Question
My research paper is on EQUIFAX DATA BREACH
For the final project, you are required to identify and research a publicized security breach that occurred within the last five years. You will research, analyze, and report on what aspects of perimeter and other security went wrong, what industry accepted protocols were not followed, and the short and long term impact on the company and the industry as a whole. GUIDELINES You should research and identify one publicized breach that occurred within the last five years. Your research on this breach should include but is not limited to:
• Background
o Business name and history (short version)
o Industry
o Hardware/software/applications involved (if available)
o Timing (Was this relevant, as with the Target breach?)
• Breach/Compromise
o Attacker’s methodology
o System(s) attacked
• Exfiltration
o Data/information exfiltrated? What data? Amount of data?
o How was this exfiltrated? (This may not be available.)
• Potential Effects to the Persons Involved
o For example, credit monitoring, fraud, and so forth
• Impact to the Business
o Rapport with the business community
o Lawsuits
o Civil (consumers suing)
o Civil (commercial entities [e.g., banks] suing)
o Civil (government [e.g., FTC with Wyndham Hotel lawsuit])
• Lessons Learned
o What could the affected business have done differently?
o Why did they not follow industry standards, if applicable?
• Your final project paper should be 4 to 6 pages in length (1000 to 1650 words), excluding the title page and reference section.
• You should follow APA citation format and include at least three references.
• Your paper should be well developed and convey your understanding of the readings and concepts.
Explanation / Answer
The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.
Equifax on Sept. 7 announced the cybersecurity incident, one of the largest in history. Unauthorized data access occurred from mid-May through July 2017. The breach was discovered on July 29.
The personally identifiable information (PII) that was accessed includes these details:
The company detailed the data breach in its press release. Among the key facts:
With the arrival of credit cards and computerization at midcentury, the information once retained by retailers or local bureaus was consolidated in databanks — and in the hands of a small number of credit card companies and credit agencies that monitored, and sold, the financial profiles of millions of consumers.
By the 1970s, consumers recognized the power that unfettered credit agencies held in shaping their fates and fortunes. They had seen reports about outfits like the Credit Data Corp., which enabled subscribers to procure credit checks on individuals in a mere 90 seconds. And they had read about how stray remarks, “lifestyle” choices and innuendo could compromise one’s credit rating, a quantitative score that was becoming standard nationwide.
Unsavory practices later revealed in a suit by the Federal Trade Commission against the Retail Credit Co. included its agents deliberately misrepresenting themselves as they sought information, as well as false or fabricated material in consumer files, arising from the expectation that agents would supply “a prescribed amount of adverse information.” Trafficking in a mountain of detail about individuals’ “character” and habits, with few checks on the fidelity of the reporting, these agencies were rightly understood as unaccountable gatekeepers.
The Equifax data breach has increased the risk of identity theft for millions of Americans. Consumers have concerns, including protecting their credit lines.
1. Credit freezes
What it does: A credit freeze “freezes” your credit report. A credit freeze means potential creditors cannot access your credit report, making it less likely an identity thief can open new accounts in your name. For more detail, read about credit freezes, credit monitoring and identity theft protection services.
2. Fraud alerts
What it does: When anyone applies for credit in your name, a credit alert requires creditors to take reasonable steps to verify that it’s you and not a criminal seeking a new credit card or loan, for instance. Initial fraud alerts have to be renewed after 90 days.
3. Credit monitoring
What it does: Credit monitoring services track changes to one or more of your credit reports, including applications for a new credit card or a loan. It can detect suspicious activity. For more detail, read about how identity theft protection differs from credit monitoring.
4. Identity theft protection
What it does: It typically provides credit file monitoring at one or more of the three credit reporting agencies and sometimes a credit score from one agency or more. Services may include alerts when your personally identifiable information is used in ways that may not show up on your credit report. Identity theft protection may also provide restoration services that help victims resolve various identity theft issues.
Businesses also have cause for concern. Many depend on information from the three major credit bureaus to approve consumer credit and employee security privileges, as well as to verify identities. The breach compromises the risk analysis and identity verification systems supporting many business operations. When that data is corrupted, it can put those organizations at risk.
In a nutshell: Expect commercial-focused class actions claiming potential harm to businesses and other entities as a result of the breach, in addition to the usual consumer class actions.
Many organizations depend heavily on the data sets collected, stored and managed by Experian, TransUnion and Equifax to assist with things like:
Post-breach, businesses must determine if, and to what extent, they can trust the information provided by not just Equifax, but all of the credit bureaus. To determine credit worthiness or verify identities, businesses check their information against known values, such as a consumer’s primary mortgage lender name, the last amount for their car loan payment, or even more mundane information like date of birth, home address or their employer’s name.
