Economics
Student’s Name
Institutional Affiliation
Date
Economics
Key Factors for the Weak Security Situation at Equifax
A culture of cybersecurity complacency caused the company’s hack at Equifax, which was exacerbated by a lack of insight into its intricate legacy IT environments. One of the most significant data breaches in US history exposed the private information of 145 million people, including those in the US, Canada, and the UK. Names, birthdates, social security numbers, and addresses of individuals were among the information disclosed. Additionally, exposed were gender-specific information, contact information (phone and email), credit card numbers, and license numbers.
The IT systems of the organization had numerous flaws. Equifax exposed its systems for 145 days because it neglected to address a significant Apache Struts vulnerability. The organization also failed to renew 324 security certificates, including 79 that were required to keep an eye on domains crucial to its operations. The business was aware that its patching procedure needed improvements to be effective. The company did not, however, take the necessary steps or set up a system to guarantee compliance and accountability. The business abandoned its Automated Consumer Interview System by failing to upgrade its visibility appliance, a device used to monitor network traffic.
The organization could no longer see the data being exfiltrated from the environment since the visibility appliance certificate had been out of date for 19 months. When the breach started, the visibility certificate on the device watching the automated consumer interview system would have been active if Equifax had created a certificate management mechanism with clear roles and responsibilities. The organization would have been able to mitigate and avoid the data breach if they had spotted the strange traffic coming from the interview system much sooner.
Vulnerabilities Exploited at the Equifax Data Breach Incident
Because the business failed to take precautions, the attackers could enter the interview environment and conduct 9,000 queries thanks to the Struts vulnerability. Of those, 265 delivered datasets with personally identifiable data. The business updated the certificate and became aware of the erroneous web traffic six days after the incident. The organization was working on a complicated legacy IT system constructed in the 1970s, making it challenging to scan efficiently, patch, and alter. Due to the company’s lack of knowledge of its legacy system, its patch management policy required staff to be aware of the source and version of all software used by specific programs so they could manually update each. Due to a weak data security infrastructure, Equifax exposed itself to risk. The business ought to have taken greater responsibility for implementing best practices for consumer information data security protection.
Measures Taken by Equifax to Recover from Data Breach
The organization investigated the data breach’s circumstances, attempted to locate and contact anyone whose personal information had been compromised, and took steps to recover from the incident. Identification, detection, segmenting access to databases, and data governance was among the problems that needed to be fixed. These flaws gave attackers access to the company’s network and the ability to retrieve data from databases containing personally identifiable information. Since the hack, the corporation has filed documents confirming its improved security and notified those impacted.
Three significant federal agencies that use Equifax’s identity verification services, the Internal Revenue Service, the Social Security Administration, and the US Postal Service, assessed the company’s security measures. The evaluation uncovered several minor technical issues Equifax was instructed to resolve. The agencies made contractual changes with Equifax (Gressin, 2017). Modifying the notification requirement for upcoming data breaches was one of the adjustments. One of the contracts with Equifax was terminated by the Internal Revenue Service.
To address the breach, the Department of Homeland Security gave help. Equifax denied the help since it had previously hired a cybersecurity consultant from outside to provide professional services. The Federal Trade Commission and the Bureau of Consumer Financial Protection also started an inquiry into the incident, both of which have regulatory and enforcement power over consumer reporting services like Equifax. Equifax improved system monitoring, increased communication between the security team and the C-suite, and changed the corporate culture by educating staff about the significance of cyber security.
Evaluation of Post-Attack Measures, Company’s Response, and Measures Proposed by the US government
The organization acted by looking into what caused the breach, trying to find and contact everybody whose personal information had been compromised, and taking steps to recover from the issue. The company’s countermeasures successfully prevented a similar intrusion in the future (Gressin, 2017). The corporation introduced the notion of assurance so that it could consistently and continuously check the effectiveness of each control’s coverage. The monitoring systems were improved to achieve this. The business can view any firewall setting through these monitoring tools and take proactive measures to combat it. Since cultural difficulties were the most challenging obstacle for Equifax to overcome, the corporation also altered its culture. The US government wanted Equifax to create a fund (called a “Consumer fund”) with a cap of $425 million. The fund’s purpose was to offer reparation to consumers who the incident had negatively impacted.
Reference
Gressin, S. (2017). The Equifax data breach: What to do. Federal Trade Commission, 8.