Case Studies
The Equifax Data Breach
Equifax, along with Experian and
TransUnion, is one of the “Big Three” credit
reporting agencies in the United States. All
three companies offer credit monitoring
services as their core business. There are
many regulations and restrictions governing
the collection and use of credit data, but
these companies have enjoyed stable sales
and profits for many years. Equifax is based
in Atlanta and its long history traces back to
It employs over 10,400 employees
worldwide and maintains data on 820 million
consumers.
All three agencies exchange data with banks
and other financial companies that extend
credit. They develop “credit scores” for how
well a consumer has handled his or her
credit and debt obligations. This score and
the accompanying credit report detailing a
person’s credit history are then sold to
banks, credit unions, retail credit card
issuers, auto lenders, mortgage lenders, and
others who rely on this information when
they make loans, issue credit cards, or offer
consumers mortgages and home equity
loans. It is also used by banks to check this
information before issuing bank credit cards
such as Visa or MasterCard. Equifax,
Experian, and TransUnion have most likely
compiled credit histories for nearly every
adult U.S. citizen.
In early September 2017, Equifax
announced that hackers had gained illicit
access to the personal information of 143
million people. The data included social
security numbers, birth dates, phone
numbers, email addresses, driving license
numbers, and, in some cases, credit card
numbers. The total number expanded to 148
million by March 2018. The pilfering of social
security numbers was particularly worrisome
since that number in the wrong hands
creates opportunities for identity theft and
other types of fraud.
The Equifax data breach is one of the three
worst data breaches in U.S. history along
with Yahoo and Marriott. The Marriott data
hack of 2018 affected 500 million users. In
September 2016, Yahoo revealed a serious
data security breach that had occurred 2
years earlier when 500,000 million records
were compromised. Several months later, in
December, 2016, Yahoo informed its users
of another newly discovered data breach.
That breach occurred in 2013 and affected
more than 1 billion Yahoo users. However,
despite the magnitude of the Yahoo and
Marriott breaches, the Equifax data breach is
considered more damaging because social
security numbers and birth dates were
involved. As one security expert observed,
“This data is the key to everyone’s files and
interactions with financial services,
government, and health care.”
After the announcement was made, the
credit reporting agency was heavily criticized
for waiting until September 7 to reveal this
data breach to the public. The breach
actually took place in March 2017 and went
undetected for almost 3 months. It was
discovered in late July, but the company
decided to withhold this information from the
public until it was able to verify the scope of
the breach. Thus, Equifax’s public
announcement did not happen until 6 weeks
after the company had learned about the
incident and 4 months after the hackers had
penetrated the Equifax network.
Cause of the Data Breach
Not long before the data hack
announcement, the CEO of Equifax, Rick
Smith, reaffirmed his company’s commitment
to cybersecurity. In answer to a question at a
mid-August breakfast meeting Smith said
that protecting consumer data was a “huge
priority” for the company. However,
according to several cyber risk analysis
companies, weaknesses and flaws were
obvious in the Equifax network well before
this dangerous data breach had occurred.
The company had long been considered an
attractive target for identity thieves because
of its defective cybersecurity practices.
But exactly what went wrong at Equifax?
The breach was enabled by a security flaw
in a program called Apache Struts, a widely
used web application development software
product. Through that software bug, hackers
gained access to the software underlying the
Equifax online dispute portal and from there
accessed the internal company databases.
Hackers were able to send data to a server
that was equipped to take advantage of the
software flaw. It was “the digital equivalent of
popping open a side window to sneak into a
building.”
Apache issued a patch for the problem as
soon as it was discovered. The U.S. Security
Readiness Team, which is part of the
Department of Homeland Security, sent out
a public alert on March 8, 2017 about the
software flaw. On March 9, Equifax’s Global
Threats and Vulnerability Management
(GTVM) team released an internal notice
declaring the urgent need to install the patch
for any Apache Struts applications. The
GTVM alerted its programmers and
developers that the patch should be installed
as soon as possible and no later than 48
hours from receipt of its March 9 memo.
However, Equifax did not patch the Apache
Struts software flaw until August, 4 months
later and well after the fatal intrusion
occurred. There were two problems. First,
Equifax’s chief developer for the online
dispute portal, which used the hacked
Apache application, was not on the GTVM
memo distribution list. Second, in response
to the alert about the Apache Struts problem,
Equifax scanned its network to identify the
vulnerable versions of this program. But the
scanning tool did not perform a thorough
search at every level of the network and did
not identify the vulnerable version of the
Apache Struts application that was used for
the online dispute portal. Part of the problem
was the company’s failure to maintain a
comprehensive and up-to-date information
technology (IT) inventory. Without that
inventory, the scanning tools could not be
properly directed to find all the instances of
the Apache Struts vulnerability.
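The sequence this paragraph describes (alert, locate every instance, patch within the deadline, confirm) is the part of the response a defender can automate, and the inventory gap is what breaks it. The following is an added Python example, not Equifax's tooling and not anything from the Apache project. It builds a constructed tree of Struts core JARs in a temporary directory, identifies builds by filename alone (a real scan would also read JAR manifests and the running process list), and uses a placeholder fixed version rather than the one in any real advisory. It shows why a depth-limited scan from the filesystem root misses a nested instance, how an asset inventory steers the same scanner to each application's own root, and how to verify after patching that nothing vulnerable is left:

```python
"""Inventory-directed check for out-of-date Apache Struts instances.

Added example with a constructed filesystem fixture; the fixed version and
every path below are assumptions for the demo, not values from any advisory.
"""
import os
import re
import tempfile
from pathlib import Path

# Matches e.g. struts2-core-2.3.1.jar and captures the version string.
STRUTS_JAR = re.compile(r"^struts2?-core-(\d+(?:\.\d+)+)\.jar$")

# Placeholder: substitute the first fixed release named in the vendor
# advisory you are acting on. This value is constructed for the demo.
FIXED_VERSION_ASSUMED = "2.3.99"


def parse_version(text):
    """'2.3.10' -> (2, 3, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, fixed_version):
    """A build needs patching when it is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed_version)


def find_struts_jars(root, max_depth=None):
    """Return sorted [(path, version)] for Struts core JARs under root.

    max_depth caps how many directory levels below root are examined;
    None walks the whole tree.
    """
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        if max_depth is not None and depth >= max_depth:
            dirnames[:] = []  # stop descending past the configured depth
        for name in filenames:
            m = STRUTS_JAR.match(name)
            if m:
                found.append((Path(dirpath) / name, m.group(1)))
    return sorted(found)


def scan(roots, fixed_version, max_depth=None):
    """Scan each root and return only the findings that still need the patch."""
    vulnerable = []
    for root in roots:
        for path, version in find_struts_jars(root, max_depth):
            if is_vulnerable(version, fixed_version):
                vulnerable.append((path, version))
    return vulnerable


def build_sample_tree(base):
    """Constructed fixture: three Struts instances, one buried four levels deep."""
    base = Path(base)
    layout = [
        "web/lib/struts2-core-2.3.99.jar",                          # already fixed
        "legacy/lib/struts2-core-2.3.1.jar",                        # vulnerable, shallow
        "apps/dispute-portal/WEB-INF/lib/struts2-core-2.3.5.jar",   # vulnerable, deep
    ]
    for rel in layout:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")  # contents are irrelevant to a filename-based check
    # The inventory is what directs the scanner: each application and its root.
    inventory = {
        "public-web": base / "web",
        "legacy-app": base / "legacy",
        "dispute-portal": base / "apps" / "dispute-portal",
    }
    return base, inventory


def apply_patch(path, fixed_version):
    """Simulate an upgrade by replacing the JAR with the fixed release."""
    new_path = path.with_name(f"struts2-core-{fixed_version}.jar")
    path.rename(new_path)
    return new_path


def demo():
    """Run the checks and return counts so a caller can assert on them."""
    with tempfile.TemporaryDirectory() as tmp:
        base, inventory = build_sample_tree(tmp)
        # 1. A depth-limited scan from the root misses the nested portal.
        shallow = scan([base], FIXED_VERSION_ASSUMED, max_depth=2)
        # 2. A full walk from the root finds both vulnerable builds.
        full = scan([base], FIXED_VERSION_ASSUMED)
        # 3. The same depth limit succeeds when the inventory supplies the roots.
        directed = scan(inventory.values(), FIXED_VERSION_ASSUMED, max_depth=2)
        # 4. Patch every finding, then re-scan to confirm the patch landed.
        for path, _ in full:
            apply_patch(path, FIXED_VERSION_ASSUMED)
        remaining = scan([base], FIXED_VERSION_ASSUMED)
        return {"shallow": len(shallow), "full": len(full),
                "directed": len(directed), "after_patch": len(remaining)}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the four counts. The point of the `directed` scan is the one the paragraph makes: the scanner was not wrong, it was pointed at the wrong places, and a current inventory of applications and their install roots is what fixes that. The final re-scan is the "confirm the patch was actually installed" step that the later audit discussion faults the company for skipping.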
In contrast to Equifax, both of its rivals,
TransUnion and Experian, received the
same alert from Homeland Security and the
same patch from Apache Struts. Both
companies patched vulnerable versions of
the software within days of receiving the
patch and neither suffered a data breach
because of this security flaw.
The 2015 Security Audit
Critics of Equifax have said that its IT and
security capabilities have not kept pace with
its lofty ambitions. CEO Smith had
transformed Equifax from a credit reporting
agency into a data giant by purchasing other
companies with databases that tracked
information about consumers’ employment
history, salaries, and so forth. Equifax was
becoming a “global data-analytics company.”
But Smith and his executive team
concentrated more on data collection and
processing and not so much on securing that
data.
As a result, Equifax lagged behind basic
security maintenance, despite the fact that
the data of credit firms tends to attract many
opportunistic hackers. Security ratings
companies sounded the alarm but no one at
Equifax seemed to be listening. In April
2017, the cyber risk analysis firm, Cyence,
rated the likelihood of a dangerous data
breach at Equifax during the next 12 months
at 50%. Also, according to Cyence, in their
peer group of 23 companies the credit
reporting agency was second to last.
Security Scorecard ranked Equifax “in the
middle of the pack” among financial services
companies. The reason for the low score
was the use of older software and tardiness
in installing patches. And Fair Isaac Corp
gave Equifax a 550 FICO score on a scale
that ranges from 300 to 850. The score
takes into account hardware, network
security, and web services.
Equifax appeared to be blindsided by the
breach and allegations of its weak security
infrastructure that followed its announcement
to many dismayed consumers who found out
that their personal information may have
been stolen. But the company had ample
warning that its security system was
vulnerable and in need of improvement.
In 2015, an internal security audit was
conducted to review the state of
cybersecurity and the company’s current
policies. The audit exposed salient
cybersecurity flaws and deficiencies in the
Equifax network. The report concluded
“current patch and configuration
management controls are not adequately
designed to ensure Equifax systems are
securely configured and patched in a timely
manner.” The audit called attention to
Equifax’s failure to confirm the successful
implementation of patches. According to the
audit, “most Equifax systems are not
patched in a timely manner.” The audit report
also underscored a large number of
vulnerabilities in the company’s IT systems.
The report cited 1,000 vulnerabilities on
externally facing systems and 7,500 on
internal systems spread across 22,000 host
servers. Despite these findings, there were
no follow-up audits subsequent to the
disappointing 2015 report.
Epilogue
After the breach and the consumer backlash
it generated, there were predictions that
regulators would impose strict new rules on
the credit-reporting industry. But no new
regulations have been implemented in the
United States. There are still no federal laws
mandating notification of data breaches
within a certain time frame. Equifax had to
endure only minimal adverse consequences,
but it has budgeted an additional $200
million for IT security. The Consumer
Financial Protection Bureau, the agency
responsible for the protection and security of
consumer data, initiated no punitive actions
against Equifax. The Federal Trade
Commission also refrained from taking any
enforcement action against this credit-reporting company.
Questions
- Discuss the moral issues in this case and whether or not Equifax's actions constitute a moral failing.
- Should companies like Equifax be compelled to announce data breaches to the public within a certain time frame (e.g., 72 hours after discovery)? What would be the downside of legalizing such a requirement?
- In your opinion, why was security so lax at Equifax and how can this laxity be remedied?