
Question


Could you please make a short summary with key issues for this case study please?

Is the Equifax Hack the Worst Ever - and Why?

CASE STUDY

Chapter 8 Securing Information Systems

Equifax (along with TransUnion and Experian) is one of the three main U.S. credit bureaus, which maintain vast repositories of personal and financial data used by lenders to determine credit-worthiness when consumers apply for a credit card, mortgage, or other loans. The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website. These data are provided by banks and other companies directly to Equifax and the other credit bureaus. Consumers have little choice over how credit bureaus collect and store their personal and financial data.

Equifax has more data on you than just about anyone else. If any company needs airtight security for its information systems, it should be credit reporting bureaus such as Equifax. Unfortunately this has not been the case.

On September 7, 2017 Equifax reported that from mid-May through July 2017 hackers had gained access to some of its systems and potentially the personal information of about 143 million U.S. consumers, including Social Security numbers and driver's license numbers. Credit card numbers for 209,000 consumers and personal information used in disputes for 182,000 people were also compromised. Equifax reported the breach to law enforcement and also hired a cybersecurity firm to investigate. The size of the breach, importance, and quantity of personal information compromised by this breach are considered unprecedented.

Immediately after Equifax discovered the breach, three top executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman claimed the three executives had no knowledge that an intrusion had occurred at the time they sold their shares on August 1 and August 2. Bloomberg reported that the share sales were not planned in advance. On October 4, 2017 Equifax CEO Richard Smith testified before Congress and apologized for the breach.

The size of the Equifax data breach was second only to the Yahoo breach of 2013, which affected data of all of Yahoo's 3 billion customers. The Equifax breach was especially damaging because of the amount of sensitive personal and financial data stored by Equifax that was stolen, and the role such data play in securing consumers' bank accounts, medical histories, and access to financing. In one swoop the hackers gained access to several essential pieces of personal information that could help attackers commit fraud. According to Avivah Litan, a fraud analyst at Gartner Inc., on a scale of risk to consumers of 1 to 10, this is a 10.

After taking Equifax public in 2005, CEO Smith transformed the company from a slow-growing credit-reporting company (1-2 percent organic growth per year) into a global data powerhouse. Equifax bought companies with databases housing information about consumers' employment histories, savings, and salaries, and expanded internationally. The company bought and sold pieces of data that enabled lenders, landlords, and insurance companies to make decisions about granting credit, hiring job seekers, and renting an apartment. Equifax was transformed into a lucrative business housing $12 trillion of consumer wealth data. In 2016, the company generated $3.1 billion in revenue.

Competitors privately observed that Equifax did not upgrade its technological capabilities to keep pace with its aggressive growth. Equifax appeared to be more focused on growing data it could commercialize.

Hackers gained access to Equifax systems containing customer names, Social Security numbers, birth dates, and addresses. These four pieces of data are generally required for individuals to apply for various types of consumer credit, including credit cards and personal loans. Criminals who have access to such data could use it to obtain approval for credit using other people's names. Credit specialist and former Equifax manager John Ulzheimer calls this a "nightmare scenario" because all four critical pieces of information for identity theft are in one place.

The hack involved a known vulnerability in Apache Struts, a type of open-source software Equifax and other companies use to build websites. This software vulnerability had been publicly identified in March 2017, and a patch to fix it was released at that time. That means Equifax had the information to eliminate this vulnerability two months before the breach occurred. It did nothing.

Weaknesses in Equifax security systems were evident well before the big hack. A hacker was able to access credit-report data between April 2013 and January 2014. The company discovered that it mistakenly exposed consumer data as a result of a "technical error" that occurred during a 2015 software change. Breaches in 2016 and 2017 compromised information on consumers' W-2 forms that were stored by Equifax units. Additionally, Equifax disclosed in February 2017 that a "technical issue" compromised credit information of some consumers who used identity theft protection services from LifeLock.

Analyses earlier in 2017 performed by four companies that rank the security status of companies based on publicly available information showed that Equifax was behind on basic maintenance of websites that could have been involved in transmitting sensitive consumer information. Cyberrisk analysis firm Cyence rated the danger of a data breach at Equifax during the next 12 months at 50 percent. It also found the company performed poorly when compared with other financial-services companies. The other analyses gave Equifax a higher overall ranking, but the company fared poorly in overall web-services security, application security, and software patching.

A security analysis by Fair Isaac Corporation (FICO), a data analytics company focusing on credit scoring services, found that by July 14 public-facing websites run by Equifax had expired certificates, errors in the chain of certificates, or other web-security issues. Certificates are used to validate that a user's connection with a website is legitimate and secure.

