Organizations\nstrive to be proactive, but only a handful attain this quality. Present-day\nbusinesses are faced with a multitude of opposing forces their external\nenvironment. Survival and success in such conditions depend on a company\u2019s\nability to make effective and swift adjustments to minimize the threats and\nmaximize opportunities. Unfortunately, the tight competition that firms face\nredirecting the management\u2019s focus on the profit margins, thus treating all the\nother crucial aspects of the business as non-priorities. This concept is\nwell-demonstrated by considering the case of Equifax, a US credit reporting\ngiant that went from greatness to losses within two years. When Smith took over\nthe CEO position at Equifax back in 2005, he made considerable changes to match\nthe data-intensive operation that the company had undertaken. Smith invested\nmillions into cybersecurity and even went ahead to employ a cybersecurity\nexpert, Tony Spinelli who served as Equifax\u2019s Chief Security Officer (CSO).\nSpinelli and his team worked to modernize the company\u2019s cyber defenses,\ncreating a 24-hour crisis management team and, rehearsing possible breaches.\nHowever, Spinelli and other top cybersecurity employees left Equifax in 2013.\nBased on this information, it can be argued that Equifax was determined to\navoid attacks but since these operations were costly and the threats did not\noccur for some time the management redirected their attention to other aspects\nthat appeared urgent. This paper provides a case study of Equifax data breach\nby analyzing vulnerabilities that the hackers exploited and recovery measured\npursued by Equifax<\/p>\n\n\n\n
Analysis<\/strong><\/p>\n\n\n\n The\nthreat of cyber-attack was imminent, but Equifax management chooses to ignore\nit, resulting in the theft considerable amount of personal data. Over one year\ndown the line the company is yet to recover as it is facing 240 lawsuits and is\nstill under investigation by the CFPB, FTC, SEC as well as British and Canadian\nregulators. Additionally, Equifax market share has plunged by over 30 percent,\nand the company reported a profit fall of over 27 percent in the third quarter\nof 2018 (Portman & Carper, 2018).\nThis case study identifies the factors that created the weak security situation\nin Equifax. Additionally, the vulnerabilities that the hackers exploited will\nbe discussed, followed by an assessment of the effectiveness that Equifax had\nput in place before the breach. Lastly, the paper analyzes the appropriateness\nof the measures that Equifax has undertaken to recover from the incident. <\/p>\n\n\n\n Factors\nthat Created the Weak Security Situation in Equifax<\/strong><\/p>\n\n\n\n Even\nthough several organizational issues might have contributed to the data breach\nincident at Equifax, the most outstanding aspect is poor management in relation\nto securing the confidential data that the company was handling. At the\nbeginning of Smith\u2019s tenure as Equifax\u2019s CEO, he invested millions in\ncybersecurity allowing the organization to employ cybersecurity experts who\nworked to modernize the company\u2019s cybersecurity, creating a 24-hour\ncrisis-management squads and, rehearsing possible breaches. However, a good\nproportion of top cybersecurity experts left the company in 2013 and left what\nemployees called the \u2018B team\u2019 (GAO , 2018).\nBy 2014, Equifax was spending only 1 percent of its operation expenses on\ncybersecurity. Several \u2018minor\u2019 incidents highlighted the flaws in Equifax\u2019s\nsecurity system but the management was reluctant to act. Several outside\nsources including Deloitte carried audits on the organization\u2019s cybersecurity\nsystem and revealed the existence of flaws that could be exploited by hackers.\nHowever, the management dismissed the findings as evidenced by one former\nemployee\u2019s statement \u2018ever y time there were discussions about the company\u2019s\ncybersecurity situation, we (cybersecurity workers) had a hard time to get the\nmanagement to understand what we were requesting\u2019. From the statement, it is\napparent that as time went by cybersecurity was no longer considered a priority\nas the company was blinded by other goals from noting the loopholes that\nexisted in its system. <\/p>\n\n\n\n Additionally,\nEquifax did not have a data breach plan in place. Research carried out by the\nESG team in 2017 was critical about the company\u2019s level of cybersecurity\npreparedness giving the organization a zero rating for data security and\nprivacy. The study focused on factors like the potential regulatory and\nreputational risks that will result from a breach of mishandling confidential\ninformation. It was apparent that Equifax did not have any plans in place to\ndeal with such an occurrence. As mentioned before, Equifax expenditure on\ncybersecurity only took 1 percent of the overall operation cost in 2014 which\nwas not sufficient to carry out thorough security checks and regular training\nfor employees in the matter of cybersecurity. Lastly, Equifax did not have an\neffective communication system in place to ensure that the vital information on\ncybersecurity reaches all employees at the right time. The outcome was a blame\ngame as top management faulted one employee for failing to patch up the system\nas required. <\/p>\n\n\n\n Vulnerabilities\nExploited by Hackers<\/strong><\/p>\n\n\n\n The\nvulnerability that hackers exploited was the security flaw in the Apache Struts\nsoftware. Research conducted by a Chinese cybersecurity expert revealed that\nthe identified vulnerability was dangerous as it allows hackers to take\nadvantage of the software through two publicly available exploits with ease.