Data Breach Essay: Equifax


As a global content agency, we present an example of a data breach essay written by our expert writers. Read the paragraphs below to deepen your knowledge and analyze the sample, titled “Equifax Data Breach.”

Equifax Data Breach

Introduction

This paper analyzes the Equifax data breach by providing an overview, the factors that contributed to the breach and the external responses to the situation. It also presents recommendations to prevent this kind of cybersecurity failure in the future. It covers topics such as the Apache software, credit monitoring and the government response to the data breach. It is evident throughout the article that data breaches can be prevented with the right mindset and appropriate measures.

Overview

Perhaps the most severe cyber threat of 2017 was the Equifax data breach. The attack was far-reaching and affected millions of individuals and numerous corporations and agencies. It also prompted an audit by the U.S. Government Accountability Office and a study from Congress on how this issue could be handled (Oregon Department of Justice, 2019). This research explores the facts and circumstances surrounding this dangerous cyber attack and objectively analyzes the factors relating to the event to find out how to minimize potential exposures.

Equifax is a leading consumer credit reporting agency. Equifax published a statement on September 8, 2017, indicating that it had suffered a cyber-attack resulting in a massive data breach. The world was stunned to discover that some 148 million sensitive personal records, including addresses, dates of birth, social security numbers and driver's license numbers, were exposed in this data breach. About 209,000 credit card numbers were stolen in addition to personal details. The severity and scale of the Equifax data breach were unprecedented (Oregon Department of Justice, 2019). Although there had been significant breaches previously, the sensitivity and criticality of the personally identifiable information in this breach created a problem whose scope could, at that time, barely be measured.

One of the issues exacerbating the Equifax data breach was that the main product of Equifax is essentially a database containing much of the personal and financial information of the United States' population. The data collected by Equifax contains the personal credit history of each person, including personal identification information, known addresses and account numbers (Oregon Department of Justice, 2019). Furthermore, the system is not an opt-in system, since data are collected from companies instead of from the persons listed in the database. When a person borrows money, the creditors report payment histories, balances and other relevant information. A new lender examines this information to evaluate the borrower's credit risk when making a loan decision.

Factors Behind the Breach

In its first statement, Equifax reported that attackers had breached its networks from May to July 2017. A vulnerability in Apache Struts, CVE-2017-5638, was used to let the attackers enter Equifax systems and cause the data breach. The vulnerability lies in faulty exception handling when users upload files through the software's Jakarta Multipart parser. It allows remote attackers to execute arbitrary commands through crafted Content-Disposition, Content-Type or Content-Length HTTP headers, for example a Content-Type header containing a #cmd= string. Apache Struts is a popular framework for lightweight Java applications (Equifax, 2019). Many companies use this tool, which makes it an attractive target for cybercriminals, because a flaw in it can expose many other victims as well.
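The following Python example, added here and not part of the original essay or of any Apache or Equifax code, shows how a request filter or log review can flag the three headers named above when their values do not have the shape a legitimate client sends. The function names, the marker list and the sample requests are assumptions constructed for illustration.

```python
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_|~-]+"          # HTTP token characters
PARAM = rf'\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"\\\r\n]*")'
# Strict shapes for the three request headers named in the CVE description above.
SHAPES = {
    "content-type": re.compile(rf"{TOKEN}/{TOKEN}(?:{PARAM})*"),
    "content-disposition": re.compile(rf"{TOKEN}(?:{PARAM})*"),
    "content-length": re.compile(r"\d{1,18}"),
}
# Expression markers that never belong in these headers; "#cmd=" is the
# string the essay cites, the other two are assumed expression delimiters.
MARKERS = ("%{", "${", "#cmd=")


def inspect_request(headers):
    """Return (header, reason) findings for one request's header dict."""
    findings = []
    for name, value in headers.items():
        key = name.lower()
        if key not in SHAPES:
            continue                      # only the three watched headers
        if any(marker in value for marker in MARKERS):
            findings.append((key, "expression marker"))
        elif not SHAPES[key].fullmatch(value.strip()):
            findings.append((key, "malformed value"))
    return findings


def flagged(requests):
    """Indexes of the requests that have at least one finding."""
    return [i for i, req in enumerate(requests) if inspect_request(req)]


# Constructed sample requests (not captured traffic); payloads are placeholders.
SAMPLE_REQUESTS = [
    {"Content-Type": "multipart/form-data; boundary=----abc123", "Content-Length": "2048"},
    {"Content-Type": "%{#cmd=PLACEHOLDER}", "Content-Length": "0"},
    {"Content-Type": "application/json", "Content-Length": "12; drop"},
    {"Content-Disposition": 'form-data; name="file"; filename="${PLACEHOLDER}"'},
    {"Content-Type": "text/plain; charset=utf-8", "User-Agent": "%{ignored}"},
]

if __name__ == "__main__":
    for i in flagged(SAMPLE_REQUESTS):
        print(i, inspect_request(SAMPLE_REQUESTS[i]))
```

Filtering of this kind is a stopgap at the network edge; the remedy the essay goes on to describe is installing the patch.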

The Apache Software Foundation discovered and corrected the security vulnerability and announced publicly that the problem had been solved. The patch was issued on March 7, 2017. Equifax and other credit reporting agencies were contacted by the Department of Homeland Security on March 8, 2017, to advise them of the risk of the vulnerability and to direct them to install the patch (Equifax, 2019). On March 9, 2017, the Apache Software Foundation contacted Equifax system administrators and directed them to install the patch.

Equifax completed a system scan on March 15, 2017, eight days after the patch was released, seven days after notification by the Department of Homeland Security and six days after notification by the vendor. The scanner report showed no weakness related to the Apache Struts issue. The systems thus remained unpatched and unprotected until July 29, 2017. At that time, the Equifax security team observed unusual activity on the network. Equifax took the affected application offline and within three days retained an international information security service to conduct a technical audit. The initial review showed that many files had been breached (Equifax, 2019). This eventually led to the finding that the breach exposed the sensitive records of approximately 145 million Americans, 8,000 Canadians and 693,000 UK citizens.

External Responses


The site was flagged as a phishing threat, on top of the damage from the incident itself. Equifax Customer Service sent potential victims, via its Twitter feed, to one of the illegal phishing sites. As customers flocked to freeze their credit reports, identifiers were issued to them based on the date the accounts were frozen. Sadly, this made the identifiers easy for cyber attackers to guess and attack, opening the door to another potentially devastating attack (Oregon Department of Justice, 2019). Equifax was also criticized because the terms and conditions of the free credit monitoring it offered tried to remove consumers' ability to sue the company.

As the crisis escalated and got out of control, nearly all levels of government began to take an interest and to undertake studies and interventions. Eventually, Equifax paid over $600 million in a settlement with the 50 U.S. State Attorneys General (Oregon Department of Justice, 2019). The central government also took notice. The Federal Trade Commission launched an inquiry, and Congress held numerous hearings to investigate Equifax. New laws regarding the practices used by credit rating companies, as well as privacy, were set in motion by both Parliament and the Senate.

Recommendations

Data monitoring authorities should make the data gathered, and the way it is handled, more transparent to consumers. After the Equifax data breach was disclosed, the lack of information about the vast data that credit reporting agencies (CRAs) gather on individuals generated a significant degree of general confusion. To allow consumers more control of their information, CRAs must invest in and deploy additional tools (Marinos & Clements, 2018). For example, CRAs should provide consumers with a free, simple summary of the data they collect, including the number of times that the CRA has provided the data to a client over the last year.

This summary should be available to customers at any time, in addition to the annual free credit report. This approach will allow users to monitor the CRAs' information and know how often their information was shared. Locks and freezes on credit reports allow consumers to increase control over their data. CRAs should provide all consumers with free credit freezes (Marinos & Clements, 2018). None of these transparency measures, including loan freezes, should require the consumer to make any other commitments in connection with additional services.

Federal agencies and the private sector should cooperate to enhance transparency about a company's cybersecurity risks and the measures it takes to alleviate them. One way a private entity can make its cyber risk more transparent is through disclosures in its SEC filings. In 2011, the SEC developed guidelines to help companies report cybersecurity risks and incidents. According to SEC guidance, a private company may be obliged to provide this information in its registration statements, financial reports and 8-K forms if cybersecurity risks or incidents are sufficiently important to investors. Equifax, in its SEC filings before the 2017 data breach, reported no privacy threats or information security incidents (Marinos & Clements, 2018). Federal entities like the SEC should strive to promote shared disclosure about cyber risk and increase awareness of an organization's cybersecurity posture.

In collaboration with the private sector, the department should seek to reduce the reliance on social security numbers. Social security numbers are commonly used by the public and private sectors for identifying and authenticating people, and authenticators are only helpful when they are kept secret. Attackers stole the social security numbers of an additional 145 million Equifax customers. As a result of this abuse, about half of the social security numbers in the world are no longer private (Marinos & Clements, 2018). As an alternative to the use of social security numbers, emerging technological solutions should be pursued by the OMB and other relevant federal agencies to protect consumers from identity theft.

Conclusion

This article analyzed the Equifax data breach, providing an overview, the contributing factors and the external responses. It also made recommendations to prevent future cybersecurity problems of this kind. Themes such as the Apache software, credit monitoring and the government response to a data breach were discussed. Throughout the article, it is evident that data breaches can be prevented with the appropriate attitude and measures.

References

Equifax. (2019). 2017 cybersecurity incident & essential consumer information.

Marinos, N., & Clements, M. (2018, August). Data Protection Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach.

Oregon Department of Justice. (2019, July 22). 50 State Attorney Secure 600 Million from Equifax in the Largest Data Breach Settlement in History.


Baris Yalcin
Content Editor at Tamara Research. Movie and music addict. Bachelor's degree in Translation and Interpreting.
