Data Security Read the article below and answer the following questions: Answer the following
questions: Identify and describe the security and control weaknesses discussed in this case. What
management, organization, and technology factors contributed to these problems? Discuss the
impact of the Equifax hack. How can future data breaches like this one be prevented? Is the
Equifax Hack the Worst Everand Why? Equifax (along with TransUnion and Experian) is one of
the three main U.S. credit bureaus, which maintain vast repositories of personal and financial
data used by lenders to determine credit-worthiness when consumers apply for a credit card,
mortgage, or other loans. The company handles data on more than 820 million consumers and
more than 91 million businesses worldwide and manages a database with employee information
from more than 7,100 employers, according to its website. These data are provided by banks and
other companies directly to Equifax and the other credit bureaus. Consumers have little choice
over how credit bureaus collect and store their personal and financial data. Equifax has more data
on you than just about anyone else. If any company needs airtight security for its information
systems, it should be credit reporting bureaus such as Equifax. Unfortunately, this has not been
the case. On September 7, 2017 Equifax reported that from mid-May through July 2017 hackers
had gained access to some of its systems and potentially the personal information of about 143
million U.S. consumers, including Social Security numbers and driver's license numbers. Credit
card numbers for 209,000 consumers and personal information used in disputes for 182,000
people were also compromised. Equifax reported the breach to law enforcement and also hired a
cybersecurity firm to investigate. The size of the breach, importance, and quantity of personal
information compromised by this breach are considered unprecedented. Immediately after
Equifax discovered the breach, three top executives, including Chief Financial Officer John
Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange
Commission filings. A company spokesman claimed the three executives had no knowledge that
an intrusion had occurred at the time they sold their shares on August 1 and August 2.
Bloomberg reported that the share sales were not planned in advance. On October 4, 2017
Equifax CEO Richard Smith testified before Congress and apologized for the breach. The size of
the Equifax data breach was second only to the Yahoo breach of 2013, which affected data of all
of Yahoo's 3 billion customers. The Equifax breach was especially damaging because of the
amount of sensitive personal and financial data stored by Equifax that was stolen, and the role
such data play in securing consumers' bank accounts, medical histories, and access to financing.
In one swoop the hackers gained access to several essential pieces of personal information that
could help attac.
Data Security Read the article below and answer the following questi.pdf
1. Data Security Read the article below and answer the following questions: Answer the following
questions: Identify and describe the security and control weaknesses discussed in this case. What
management, organization, and technology factors contributed to these problems? Discuss the
impact of the Equifax hack. How can future data breaches like this one be prevented? Is the
Equifax Hack the Worst Everand Why? Equifax (along with TransUnion and Experian) is one of
the three main U.S. credit bureaus, which maintain vast repositories of personal and financial
data used by lenders to determine credit-worthiness when consumers apply for a credit card,
mortgage, or other loans. The company handles data on more than 820 million consumers and
more than 91 million businesses worldwide and manages a database with employee information
from more than 7,100 employers, according to its website. These data are provided by banks and
other companies directly to Equifax and the other credit bureaus. Consumers have little choice
over how credit bureaus collect and store their personal and financial data. Equifax has more data
on you than just about anyone else. If any company needs airtight security for its information
systems, it should be credit reporting bureaus such as Equifax. Unfortunately, this has not been
the case. On September 7, 2017 Equifax reported that from mid-May through July 2017 hackers
had gained access to some of its systems and potentially the personal information of about 143
million U.S. consumers, including Social Security numbers and driver's license numbers. Credit
card numbers for 209,000 consumers and personal information used in disputes for 182,000
people were also compromised. Equifax reported the breach to law enforcement and also hired a
cybersecurity firm to investigate. The size of the breach, importance, and quantity of personal
information compromised by this breach are considered unprecedented. Immediately after
Equifax discovered the breach, three top executives, including Chief Financial Officer John
Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange
Commission filings. A company spokesman claimed the three executives had no knowledge that
an intrusion had occurred at the time they sold their shares on August 1 and August 2.
