In the summer of 2017, it was revealed that Equifax, a massive credit reporting bureau managing the credit rating and personally- identifying information of most credit-using Americans, had suffered a severe security breach affecting 143 million Americans.5 Among the data stolen in the breach were social security and credit card numbers, birthdates, addresses, and information related to credit disputes. The scale and severity of the breach were nearly unprecedented, and to make things worse, Equifax's conduct before and after the announcement of the breach came under severe criticism. For example, the website created by a PR consulting firm to handle consumer inquiries about the breach was riddled with security flaws, despite requesting customers submit personally-identifying information to check to see if they were affected. The site also told consumers that by using the site to see if they were affected, they were waiving legal rights to sue Equifax for damages related to the breach. The site, which gave many users inconsistent and unclear information about their status in the breach, offered to sell consumers further credit protection services from Equifax, for a fee. Soon it was learned that Equifax had known of the May 2017 breach for several months before disclosing it. Additionally, the vulnerability the attackers exploited had been discovered by Equifax's software supplier earlier that year; that company provided a patch to all of its customers in March 2017. Thus Equifax had been notified of the vulnerability and given the opportunity to patch its systems, two months before the breach exposed 100 million Americans to identity theft and grievous financial harm. Later, security researchers investigating the general quality of Equifax's cybersecurity efforts discovered that on at least one of Equifax's systems in Argentina, an unsecured network was allowing logins with the eminently guessable 'admin/admin' combination of username and password, and giving intruders ready access to sensitive data including 14,000 unencrypted employee usernames, passwords, and national ID numbers. Following the massive breach, two high-ranking Equifax executives charged with information security immediately retired, and the Federal Trade Commission launched an investigation of Equifax for the breach. After learning that three other Equifax executives had sold almost two billion dollars of their company stock before the public announcement of the breach, the Department of Justice opened an investigation into the possibility of insider trading related to the executives' prior knowledge of the breach. Q1. Of the ten types of ethical challenges for cybersecurity practitioners, which of those types does the Equifax case study potentially involve? Explain your answer (5 Marks) Q2. If you were hired to advise another major credit bureau on their information security, in light of the Equifax disaster, what are three questions you might first ask about your client's cybersecurity practices, and their ethical values in relation to cybersecurity? (4 Marks)