the Equifax data breach?

b. What 3 things should Equifax have done immediately after learning about the hack?

c. If you were in Equifax senior management, what post-mortem activities and processes would you put in place?


All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd