ADM2372 Assignment 3 Case

The Equifax Breaches

The Problem

Equifax (www.equifax.com) is a consumer credit reporting and monitoring agency, also known as a credit bureau, that collects and aggregates data on more than 820 million individual consumers and 91 million businesses worldwide. The agency reported an annual revenue of US $3.4 billion in 2018 and employed more than 9,000 workers in 14 countries. Lenders rely on the data collected by credit bureaus to help them decide whether to approve financing for homes or cars and whether to issue credit cards. In addition, many employers use credit bureaus to perform credit checks on prospective employees.

Credit reporting businesses are primarily designed to serve banks and credit card companies, not the consumers they monitor. However, consumers do benefit from the credit bureaus because maintaining a good credit profile makes it easier to obtain a loan or a credit card. It is very important to note that lenders do not face the same risks as consumers. To a lender, the unpaid bill on a fraudulent credit card is just one bad loan in a huge portfolio of loans, essentially the cost of doing business. In contrast, a consumer has only one identity and one reputation.

In March 2017, Equifax experienced a major security breach. Security experts noted that in early March the company began to notify a small number of banking customers that it had suffered a breach and was bringing in a security firm to investigate. According to security analysts, that investigation did not uncover evidence that the hackers had actually accessed any customer data. Most data breach disclosure laws do not activate until there is evidence that sensitive personally identifying information such as social insurance numbers and birth dates have been stolen. An Equifax spokesperson asserted that the company had complied fully with all consumer notification requirements related to the incident.

A second, much larger breach occurred in mid-May 2017.
To access Equifax's systems, the attackers exploited a vulnerability in the Apache Struts Web-application software. The theft obtained the names, social security (or social insurance) numbers, birth dates, addresses, and, in some cases, drivers' licence numbers of almost 146 million individuals. Equifax reported that about 100,000 Canadians were affected by the breach. The stolen data could be enough for criminals to steal the identities of people whose credentials were stolen.

Apache had disclosed the vulnerability in its software to its customers, including Equifax, in March 2017. It also had provided clear instructions about how to repair it. Apache claims that its customers were then responsible for implementing procedures to promptly follow these instructions. Simply put, Equifax had the time and the instructions it needed to update and patch its software. The Apache Software Foundation publicly stated that, although it was sorry if attackers had exploited a bug in its software to breach Equifax, it always recommends that users regularly patch and update their software.

Equifax claimed that it discovered the incident on July 29, 2017, at which time it "acted immediately to stop the intrusion and conduct a forensic review." However, it did not disclose the breach until September 7, six weeks later. Meanwhile, the company again hired security firm Mandiant on August 2. In a statement, Equifax denied that the second breach was related to the March breach. However, security analysts have noted that the breaches involved the same intruders.

Adding to Equifax's problems, on August 1 and 2, regulatory filings revealed that three senior executives had sold shares in the company worth almost US $1.8 million. None of the filings listed the transactions as being part of scheduled 10b5-1 trading plans. These plans allow major insider (employee) shareholders of publicly traded corporations to sell a predetermined number of shares at a predetermined time.
One of the executives had also sold shares on May 23. A regulatory filing for that sale also did not indicate that the sale was part of a scheduled trading plan. If it is shown that those executives sold company shares with the knowledge that either or both breaches could damage the company, then they would be vulnerable to charges of insider trading. The U.S. Department of Justice (DoJ; www.justice.gov/) opened a criminal investigation into the stock sales. Equifax has maintained that the executives had no knowledge of either breach when they made the transactions.

An Attempt at a Solution

Equifax hired security firm Mandiant for both breaches, and the Apache vulnerability was patched after the second breach.
Equifax announced the retirement of the company's chief information officer and chief security officer on September 15, 2017. Next, CEO Richard Smith resigned on September 26. He apologized for the breach and testified at a House Energy and Commerce Committee hearing in the U.S. Congress on October 3.

Following the second breach, Equifax created a website, www.equifaxsecurity2017.com, where people could enter their last names along with the last six digits of their social security numbers to see if they were affected by the hack. Unfortunately, someone copied that website and hosted that copy at a very similar URL, https://securityequifax2017.com. The two websites, one real and one fake, looked the same to casual observers.
Fortunately for Equifax, the creator of the fake website, Nick Sweeting, set it up to demonstrate that Equifax should have developed its website under its corporate domain (www.equifax.com). Sweeting claimed that his fake website had approximately 200,000 page downloads. If Sweeting's website had really been a phishing website, then even more damage could have been done.

The Results

On March 13, 2018, former Equifax CIO Jun Ying was indicted by a federal grand jury for insider trading based on allegations that he sold more than US $950,000 worth of company shares days before the company publicly announced the breach. The Department of Justice's indictment alleges that on August 28, 2018, Ying conducted Web searches inquiring about how Experian's 2015 data breach influenced its share price. Later that same day, Ying exercised all of his available stock options and then sold the shares, receiving proceeds of over US $950,000 and a gain of more than US $480,000. On March 15, 2018, Ying was arraigned and freed on bond. He pleaded not guilty.

