Case Study: Data Breach at Equifax

Organizations strive to be proactive, but only a handful attain this quality. Present-day businesses face a multitude of opposing forces in their external environment. Survival and success in such conditions depend on a company’s ability to make effective and swift adjustments that minimize threats and maximize opportunities. Unfortunately, the tight competition that firms face redirects management’s focus to profit margins, so that all the other crucial aspects of the business are treated as non-priorities. This concept is well demonstrated by the case of Equifax, a US credit reporting giant that went from greatness to losses within two years. When Smith took over the CEO position at Equifax back in 2005, he made considerable changes to match the data-intensive operation that the company had undertaken. Smith invested millions in cybersecurity and even went ahead to employ a cybersecurity expert, Tony Spinelli, who served as Equifax’s Chief Security Officer (CSO). Spinelli and his team worked to modernize the company’s cyber defenses, creating a 24-hour crisis management team and rehearsing possible breaches. However, Spinelli and other top cybersecurity employees left Equifax in 2013. Based on this information, it can be argued that Equifax was determined to avoid attacks, but since these operations were costly and the threats did not materialize for some time, the management redirected its attention to other aspects that appeared more urgent. This paper provides a case study of the Equifax data breach by analyzing the vulnerabilities that the hackers exploited and the recovery measures pursued by Equifax.

Analysis

The threat of a cyber-attack was imminent, but Equifax’s management chose to ignore it, resulting in the theft of a considerable amount of personal data. Over one year down the line, the company is yet to recover, as it is facing 240 lawsuits and is still under investigation by the CFPB, FTC, and SEC as well as British and Canadian regulators. Additionally, Equifax’s market share has plunged by over 30 percent, and the company reported a profit fall of over 27 percent in the third quarter of 2018 (Portman & Carper, 2018). This case study identifies the factors that created the weak security situation at Equifax. Additionally, the vulnerabilities that the hackers exploited will be discussed, followed by an assessment of the effectiveness of the security controls that Equifax had put in place before the breach. Lastly, the paper analyzes the appropriateness of the measures that Equifax has undertaken to recover from the incident.

Factors that Created the Weak Security Situation in Equifax

Even though several organizational issues might have contributed to the data breach incident at Equifax, the most outstanding aspect is poor management in relation to securing the confidential data that the company was handling. At the beginning of Smith’s tenure as Equifax’s CEO, he invested millions in cybersecurity, allowing the organization to employ cybersecurity experts who worked to modernize the company’s cybersecurity, creating 24-hour crisis-management squads and rehearsing possible breaches. However, a good proportion of the top cybersecurity experts left the company in 2013, leaving behind what employees called the ‘B team’ (GAO, 2018). By 2014, Equifax was spending only 1 percent of its operation expenses on cybersecurity. Several ‘minor’ incidents highlighted the flaws in Equifax’s security system, but the management was reluctant to act. Several outside sources, including Deloitte, carried out audits of the organization’s cybersecurity system and revealed the existence of flaws that could be exploited by hackers. However, the management dismissed the findings, as evidenced by one former employee’s statement: ‘every time there were discussions about the company’s cybersecurity situation, we (cybersecurity workers) had a hard time to get the management to understand what we were requesting’. From the statement, it is apparent that as time went by, cybersecurity was no longer considered a priority, and the company’s other goals blinded it to the loopholes that existed in its system.

Additionally, Equifax did not have a data breach plan in place. Research carried out by the ESG team in 2017 was critical of the company’s level of cybersecurity preparedness, giving the organization a zero rating for data security and privacy. The study focused on factors like the potential regulatory and reputational risks that would result from a breach or mishandling of confidential information. It was apparent that Equifax did not have any plans in place to deal with such an occurrence. As mentioned before, Equifax’s expenditure on cybersecurity made up only 1 percent of the overall operation cost in 2014, which was not sufficient to carry out thorough security checks and regular cybersecurity training for employees. Lastly, Equifax did not have an effective communication system in place to ensure that vital information on cybersecurity reached all employees at the right time. The outcome was a blame game, as top management faulted one employee for failing to patch the system as required.

Vulnerabilities Exploited by Hackers

The vulnerability that hackers exploited was a security flaw in the Apache Struts software. Research conducted by a Chinese cybersecurity expert revealed that the identified vulnerability was dangerous, as it allowed hackers to take advantage of the software with ease through two publicly available exploits. After executing the exploit, the hacker(s) could install any malware on the computer and mask their IP address to avoid possible tracing (Contemporary Issues in Business: A Case Approach, 2018). Other than identifying that hackers could exploit Apache Struts, the researcher noted that an organization’s vulnerability was easy to identify, as a perpetrator could scan the servers running Apache and point out those that were not patched. Even though Equifax was warned about the vulnerability, the management did not undertake the appropriate measures. Therefore, on March 10th, 2017, a group of hackers exploited Equifax’s Apache Struts vulnerabilities, and within several months they had established about 30 entry points into the company’s computer system, allowing them to collect personal data from May 13th until July 29, when the company first noticed.

Assessment of Effectiveness of the Organization’s Security Control

As mentioned before, Equifax did not have sufficient security measures in place to protect the confidential data that it was handling. Several independent auditing firms, including Deloitte and Cyence, identified the existence of multiple flaws in Equifax’s cybersecurity system. However, the firm failed to address these issues. In 2016, an audit carried out by Deloitte revealed a careless approach to patching. One employee dealing in cybersecurity noted that whenever issues of the company’s cybersecurity came up, workers had a hard time explaining to the management the essence of the requests that they were making. Another audit, carried out by Cyence in April 2017, assessed Equifax’s level of preparedness for a cyber-breach and rated it second to last among US financial companies. The same findings were confirmed by Fair Isaac Corp (FICO) and BitSight, which pointed out that Equifax’s cybersecurity was poor.

Evaluation of the Post-Attack Measures Undertaken by Equifax

Other than plunging stock values and losses, Equifax lost the customer trust that it had strived to build over the years. For this reason, post-attack measures were directed towards restoring the lost trust by assuring customers that measures had been undertaken to protect their data. For instance, Equifax introduced a system that ensured that all three credit bureaus were monitoring credit files. Other measures undertaken by Equifax after the breach were the introduction of Equifax credit locks and credit reports as well as identity theft insurance. However, some of the responses were flawed. For instance, the separate registration domain that Equifax set up after the breach was risky, as people could be misled when typing in the website address. A web developer designed a new domain that had the same features as equifaxsecurity2017.com and directed people to the fake account. A good proportion of customers fell for the prank, highlighting the flaws of the domain. Even though undertaking extra measures to protect customers’ data is essential, these steps should have been undertaken before the breach.

The Equifax incident can serve as a learning opportunity for many companies dealing with vital consumer data. The first lesson is the essence of proactivity, which entails identifying a problem early enough and devising an effective strategy for dealing with it. Equifax ignored warnings from multiple sources about the defects in its cybersecurity system, and the outcome was catastrophic. Moreover, some of the measures installed after the breach were questionable, as they risked exposing more and more customer data. Hence, it is critical for organizations to cross-examine any approach before deciding to employ it.