Bloomberg reported that the share sales were not planned in advance. On October 4, 2017
Equifax CEO Richard Smith testified before Congress and apologized for the breach. The size of
the Equifax data breach was second only to the Yahoo breach of 2013, which affected data of all
of Yahoo's 3 billion customers. The Equifax breach was especially damaging because of the
amount of sensitive personal and financial data stored by Equifax that was stolen, and the role
such data play in securing consumers' bank accounts, medical histories, and access to financing.
In one swoop the hackers gained access to several essential pieces of personal information that
could help attackers commit fraud. According to Avivah Litan, a fraud analyst at Gartner Inc., on
a scale of risk to consumers of 1 to 10, this is a 10. After taking Equifax public in 2005, CEO
Smith transformed the company from a slow-growing credit-reporting company (12 percent
2. organic growth per year) into a global data powerhouse. Equifax bought companies with
databases housing information about consumers' employment histories, savings, and salaries, and
expanded internationally. The company bought and sold pieces of data that enabled lenders,
landlords, and insurance companies to make decisions about granting credit, hiring job seekers,
and renting an apartment. Equifax was transformed into a lucrative business housing $12 trillion
of consumer wealth data. In 2016, the company generated $3.1 billion in revenue. Competitors
privately observed that Equifax did not upgrade its technological capabilities to keep pace with
its aggressive growth. Equifax appeared to be more focused on growing data it could
commercialize. Hackers gained access to Equifax systems containing customer names, Social
Security numbers, birth dates, and addresses. These four pieces of data are generally required for
individuals to apply for various types of consumer credit, including credit cards and personal
loans. Criminals who have access to such data could use it to obtain approval for credit using
other people's names. Credit specialist and former Equifax manager John Ulzheimer calls this is
a "nightmare scenario" because all four critical pieces of information for identity theft are in one
place. The hack involved a known vulnerability in Apache Struts, a type of open-source software
Equifax and other companies use to build websites. This software vulnerability had been publicly
identified in March 2017, and a patch to fix it was released at that time. That means Equifax had
the information to eliminate this vulnerability two months before the breach occurred. It did
nothing. Weaknesses in Equifax security systems were evident well before the big hack. A
hacker was able to access credit-report data between April 2013 and January 2014. The company
discovered that it mistakenly exposed consumer data as a result of a "technical error" that
occurred during a 2015 software change. Breaches in 2016 and 2017 compromised information
on consumers' W-2 forms that were stored by Equifax units. Additionally, Equifax disclosed in
February 2017 that a "technical issue" compromised the credit information of some consumers
who used identity-theft protection services from LifeLock. Analyses earlier in 2017 performed
by four companies that rank the security status of companies based on publicly available
information showed that Equifax was behind on basic maintenance of websites that could have
been involved in transmitting sensitive consumer information. Cyberrisk analysis firm Cyence
rated the danger of a data breach at Equifax during the next 12 months at 50 percent. It also
found the company performed poorly when compared with other financial-services companies.
The other analyses gave Equifax a higher overall ranking, but the company fared poorly in
overall web-services security, application security, and software patching. A security analysis by
Fair Isaac Corporation (FICO), a data analytics company focusing on credit scoring services,
found that by July 14 public-facing websites run by Equifax had expired certificates, errors in the
chain of certificates, or other web-security issues. Certificates are used to validate that a user's
connection with a website is legitimate and secure. The findings of the outside security analyses
3. appear to conflict with public declarations by Equifax executives that cybersecurity was a top
priority. Senior executives had previously said cybersecurity was one of the fastest-growing
areas of expense for the company. Equifax executives touted Equifax's focus on security in an
investor presentation that took place weeks after the company had discovered the attack. Equifax
has not revealed specifics about the attack, but either its databases were not encrypted or hackers
were able to exploit an application vulnerability that provided access to data in an unencrypted
state. Experts thinkand hopethat the hackers were unable to access all of Equifax's encrypted
databases to match up information such as driver license or Social Security numbers needed to
create a complete data profile for identity theft. Equifax management stated that although the
hack potentially accessed data on approximately 143 million U.S. consumers, it had found no
evidence of unauthorized activity in the company's core credit reporting databases. The hack
triggered an uproar among consumers, financial organizations, privacy advocates, and the press.