\nAfter executing the exploit, the hacker(s) could install any malware on the\ncomputer and mask their IP address to avoid possible tracing (Contemporary Issues in Business: A Case Approach ,\n2018). Other than identifying that hackers could exploit the Apache\nStruts, the researcher noted that an organization\u2019s vulnerability was easy to\nidentify as a perpetrator could scan the servers running Apache and point out\nthose that were not patched. Even though Equifax was warned about the\nvulnerability, the management did not undertake the appropriate measure.\nTherefore, on March 10th,<\/sup> 2017, a group of hackers exploited\nEquifax\u2019s Apache Struts vulnerabilities, and within several months they had\nestablished about 30 entry points into the company\u2019s computer system allowing\nthem to collect personal data from May 13th<\/sup> until July 29 when the\ncompany first noticed. <\/p>\n\n\n\n Assessment\nof Effectiveness of the Organization\u2019s Security Control<\/strong><\/p>\n\n\n\n As\nmentioned before, Equifax did not have sufficient security measures in place to\nprotect the confidential data that it was handling. Several independent\nauditing firms, including Deloitte and Cyence, identified the existence of\nmultiple flaws in Equifax\u2019s cybersecurity system. However, the firm failed to\naddress these issues. In 2016, an audit carried out by Deloitte revealed a\ncareless approach to the employed patching system. One employee dealing in\ncybersecurity noted that whenever issues of the company\u2019s cybersecurity came\nup, workers had a hard time explaining to the management the essence of the requests\nthat they were making. Another audit carried out by Cyence in April 2017 on\nEquifax\u2019s level of preparedness upon a cyber-breach rated as second last US\nfinancial companies. The same findings were confirmed by Fair Isaac Corp (FICO)\nand BitSight by pointed out that Equifax\u2019s cybersecurity was poor.<\/p>\n\n\n\n Evaluation\nof the post-attack Measures undertaken by Equifax Equifax\nincident can serve as a learning opportunity for many companies dealing with\nvital consumer data. The first lesson is the essence of proactivity, which\nentails identifying a problem early enough and devising an effective strategy\nof dealing with it. Equifax ignored warnings from multiple sources about the\ndefects in its cybersecurity system, and the outcome was catastrophic.\nMoreover, some of the measures installed after the breach were questionable as\nthey risked, exposing more and more customer data. Hence it is critical for\norganizations to cross-examine any approach before deciding to employ it. <\/p>\n","protected":false},"excerpt":{"rendered":" Organizations strive to be proactive, but only a handful attain this quality. Present-day businesses are faced with a multitude of opposing forces their external environment. Survival and success in such conditions depend on a company\u2019s ability to make effective and swift adjustments to minimize the threats and maximize opportunities. Unfortunately, the tight competition that firms […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1114","post","type-post","status-publish","format-standard","hentry","category-research-paper-writing"],"_links":{"self":[{"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/posts\/1114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/comments?post=1114"}],"version-history":[{"count":1,"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/posts\/1114\/revisions"}],"predecessor-version":[{"id":1115,"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/posts\/1114\/revisions\/1115"}],"wp:attachment":[{"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/media?parent=1114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/categories?post=1114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/papersspot.com\/blog\/wp-json\/wp\/v2\/tags?post=1114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n<\/strong>Other than plunging stock values and losses, Equifax\nlost customer trust that it had strived to build over the years. For this\nreason, post-attack measures were directed towards restoring the lost trust by\nassuring customers that measures had been undertaken to protect their data. For\ninstance, Equifax introduced a system that ensured that all three credit\nbureaus were monitoring credit files. Other measures that were undertaken by\nEquifax after the break was the introduction of the Equifax credit locks and\ncredit reports as well as the identification of theft insurance. However, some\nof the responses were flawed. For instance, the post-response Equifax\u2019s\nseparate registration domain was risky and could mislead people in typing into\nthe website. A web \u2013developer designed a new domain that had the same features\nas equifaxsecurity2017com and directed people to the fake account. A good\nproportion of customers felt for the prank highlighting the flaws of the\ndomain. Even though undertaking extra measures to protect customers\u2019 data is\nessential, these steps should have been undertaken before the breach.<\/p>\n\n\n\n