The problem is it’s not clear if these details were exposed as part of the breach since, according to Equifax, the records for approximately 180,000 individuals also included information about disputes, which encompassed additional personal data.
And consider this: Equifax is only one of three major credit bureaus. Much of the exposed data is essentially duplicated in the credit files held at the other bureaus, even if they collect that data separately and on their own. That means that the compromise of information at Equifax calls into question corresponding data at the other two main credit bureaus. Businesses can’t simply point their data requests somewhere else, because every data set is now suspect.
Attorneys should be considering what their business clients’ potential risk may be at this point. It will be critical for them to begin analyzing where risks exist and to develop strategies to mitigate them.
The Equifax data breach could spell trouble when it’s time to file your tax return, according to the U.S. Internal Revenue Service, and any hack involving millions of Social Security numbers could fuel that trend.
Tax-related identity theft occurs whenever someone uses your Social Security number to file a tax return in your name. One of the goals? To receive a fraudulent tax refund. Someone could also use your Social Security number to get a job.
You can take steps to help protect yourself from tax-related identity theft. The U.S. Federal Trade Commission encourages you to file your taxes early in the tax season, for instance. If you file your tax return first, the Internal Revenue Service will know any subsequent attempt to grab a refund in your name is likely fraudulent.
The FTC also recommends taking these steps.
Lessons learnt from the Equifax breach:
First, security is often incorrectly framed as a choice between security and privacy. In recent years, whether it is the debate on government's collection of metadata or law enforcement's increasing insistence on access to encrypted data, we are asked to choose sides between privacy versus security.
The Equifax incident unambiguously refutes that way of looking at things: privacy depends on security, and vice versa. In the Equifax case, the privacy of 143 million customers was clearly violated — and that breach of privacy introduced the potential for further, cascading breaches, where security is based on those exposed details, such as social security numbers and other sensitive personal information.
Better security undoubtedly leads to greater privacy protection for consumers whose data is aggregated by companies. And a greater emphasis on privacy helps create a culture that values security and is willing to put forth the effort to ensure it. We should learn that security isn't an end in itself, but rather a mechanism to protect important values, one of which is privacy.
Second, timing is key when notifying stakeholders after a breach. To the consternation of many observers, Equifax discovered that its systems had been breached on July 29 and reported it more than a month later, on September 7. By way of comparison, proposed European regulations mandate breach notification within 72 hours, while allowing explanation by the notifying party in case of any delays.
Notification shouldn't be arbitrary or an afterthought. The key question that should determine the length of time a company has to report a breach is the following: Would cyber incident damages be reduced more by allowing a company time to provide an organized response, or by allowing affected individuals to act earlier in a decentralized fashion? In the Equifax case, the extended period of time seems to have been unwarranted. After all, the company website established to ostensibly assist affected individuals has been plagued by accusations of inaccuracy and insecurity.
It's important to note that this is not just a problem between companies and customers or citizens. Notification is no better within many enterprises generally. A recent survey found that nearly 40 percent of U.S.-based, in-house attorneys and general counsel fail to disclose security issues to their board. In such cases, failure of clear governance makes companies — and everyone who connects to them through a network — far less secure.
Regardless of timing, pre-set processes by which companies notify customers of a breach should be part of their post-breach responsibilities. If companies are expected to provide guidance on how to deal with the aftermath, then they should prepare guidance beforehand or within a reasonable period post-breach (and held to account for their inability to provide guidance). At the same time, in order for an enterprise to ensure that its cyber-resilience strategy is effective, there need to be clear rules and timelines for managers to share information with company leaders.
Third, the government's role in the wake of a breach needs to be more clearly defined. The immediate aftermath of a breach usually centers (generally unhelpfully) on assigning culpability rather than focusing on the victims or on creating policies that would prevent breaches.
The U.S. (like other governments) made a policy choice to give organizations principal responsibility for responding to cyber attacks. Governments, as in other national security matters, could assume principal responsibility themselves or could develop a policy to share responsibility among key stakeholders.
But even as organizations are held responsible, the government's duty to assist these organizations remains ambiguous. Governments have technical expertise as well as emergency response capabilities that do not have a clear trigger in the current policy environment. At the very least, clear rules and lines of responsibility would help to create reasonable expectations around cyber defense for the private sector.
As cyberattacks continue to increase, the Equifax breach will soon be seen as unexceptional. What will remain exceptional is a culture and policy posture that labors under a dangerous black-and-white assumption where privacy is pitted against security.
Over the past 20 years, there have been ever greater "calls to arms" to tackle cyber security. And yet billions of dollars of market value have evaporated owing to cyber incidents in the last year, not to mention the consumer impact.
That status quo is not sustainable.