Equifax Data Breach Case Study Report
Equifax, Inc., is the largest consumer credit bureau in the world, holding the largest market share in 17 of the 21 countries in which it operates. With a presence in North America, Central and South America, Europe, and Asia Pacific, Equifax provides data, technology, and analytics services to industries that include insurance, finance, credit card, banking, retail, and health care. The company's 8,000 employees collect, organize, and manage many types of credit, financial, public record, demographic, and marketing information related to over 800 million consumers and 88 million businesses around the globe. Founded in 1899 in Atlanta, Georgia, by two brothers, the company that began as a service to local grocers expanded during the early 1900s to serve insurance companies worldwide. With annual revenues of $2 billion, Equifax has become a global leader in its industry and continually seeks opportunities to expand its services geographically. Nonetheless, the company maintains its headquarters in Atlanta, where it began over 100 years ago (Rourke, Mancini, Weaver, & Salamie, 2017).
Equifax’s primary mission is to enable businesses, lenders, and consumers to make informed financial decisions by providing detailed credit histories and risk assessments. The company’s clients include financial institutions, government agencies, and retail businesses that rely on credit data to determine eligibility for loans, credit cards, and other services. Equifax offers identity theft protection and fraud prevention solutions for consumers and businesses.
Given the nature of its business, Equifax holds highly sensitive data, including Social Security numbers, dates of birth, addresses, and financial histories. This makes the company a significant target for cybercriminals. The breach in 2017, which compromised the personal data of 147 million people, was a stark example of the risks involved in managing such vast amounts of sensitive information.
Before the 2017 data breach, Equifax had a reputation as a leader in the credit reporting industry, and it was trusted to safeguard consumer data. However, this trust was severely undermined when it was revealed that the breach exposed 147 million individuals’ personal information, impacting nearly half of the U.S. population. The breach damaged Equifax's reputation and prompted widespread concern over how credit reporting agencies handle sensitive data and the cybersecurity measures to protect it.
The breach occurred when cybercriminals exploited a vulnerability in Apache Struts, a widely used open-source web application framework that Equifax used for its online dispute resolution portal. The specific vulnerability, CVE-, was publicly disclosed in March 2017, and a patch was made available shortly after that (Luszcz, 2018). However, Equifax failed to apply this patch promptly, leaving its systems exposed to attackers.
According to Equifax, cybercriminals exploited a vulnerability in one of its online applications between mid-May and July 2017, potentially revealing information for 143 million U.S. consumers. Equifax stated that “the information accessed primarily includes names, Social Security numbers, birth date, addresses, and, in some cases, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.” Much of the information that Equifax listed is difficult or impossible to change, potentially exposing affected individuals to significant risk of identity theft in the future (Weiss, 2018, p. 1).
Equifax discovered the breach on July 29, 2017, but did not disclose it to the public until September 7, 2017, sparking outrage among consumers, government officials, and the media. This delay in disclosure, combined with the severity of the breach, led to widespread criticism of Equifax’s cybersecurity practices and its handling of consumer data. Investigations later revealed that Equifax had been warned about the vulnerability but failed to take immediate action, leading to severe financial, reputational, and legal consequences for the company.
The timeline of the Equifax data breach begins on March 7, 2017, when a critical vulnerability (CVE-) in Apache Struts, a framework used by Equifax, was publicly disclosed, with a patch made available the same day. By March 9, Equifax had been informed of the vulnerability but failed to apply the patch, leaving its systems exposed. In mid-May, hackers exploited the unpatched system, gaining unauthorized access to sensitive consumer data, including Social Security numbers, birth dates, and addresses. On July 29, Equifax’s security team detected suspicious network activity, took the compromised web application offline, and took steps to prevent further unauthorized access. On July 30, the following day, an internal investigation began and cybersecurity experts were hired to assess the damage. By August 2, Equifax had notified the FBI and was working with forensic investigators to determine the extent of the breach. On September 7, the company publicly disclosed that the personal data of 143 million U.S. consumers (later updated to 147 million) had been compromised, leading to widespread public outrage over the delayed announcement. Following mounting criticism, CEO Richard Smith resigned on September 26, alongside the company’s CIO and CSO. In July 2019, Equifax reached a $700 million settlement with the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and other entities, which included compensation for affected individuals and commitments to improve data security.
Several critical risks and vulnerabilities allowed the Equifax data breach to occur, exposing the company to cyber criminals and resulting in the theft of sensitive personal information. These vulnerabilities stemmed from technical failures, poor cybersecurity practices, and organizational oversights:
• Unpatched Software Vulnerability: The most significant vulnerability that enabled the breach was an unpatched flaw in Apache Struts, a widely used web application framework. The vulnerability, CVE-, was publicly disclosed in March 2017, and a patch was made available shortly after that (NIST, 2017). However, despite being notified of the vulnerability on March 9, 2017, Equifax failed to apply the patch. This allowed attackers to exploit the weakness and access the company’s systems. The failure to prioritize and implement timely security updates left Equifax vulnerable, demonstrating weak patch management processes within the organization.
• Delayed Detection of the Breach: The breach went undetected for nearly two months, from mid-May to July 29, 2017. During this time, hackers could extract massive amounts of personal data without triggering an alert. The delayed detection allowed the attackers to access more data over an extended period. Weak intrusion detection and monitoring systems made it difficult for Equifax to promptly detect and respond to suspicious activities within its network. The company’s inadequate security monitoring allowed attackers to operate unnoticed.
• Weak Network Segmentation: Once the attackers gained access to the Equifax network, they could move laterally across various systems. The lack of strong network segmentation—dividing networks into isolated segments to protect sensitive data—enabled the attackers to access and extract critical databases. Equifax’s internal network was not sufficiently isolated, meaning that a breach of a public-facing application could lead to access to sensitive internal data.
• Lack of Encryption on Sensitive Data: Although Equifax handled highly sensitive personal information, certain data, including Social Security numbers, was not encrypted within the compromised databases. Encryption is a critical security measure that renders stolen data unreadable to unauthorized users. By failing to encrypt critical data, Equifax left this information vulnerable, increasing the potential damage once attackers accessed it.
• Inadequate Cybersecurity Governance: Equifax lacked a robust internal cybersecurity governance and risk management process. Despite the company's vast handling of sensitive personal data, its internal communication and prioritization of security measures were insufficient. The company's leadership failed to respond quickly and effectively to known security risks. Systemic organizational flaws, including poor governance and ineffective communication, contributed to the failure to act on critical vulnerabilities and exposed the company to cyberattacks.
The Equifax data breach resulted in substantial financial losses, reputational damage, and long-term operational consequences. The costs associated with the breach were not limited to immediate financial settlements but also extended to legal fees, regulatory penalties, and a significant loss of consumer trust. Below are the critical areas of impact:
• Financial Costs: The credit bureau Equifax will pay about $650 million -- and perhaps much more -- to resolve most claims stemming from a 2017 data breach that exposed sensitive information on more than 147 million consumers and demonstrated how little control Americans have over their data. The settlement is vast in scope, resolving investigations by two federal agencies and 48 state attorneys general and covering every American consumer whose data was stolen -- or just under half the population of the United States. It does not just compensate victims who lost money: People who suffered through the hassles of bank phone trees and credit-card customer service lines can bill Equifax $25 an hour for their time (Cowley, 2019).
• Reputational Damage: The breach severely damaged Equifax's reputation, leading to widespread distrust among consumers, businesses, and government regulators. As a company responsible for safeguarding sensitive financial data, Equifax faced harsh criticism for its delayed response and mishandling of the situation. This loss of consumer trust caused long-term damage to its brand, with many questioning the reliability of credit reporting agencies like Equifax. Businesses that relied on Equifax’s services also reconsidered partnerships, affecting their business relationships.
• Data Breach: Equifax’s announcement left a significant amount of uncertainty about the breach itself. When Equifax stated that information was “accessed,” it is unclear whether that means the consumer data was merely viewed through the unauthorized access or whether an unauthorized party downloaded the data. The breach has also raised questions about whether Equifax’s safeguards complied with GLBA and other data protection requirements (Weiss, 2018).
• Legal Framework: The incident has prompted some to question whether the regulatory framework for CRAs is appropriate. The FCRA contains certain consumer protections, but some have called for additional safeguards, such as allowing consumers to freeze their credit reports for free or opt out of collecting their information. Others have called for more stringent data protection requirements and a uniform nationwide data breach notification law to replace state laws so that all consumers would be notified promptly if their data is compromised. Congress may also reassess whether the CFPB, which has supervisory authority over CRAs that are more prominent participants, should have explicit supervisory authority over cybersecurity at CRAs. (Weiss, N. E., 2018)
• Long-Term Consumer Impact: The breach exposed consumers to potential identity theft and fraud. With millions of Social Security numbers, birth dates, and other personal information compromised, affected individuals were at risk of financial fraud for years to come. While Equifax offered free credit monitoring services, the long-term risks to consumers' financial security were significant.
• Regulatory Response: Multiple agencies are reportedly investigating the breach. The breach also raises questions about the performance of Equifax’s regulators and whether any action on their part could have prevented the incident. The director of the CFPB recently stated during an interview that the CFPB would be changing its supervisory regime for the three largest CRAs and that the CRAs were “going to have monitoring in place that’s preventive.” It is unclear what the enhanced monitoring would look like and whether it would have been able to prevent the Equifax incident (Weiss, 2018).
Following the Equifax data breach, cybersecurity practitioners and regulatory bodies identified several critical prevention measures that could have mitigated the attack or minimized its impact. These measures are intended to address the vulnerabilities that led to the breach and strengthen an organization’s defenses against future cyberattacks:
1. Timely Patch Management
• Regular and Prompt Patching: One of the primary lessons from the breach is the importance of timely patch management. The failure to patch the known Apache Struts vulnerability was a critical oversight. Organizations must establish a structured and timely patch management process to ensure that all known vulnerabilities are addressed as soon as updates become available.
• Automated Patching Systems: To reduce human error, companies should implement automated patch management tools to identify and apply security patches across the entire infrastructure quickly.
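The patch-management point above is a process, but the process only works if someone can answer "which internet-facing hosts are still running a component below the fixed version, and for how long past our deadline?" The following script is an added example written for this report, not code from Equifax or from any of the cited sources. It joins a constructed asset inventory against a list of advisories and ranks unpatched pairs by exposure. The advisory ids, version strings, library name "libx", host names and the SLA day counts are all assumptions made for the example; only the March 7, 2017 disclosure date and the mid-May exploitation window come from the report, which does not name the CVE.

```python
from dataclasses import dataclass
from datetime import date

# Maximum days allowed between public disclosure of a fix and its deployment,
# by severity. These SLA values are an assumption made for this example, not
# a policy taken from the report.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder label; the report does not name the CVE
    component: str
    fixed_in: str     # first version that contains the fix
    disclosed: date
    severity: str


@dataclass(frozen=True)
class Asset:
    host: str
    component: str
    version: str
    internet_facing: bool


def parse_version(text: str) -> tuple:
    """Turn '2.3.4' into (2, 3, 4) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected when it runs the component below the fixed version."""
    return (asset.component == adv.component
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def patch_status(assets, advisories, today: date):
    """One finding per (asset, advisory) pair still unpatched on `today`,
    ordered so internet-facing and longest-overdue items come first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            exposed = (today - adv.disclosed).days
            findings.append({
                "host": asset.host,
                "advisory": adv.advisory_id,
                "days_exposed": exposed,
                "overdue_by": max(0, exposed - SLA_DAYS[adv.severity]),
                "internet_facing": asset.internet_facing,
            })
    findings.sort(key=lambda f: (not f["internet_facing"], -f["overdue_by"]))
    return findings


# Constructed sample data. Version strings and advisory ids are placeholders;
# only the March 7, 2017 disclosure date and the mid-May exploitation window
# come from the report.
ADVISORIES = [
    Advisory("ADV-STRUTS-PLACEHOLDER", "apache-struts", "1.0.1",
             date(2017, 3, 7), "critical"),
    Advisory("ADV-LIBX-PLACEHOLDER", "libx", "4.2.0",
             date(2017, 4, 20), "medium"),
]
ASSETS = [
    Asset("dispute-portal-01", "apache-struts", "1.0.0", internet_facing=True),
    Asset("intranet-app-07", "apache-struts", "1.0.1", internet_facing=False),
    Asset("batch-03", "libx", "4.1.9", internet_facing=False),
]


def example_report(today: date = date(2017, 5, 13)):
    """Run the check as of mid-May 2017, when the report says exploitation began."""
    return patch_status(ASSETS, ADVISORIES, today)


if __name__ == "__main__":
    for finding in example_report():
        print(finding)
```

Run as of May 13, 2017, the internet-facing dispute portal shows 67 days of exposure and 60 days past a seven-day critical SLA, which is exactly the kind of figure that should have surfaced in a weekly review between the March 9 notification and the mid-May intrusion. The sort order matters as much as the check: an automated patching tool that reports by host name would bury the one finding that needs attention first.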
2. Comprehensive Vulnerability Management
• Continuous Monitoring and Audits: Organizations should conduct regular vulnerability assessments and security audits to detect system weaknesses. Continuous monitoring tools can help identify potential threats and anomalies in real-time, allowing for faster detection and response to suspicious activities.
• Penetration Testing: Regular penetration testing simulates cyberattacks and exposes potential vulnerabilities that can be addressed before attackers exploit them.
3. Network Segmentation
• Isolating Sensitive Data: Proper network segmentation ensures that public-facing systems, such as web portals, are isolated from sensitive internal databases. This practice limits attackers’ ability to move laterally within a network and access critical data even if they breach one part of the system.
• Implementing the Principle of Least Privilege: This security measure ensures that users and systems have only the minimal access necessary to perform their functions, reducing the risk of unauthorized access to sensitive data.
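Segmentation and least privilege are easy to state and hard to verify once a network has hundreds of firewall rules. The script below is an added example for this report, not code from Equifax or from the cited sources. It models a rule set as allowed flows between zones and audits it for the two failures described above: a public-facing zone that can reach the sensitive database directly, and a public-facing zone granted "any" service rather than the one it needs. Both rule sets, the zone names, and the service labels are constructed for the example and do not describe Equifax's actual network.

```python
from collections import defaultdict, deque

# Zones holding data that must never be directly reachable from the edge.
SENSITIVE_ZONES = {"pii-db"}

# Each rule is (source_zone, destination_zone, service). Anything not listed is
# denied. Both rule sets are constructed for this example; the zone names are
# hypothetical and do not describe Equifax's actual network.
FLAT_RULES = [
    ("internet", "dmz-web", "https"),
    ("dmz-web", "app-tier", "any"),
    ("dmz-web", "pii-db", "any"),      # web tier talks straight to the database
    ("app-tier", "pii-db", "sql"),
]

SEGMENTED_RULES = [
    ("internet", "dmz-web", "https"),
    ("dmz-web", "app-tier", "api"),    # only the application API, nothing else
    ("app-tier", "pii-db", "sql"),     # only the app tier may reach the database
]


def public_facing_zones(rules):
    """Zones that accept traffic from the internet."""
    return {dst for src, dst, _ in rules if src == "internet"}


def min_hops(rules, start, target):
    """Fewest allowed flows an intruder in `start` must chain to reach
    `target`; None when no path exists. Breadth-first search over zones."""
    graph = defaultdict(list)
    for src, dst, _ in rules:
        graph[src].append(dst)
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == target:
            return hops
        for nxt in graph[zone]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None


def audit_segmentation(rules, sensitive=SENSITIVE_ZONES):
    """Return (kind, src, dst) findings for rules that let a public-facing zone
    reach sensitive data in one hop or with an unrestricted service."""
    public = public_facing_zones(rules)
    findings = []
    for src, dst, service in rules:
        if src in public and dst in sensitive:
            findings.append(("direct-to-sensitive", src, dst))
        if src in public and service == "any":
            findings.append(("broad-service", src, dst))
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, "hops from dmz-web to pii-db:",
              min_hops(rules, "dmz-web", "pii-db"))
        for finding in audit_segmentation(rules):
            print("  ", finding)
```

The flat rule set yields three findings and a one-hop path from the web tier to the database, which is the shape of the weakness the report describes. The segmented set yields none, and the web tier is two hops away with only a narrow API service allowed on the first hop, so compromising the portal no longer hands over the database. Running `min_hops` in reverse also confirms the database zone has no outbound flows at all, a useful least-privilege check in its own right.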
4. Data Encryption
• Encrypting Sensitive Data: Encryption of sensitive data—both at rest and in transit—would have made the stolen data from the Equifax breach significantly harder to exploit. Cybersecurity experts emphasized the need for organizations to encrypt personally identifiable information (PII) to protect it from unauthorized access.
• Regular Encryption Audits: Companies should regularly audit their encryption protocols to ensure they use the most up-to-date and secure encryption standards.
5. Improved Incident Detection and Response
• Intrusion Detection and Response Systems (IDRS): Organizations should implement advanced intrusion detection and response systems to identify abnormal behavior and potential breaches as they happen. Early detection significantly reduces the time attackers have to exploit vulnerabilities and extract data.
• Comprehensive Incident Response Plans: Companies must develop and maintain incident response plans detailing the steps to take in case of a breach. Regular training exercises and simulations help prepare the incident response team to act quickly and effectively.
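The "Delayed Detection of the Breach" finding earlier in this report and the detection-and-response measures in this section both come down to noticing a server that suddenly sends far more data out than it ever has. The script below is an added example written for this report, not code from Equifax or from the cited sources. It parses a small constructed egress log in a hypothetical key=value format, builds a per-host daily baseline, and alerts when a host's outbound volume exceeds a multiple of its own history, also listing destinations the host had never contacted before. The log lines, the addresses (private and documentation ranges), and the threshold values are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed egress-proxy log in a hypothetical key=value format. Hosts use
# private addresses and destinations use documentation ranges (203.0.113.0/24,
# 198.51.100.0/24); none of these values come from the report.
SAMPLE_LOG = """\
2017-05-10T09:12:01Z src=10.20.5.17 dst=203.0.113.9 dport=443 bytes_out=5120000
2017-05-11T10:03:44Z src=10.20.5.17 dst=203.0.113.9 dport=443 bytes_out=4980000
2017-05-12T11:20:19Z src=10.20.5.17 dst=203.0.113.9 dport=443 bytes_out=5310000
2017-05-13T02:41:07Z src=10.20.5.17 dst=198.51.100.23 dport=443 bytes_out=620000000
2017-05-13T03:05:52Z src=10.20.5.17 dst=198.51.100.23 dport=443 bytes_out=310000000
2017-05-10T09:15:00Z src=10.20.5.18 dst=203.0.113.9 dport=443 bytes_out=4000000
2017-05-11T09:15:00Z src=10.20.5.18 dst=203.0.113.9 dport=443 bytes_out=4100000
2017-05-12T09:15:00Z src=10.20.5.18 dst=203.0.113.9 dport=443 bytes_out=3900000
2017-05-13T09:15:00Z src=10.20.5.18 dst=203.0.113.9 dport=443 bytes_out=4050000
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ bytes_out=(?P<bytes>\d+)$"
)

# Tuning knobs (assumed values): alert only when a host sends at least
# MIN_BYTES in a day and more than RATIO times its own daily baseline, and
# only once it has MIN_BASELINE_DAYS of history to compare against.
RATIO = 10.0
MIN_BYTES = 100_000_000
MIN_BASELINE_DAYS = 2


def parse_log(text):
    """Parse key=value lines; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"day": m["ts"][:10], "src": m["src"],
                            "dst": m["dst"], "bytes": int(m["bytes"])})
    return records


def find_exfil_candidates(records):
    """Flag (host, day) pairs whose outbound volume dwarfs that host's prior
    days, and list destinations the host had never contacted before."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for r in records:
        totals[r["src"]][r["day"]] += r["bytes"]
        dests[r["src"]][r["day"]].add(r["dst"])

    alerts = []
    for src, by_day in totals.items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            prior = days[:i]
            if len(prior) < MIN_BASELINE_DAYS:
                continue
            baseline = mean(by_day[d] for d in prior)
            today = by_day[day]
            if today >= MIN_BYTES and today > RATIO * baseline:
                known = set().union(*(dests[src][d] for d in prior))
                alerts.append({
                    "src": src, "day": day, "bytes_out": today,
                    "baseline": baseline, "ratio": today / baseline,
                    "new_destinations": sorted(dests[src][day] - known),
                })
    return alerts


def example_alerts():
    """Run the detector over the constructed sample log."""
    return find_exfil_candidates(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in example_alerts():
        print(alert)
```

On the sample data the detector raises a single alert for host 10.20.5.17 on May 13, roughly 180 times its own baseline and to an address it had never reached before, while the steady host 10.20.5.18 stays quiet. A per-host baseline is deliberate: an organization-wide threshold would be set by its busiest systems and would miss a single web portal leaking records over weeks, which is the scenario the report describes going unnoticed for two months.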
6. Stronger Cybersecurity Governance
• Cybersecurity as a Core Organizational Priority: Equifax’s breach underscored the importance of incorporating cybersecurity into an organization’s governance. This includes establishing cybersecurity leadership at the executive level, ensuring accountability for cybersecurity practices, and dedicating adequate resources to ongoing security efforts.
• Security Awareness and Training: Ongoing employee training in cybersecurity best practices, such as recognizing phishing attempts and proper data handling protocols, is crucial for preventing breaches caused by human error.
7. Regulatory Compliance and Industry Standards
• Adherence to Regulatory Frameworks: After the breach, Equifax was required to comply with more robust regulatory standards, including regular audits and improved risk management. Following established frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or ISO 27001 can help organizations maintain a robust security posture.
• Regular Compliance Reviews: Companies should perform regular reviews to ensure compliance with evolving cybersecurity regulations and industry standards, reducing the risk of legal penalties and improving overall security practices.
The Equifax breach underscored the critical importance of timely patch management, as failure to address known vulnerabilities allowed attackers to exploit the company’s systems. It also highlighted the need for more robust cybersecurity governance, including more effective communication and prioritization of security across all levels of an organization. Additionally, the breach demonstrated the necessity of encrypting sensitive data, implementing network segmentation to prevent lateral movement, and deploying intrusion detection systems to monitor suspicious activity. Regular vulnerability assessments and employee training are essential to mitigating risks from external attacks and insider threats. By adopting these measures, organizations can significantly reduce their exposure to future cyberattacks and better protect consumers' sensitive data.
While the Equifax data breach highlighted critical vulnerabilities and prevention measures, additional factors could influence the likelihood and impact of future cybercrimes. These factors include emerging technologies, evolving attack vectors, and new threats that create vulnerabilities across industries:
1. Emerging Threats from Cloud Computing and Hybrid Environments
• Cloud Adoption and Security Challenges: As more organizations migrate to cloud services, they may face challenges securing these environments. Misconfigurations in cloud platforms, improper access controls, and a lack of visibility into cloud environments create new vulnerabilities. Cloud service providers must implement and enforce robust security practices, while organizations using these services must ensure they follow shared responsibility models for security.
• Hybrid IT Environments: Many organizations use a mix of on-premises and cloud infrastructure, creating complex environments that require advanced security measures. Inconsistent policies across these environments can lead to gaps in security, increasing the risk of data breaches.
2. Supply Chain Vulnerabilities
• Third-Party Risks: Organizations increasingly rely on third-party vendors and partners, which can introduce security vulnerabilities into their supply chains. A security breach at a vendor can expose sensitive data or provide attackers a backdoor into an organization’s network. For instance, the SolarWinds attack highlighted the dangers of supply chain compromises.
• Vendor Management: Companies must ensure that their vendors adhere to strong cybersecurity standards, regularly audit third-party security practices, and require compliance with security policies as part of vendor contracts.
3. Increased Use of Internet of Things (IoT) Devices
• IoT Device Security: The proliferation of IoT devices introduces new attack surfaces, as many IoT devices have weak security protocols and are not regularly updated. Attackers can exploit vulnerabilities in connected devices to gain access to networks or launch Distributed Denial of Service (DDoS) attacks.
• Network Segmentation for IoT: Organizations need to implement proper network segmentation for IoT devices, ensuring that these devices do not have direct access to critical systems or sensitive data.
4. Advances in Ransomware Tactics
• Ransomware Evolution: Ransomware attacks have become more sophisticated, with attackers now employing double extortion tactics. This involves encrypting a victim’s data and threatening to release stolen data publicly if the ransom is not paid. The rise in ransomware-as-a-service (RaaS) has made these attacks more accessible to cybercriminals.
• Targeting of Critical Infrastructure: Ransomware attacks increasingly target critical infrastructure such as energy grids, hospitals, and transportation systems. These sectors often have outdated systems, making them vulnerable to attackers seeking large ransoms.
5. Insider Threats and Human Error
• Malicious or Negligent Insiders: Employees, contractors, or partners can pose significant threats, whether through malicious intent or negligence. Insider threats can result in data theft, unauthorized access, or accidental exposure of sensitive information.
• Security Training and Awareness: Ensuring employees are educated on security practices, such as recognizing phishing attempts and adequately handling sensitive data, is crucial for mitigating insider risks. Regular training can help reduce human error and increase awareness of evolving cyber threats.
6. Artificial Intelligence (AI) and Machine Learning (ML) in Cybercrime
• AI-Powered Attacks: As AI and machine learning continue to advance, cybercriminals may use these technologies to develop more sophisticated and automated attacks. AI can bypass traditional security measures, analyze large datasets for vulnerabilities, or create more convincing phishing campaigns through deep fake technology.
• AI in Cyber Defense: While AI presents new risks, it can also be leveraged to strengthen cyber defenses. AI-powered tools can help detect and respond to attacks faster by analyzing large volumes of data and identifying anomalies that may indicate an ongoing attack.
7. Regulatory Pressure and Compliance Challenges
• Evolving Regulatory Landscape: In the aftermath of significant breaches like Equifax, governments and regulatory bodies have introduced stricter data protection and privacy regulations. Organizations now face increased pressure to comply with laws such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the U.S. Failure to comply can result in significant fines and legal penalties.
• Global Compliance Challenges: Multinational companies can find it challenging to keep up with varying regulations across different jurisdictions. Inconsistent data protection laws and standards can create compliance challenges and increase the risk of cyberattacks.
8. Shortage of Cybersecurity Talent
• Cybersecurity Skills Gap: The demand for skilled cybersecurity professionals outpaces the supply. This shortage leaves organizations vulnerable as they struggle to find and retain qualified security personnel to manage and protect their systems.
• Automation and Upskilling: To address this gap, organizations are increasingly turning to automation tools to streamline security tasks. Investing in ongoing education and training for existing staff can help close the skills gap and improve cybersecurity preparedness.
As technology continues to evolve, so do the tactics and strategies used by cybercriminals. Factors such as cloud adoption, IoT vulnerabilities, ransomware, and insider threats will continue to shape the future landscape of cybercrime. Organizations must stay vigilant by adapting their security practices to address these emerging risks, ensuring they remain resilient in the face of ever-changing threats.
References
Andriotis, A., & Rexrode, C. (2017). Lawmakers grill former Equifax CEO over timing of hack disclosure; House financial services panel members seek details on the timeline of decision to inform public about massive breach. The Wall Street Journal, Eastern Edition.
Baker, A. (2020, January 27). The Equifax breach: A timeline of events. Security Magazine. https://www.securitymagazine.com/articles/90852-the-equifax-breach-a-timeline-of-events
Chatterjee, S. (2021, September 9). Equifax data breach: An analysis of the causes, consequences, and lessons learned. Journal of Cybersecurity and Privacy, 1(2), 245–264. https://doi.org/10.3390/jcp-
Consumer Financial Protection Bureau. (2020). Equifax data breach settlement overview. https://www.consumerfinance.gov/about-us/blog/equifax-data-breach-settlement-overview/
Cowley, S. (2019). Record data breach settlement will cost Equifax $650 million: National Desk. The New York Times.
Cybersecurity incident handling: A case study of the Equifax data breach. (2018). Issues in Information Systems. https://doi.org/-/3_iis_2018_150-159
DeMarco, E. J., Jr., & Mason, B. (2017, November). The Equifax data breach and its consequences. The RMA Journal, 100(3), 80+. https://link-gale-com.ezproxy.umgc.edu/apps/doc/A-/GBIB?u=umd_umuc&sid=bookmark-GBIB&xid=184cd8d6
Federal Trade Commission. (2019). Equifax data breach settlement: What you need to know. https://www.ftc.gov/equifax-data-breach-settlement
Luszcz, J. (2018). Apache Struts 2: How technical and development gaps caused the Equifax breach. Network Security, 2018(1), 5–8. https://doi.org/10.1016/S-
McDonald, R. R. (2020). Judge signs off on Equifax’s $7.75M settlement with financial institutions in the 2017 data breach. BenefitsPRO.
Moore, T. (2017). On the harms arising from the Equifax data breach of 2017. International Journal of Critical Infrastructure Protection, 19, 47–48. https://doi.org/10.1016/j.ijcip-
National Institute of Standards and Technology. (2017). CVE- detail. NIST. https://nvd.nist.gov/vuln/detail/cve-
Riley, M. (2017, September 7). Equifax says the data breach may have affected 143 million Americans. Bloomberg. https://www.bloomberg.com/news/articles/-/equifax-says-data-breach-may-have-affected-143-million-americans
Rourke, E., Mancini, C., Weaver, C. S., & Salamie, D. E. (2017). Equifax, Inc. In S. Long, D. Jacques, & P. Kepos (Eds.), International Directory of Company Histories (Vol. 182, pp. 201–207). St. James Press. https://link-gale-com.ezproxy.umgc.edu/apps/doc/CX-/GVRL?u=umd_umuc&sid=bookmark-GVRL&xid=040b01fd
U.S. House of Representatives Committee on Oversight and Reform. (2018). The Equifax data breach: What went wrong? https://oversight.house.gov/report/the-equifax-data-breach-what-went-wrong/
Weiss, N. E. (2018). The Equifax data breach: An overview and issues for Congress (Library of Congress public ed.). Congressional Research Service. https://crsreports.congress.gov/product/pdf/IN/IN10792