Equifax lost one-third of its stock market value. Equifax CEO Smith resigned, with the CSO
(chief security officer) and CIO departing the company as well. Banks will have to replace
approximately 209,000 credit cards that were stolen in the breach, a major expense. Lawsuits are
in the works. Unfortunately the worst impact will be on consumers themselves, because the theft
of uniquely identifying personal information such as Social Security numbers, address history,
debt history, and birth dates could have a permanent effect. These pieces of critical personal data
could be floating around the Dark Web for exploitation and identity theft for many years. Such
information would help hackers answer the series of security questions that are often required to
access financial accounts. According to Pamela Dixon, executive director of the World Privacy
Forum, "This is about as bad as it gets." If you have a credit report, there's at least a 50 percent
chance or more that your data were stolen in this breach. The data breach exposed Equifax to
legal and financial challenges, although the regulatory environment is likely to become more
lenient under the current presidential administration. It already is too lenient. Credit reporting
bureaus such as Equifax are very lightly regulated. Given the scale of the data compromised, the
punishment for breaches is close to nonexistent. There is no federally sanctioned insurance or
audit system for data storage, the way the Federal Deposit Insurance Corporation provides
insurance for banks after losses. For many types of data, there are few licensing requirements for
housing personally identifiable information. In many cases, terms-of-service documents
indemnify companies against legal consequences for breaches. Experts said it was highly
unlikely that any regulatory body would shut Equifax down over this breach. The company is
considered too critical to the American financial system. The two regulators that do have
jurisdiction over Equifax, the Federal Trade Commission and the Consumer Financial Protection
Bureau, declined to comment on any potential punishments over the credit agency's breach. Even
after one of the most serious data breaches in history, no one is really in a position to stop
4. Equifax from continuing to do business as usual. And the scope of the problem is much wider.
Public policy has no good way to heavily punish companies that fail to safeguard our data. The
United States and other countries have allowed the emergence of huge phenomenally detailed
databases full of personal information available to financial companies, technology companies,
medical organizations, advertisers, insurers, retailers, and the government. Equifax has offered
very weak remedies for consumers. People can go to the Equifax website to see if their
information has been compromised. The site asks customers to provide their last name and the
last six digits of their Social Security number. However, even if they do that, they do not
necessarily learn whether they were affected. Instead, the site provides an enrollment date for its
protection service. Equifax offered a free year of credit protection service to consumers enrolling
before November 2017. Obviously, all of these measures won't help much because stolen
personal data will be available to hackers on the Dark Web for years to come. Governments
involved in state-sponsored cyberwarfare are able to use the data to populate databases of
detailed personal and medical information that can be used for blackmail or future attacks.
Ironically, the credit-protection service that Equifax is offering requires subscribers to waive
their legal rights to seek compensation from Equifax for their losses in order to use the service,
while Equifax goes unpunished. On March 1, 2018, Equifax announced that the breach had
compromised an additional 2.4 million more Americans' names and driver's license numbers.
Harmful data breaches keep happening. In almost all cases, even when the data concerns tens or
hundreds of millions of people, companies such as Equifax and Yahoo that were hacked continue
to operate. There will be hacksand afterward, there will be more. Companies need to be even
more diligent about incorporating security into every aspect of their IT infrastructure and
systems development activities. According to Litan, to prevent data breaches such as Equifax's,
organizations need many layers of security controls. They need to assume that prevention
methods are going to fail. ----------------------------------- Reference: Kenneth Laudon, Jane
Laudon, Kenneth C. Laudon, Jane P. Laudon. (2018). Management Information Systems:
Managing the Digital Firm (16th Edition) [Texidium version]. Retrieved from
http://texidium.com Post Instructions Your post should be at least 250 words. Once you have
posted, you are expected to respond to at least 2 other people's posts. Respond with information
that can stimulate further discussion into the post you are responding to or show what you have
learned from it.