The findings of the outside security analyses appear to conflict with public declarations by Equifax executives that cybersecurity was a top priority. Senior executives had previously said cybersecurity was one of the fastest-growing areas of expense for the company. Equifax executives touted Equifax's focus on security in an investor presentation that took place weeks after the company had discovered the attack.

Equifax has not revealed specifics about the attack, but either its databases were not encrypted or hackers were able to exploit an application vulnerability that provided access to data in an unencrypted state. Experts think - and hope - that the hackers were unable to access all of Equifax's encrypted databases to match up information such as driver license or Social Security numbers needed to create a complete data profile for identity theft.

Equifax management stated that although the hack potentially accessed data on approximately 143 million U.S. consumers, it had found no evidence of unauthorized activity in the company's core credit reporting databases. The hack triggered an uproar among consumers, financial organizations, privacy advocates, and the press. Equifax lost one-third of its stock market value. Equifax CEO Smith resigned, with the CSO (chief security officer) and CIO departing the company as well. Banks will have to replace approximately 209,000 credit cards that were stolen in the breach, a major expense. Lawsuits are in the works.

Unfortunately the worst impact will be on consumers themselves, because the theft of uniquely identifying personal information such as Social Security numbers, address history, debt history, and birth dates could have a permanent effect. These pieces of critical personal data could be floating around the Dark Web for exploitation and identity theft for many years. Such information would help hackers answer the series of security questions that are often required to access financial accounts. According to Pamela Dixon, executive director of the World Privacy Forum, "This is about as bad as it gets." If you have a credit report, there's at least a 50 percent chance or more that your data were stolen in this breach.

The data breach exposed Equifax to legal and financial challenges, although the regulatory environment is likely to become more lenient under the current presidential administration. It already is too lenient. Credit reporting bureaus such as Equifax are very lightly regulated. Given the scale of the data compromised, the punishment for breaches is close to nonexistent. There is no federally sanctioned insurance or audit system for data storage, the way the Federal Deposit Insurance Corporation provides insurance for banks after losses. For many types of data, there are few licensing requirements for housing personally identifiable information. In many cases, terms-of-service documents indemnify companies against legal consequences for breaches.

Experts said it was highly unlikely that any regulatory body would shut Equifax down over this breach. The company is considered too critical to the American financial system. The two regulators that do have jurisdiction over Equifax, the Federal Trade Commission and the Consumer Financial Protection Bureau, declined to comment on any potential punishments over the credit agency's breach.

Even after one of the most serious data breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual. And the scope of the problem is much wider. Public policy has no good way to heavily punish companies that fail to safeguard our data. The United States and other countries have allowed the emergence of huge phenomenally detailed databases full of personal information available to financial companies, technology companies, medical organizations, advertisers, insurers, retailers, and the government.

Equifax has offered very weak remedies for consumers. People can go to the Equifax website to see if their information has been compromised. The site asks customers to provide their last name and the last six digits of their Social Security number. However, even if they do that, they do not necessarily learn whether they were affected. Instead, the site provides an enrollment date for its protection service. Equifax offered a free year of credit protection service to consumers enrolling before November 2017. Obviously, all of these measures won't help much because stolen personal data will be available to hackers on the Dark Web for years to come. Governments involved in state-sponsored cyberwarfare are able to use the data to populate databases of detailed personal and medical information that can be used for blackmail or future attacks. Ironically, the credit-protection service that Equifax is offering requires subscribers to waive their legal rights to seek compensation from Equifax for their losses in order to use the service, while Equifax goes unpunished. On March 1, 2018, Equifax announced that the breach had compromised an additional 2.4 million more Americans' names and driver's license numbers.

Harmful data breaches keep happening. In almost all cases, even when the data concerns tens or hundreds of millions of people, companies such as Equifax and Yahoo that were hacked continue to operate. There will be hacks - and afterward, there will be more. Companies need to be even more diligent about incorporating security into every aspect of their IT infrastructure and systems development activities. According to Litan, to prevent data breaches such as Equifax's, organizations need many layers of security controls. They need to assume that prevention methods are going to fail.

CASE STUDY QUESTIONS

8-13 Identify and describe the security and control weaknesses discussed in this case.

8-14 What management, organization, and technology factors contributed to these problems?

8-15 Discuss the impact of the Equifax hack.

8-16 How can future data breaches like this one be prevented? Explain your answer.