As noted above, three other Equifax executives sold large numbers of Equifax shares before news of the breach became public. A special committee formed by Equifax's board of directors cleared the executives of any wrongdoing and none of them were mentioned in the DoJ's complaint against Ying.

In the year since the breach, Equifax invested US $200 million on data security infrastructure. To oversee the recovery process, the company hired a new chief information security officer (CISO) in February 2018. He noted that, prior to a data breach, company CISOs always have to fight for budget, trying to justify and convince people about the importance of security and risk management. After a breach, the job of CISOs is far easier because everyone knows that security is critically important.
Equifax is focusing its efforts in the following areas:

• Improving its processes for patching, vulnerability management, and digital certificate management;
• Strengthening access control protections and identity management across the company;
• Improving data protection across the firm's entire infrastructure;
• Developing better detection and response programs to manage problems more effectively if and when they occur;
• Improving data governance and reporting so that the company can offer proof of compliance and general progress in its security efforts;
• Working on a major cultural shift to incorporate both preventive measures and response training across every department; and
• Expanding its consumer outreach and education programs.

General Thoughts

Any data breach harms a company's reputation. This problem is particularly critical for Equifax because its entire business model involves providing a complete financial profile of consumers that lenders and other businesses can trust. Not only has Equifax's credibility been severely damaged, but the breach also undermines the integrity of the data collected by the other two major credit bureaus, Experian (www.experian.com) and TransUnion (www.transunion.com).

The effects of the Equifax breach make it clear that social insurance numbers are rapidly becoming an unreliable method to verify a person's identity. Once a person's social insurance number has been compromised, it is a difficult problem to fix because so many systems and applications rely on that number. The solution to the social insurance number problem may lie in utilizing additional layers of security. For example, we might start to see security questions and one-time security codes sent via email or text message to our smartphones. The problem with added security is that it is more difficult to conduct transactions over the Web, specifically, electronic commerce.
Consider the security freeze, which is the most effective way for customers who are anxious about the Equifax hack to protect themselves. If you contact a credit reporting company and request a freeze, which you can do at each of the three companies' websites, then you are instructing the company not to provide any information when a lender contacts it in the process of opening an account. Thus, if someone tries to use your name and social insurance number to obtain a new credit card, then the application will probably be rejected. This action prevents fake credit cards from being issued in your name. It also prevents the resulting unpaid bills from ending up on your report and damaging your credit. When you need a loan, you can contact the credit agency and lift the freeze.

What a freeze costs is subject to state law. It is usually free to victims of identity theft. Otherwise, people who are simply being cautious might pay from US $3 to $10 to set the freeze, and a similar fee when they lift it. On September 12, 2017, Equifax temporarily waived freeze fees.
The freeze fees accentuate the overall consumer unfriendliness of the process. Consumers must pay a separate fee to each of the credit reporting agencies. They then receive a PIN that they must use (again, one for each company) when they want to lift the freeze. To put a freeze in place online, consumers must verify their identity by entering their social insurance numbers, which is problematic if they are putting the freeze in place because they had just discovered that these numbers had been stolen. Once a freeze is in place, consumers must remember where they put their PINs before they apply for a loan, a credit card, a job, or an apartment.
People who set freezes at Equifax immediately after the breach found that their new PIN codes were made up of the date and time they put the freeze on, as opposed to random, unguessable numbers.

By law, U.S. consumers can request one free copy of their credit reports per year from each of the three credit bureaus by accessing www.annualcreditreport.com.

Consumer advocates would like to see everyone who was impacted by the Equifax breach request a credit freeze. In effect, freezes would become the default setting for all credit files, with everyone's credit data essentially off limits unless the consumer says otherwise. As it stands, however, the problems associated with freezes may make that solution less than appealing. However, if freezes became the norm, then credit bureaus would likely devise better ways to protect their data.

In response, to provide better control over credit reports, Equifax has created and made available a free app called "Lock and Alert." Users can "lock" their credit file and request alerts when the account is locked or unlocked. Users can unlock the file when someone needs to perform a credit check and then relock the account. The lock and alert app is separate from the security freeze, which also locks an account but would need to be separately requested.

And the cost of the breaches for Equifax? For 2017, costs associated with the breaches totalled US $164 million, with US $50 million offset by insurance. Company officials projected an additional US $275 million in costs for 2018, with US $75 million offset by insurance.

And the bottom line for Equifax? The credit bureau's shares declined 31 percent in value from September 7 to 13, 2017. However, by August 2018, Equifax shares were trading at US $128 per share, down 10 percent from US $141 per share just prior to the breach. Equifax reported 2017 total revenue of US $3.4 billion and net income of US $587 million. Interestingly, net income increased by 20 percent over 2016.
And the bottom line for consumers? Regardless of security breaches at credit bureaus, consumers are not able to opt out of the bureaus.