
Equifax Data Breach: Risk Management

Executive Summary

This business report contributes to the study of risk management in a global context and to how companies avoid and mitigate risks such as data breaches. It analyzes Equifax’s risk management procedures in light of the 2017 data breach, which exposed the personal information of roughly 147 million individuals. The report evaluates the implications and repercussions of the breach using appropriate theoretical frameworks, and considers the firm’s risk identification methods, risk attitude, and risk appetite. It finds that attackers took advantage of a known but unpatched vulnerability and of insufficient cyber security procedures at Equifax, and that the company’s risk-taking behaviour did not correspond with the risk appetite its business demanded. The breach has far-reaching implications not only for the credit industry but also for data protection legislation, and for the bottom line and reputation of the organization. The report concludes that Equifax’s data security operations could be improved by meaningful and routine risk assessments, staff training, and transparent communication with stakeholders, and it stresses the need to integrate crisis management, business continuity, and risk management into cyber security policy. The objective of the paper is to contribute to the continuing research on risk management on a global scale and to assist firms like Equifax in preventing and mitigating future data breaches.

Introduction

The modern world is characterized by constant operational change and rapid technological dynamism. Information technology has benefited organizations by improving operations and communications, but it also carries unavoidable drawbacks, among them cybercrime. The rise in cyber security incidents has brought businesses down, prompting the development of incident handling and crisis management solutions. These risks have to be managed. Risk management is the process of gathering information that can be used to analyze both the likelihood of an event occurring and the extent of its negative impact (Week 5, slide 6). This report analyzes the implications of the Equifax data breach for companies and for the credit industry. The first part introduces Equifax, covering its background as well as its past and current endeavours. The next part examines Equifax’s risk attitude and risk appetite in light of the evidence currently available. The report then investigates how the vulnerabilities and threats that ultimately led to the attack were, or were not, identified, followed by an analysis of the financial, reputational, and legal repercussions of the attack on Equifax. It concludes with a discussion of key theoretical models and ideas from crisis management, business continuity, and risk management, and of whether applying them could have protected Equifax or lessened the impact of the attack. According to Hopkin (2017, p. 28), a long-term risk is one that may still affect the organization long after it materializes; cyber security incidents therefore need a prompt reaction and mitigation measures to prevent further harm to the company’s data.

Risk management should therefore be described in terms of the factors that help contain risk (Week 1, slide 7). The purpose of this paper is to highlight the risk management elements relating to Equifax’s 2017 data breach.

2017 Data Breach Overview

Equifax is a consumer credit reporting agency: it collects data on the credit and payment histories of individuals, together with other personal information, and also sells services such as credit monitoring and protection against identity theft. In 2017 hackers gained entry to Equifax’s systems and took the confidential information of what the company initially put at 143 million people (Martin 2017); the figure was later revised to about 147.9 million, mostly Americans but also some British and Canadian residents. According to Shepherd (2019), the stolen data included names, Social Security numbers, dates of birth, driver’s license numbers, and residential addresses. The attack disrupted Equifax’s operations, and the company’s image deteriorated considerably as consumers lost trust in it. Equifax’s information technology staff had been warned months before the breach was discovered that a known vulnerability affected its web application software. Once the breach was disclosed, the corporation came under intense scrutiny and criticism, and many questioned the adequacy of its response. The hack had far-reaching repercussions for both the credit sector and data protection legislation, and it cost Equifax a large amount of money in addition to damaging its image. The adoption of appropriate risk management strategies is therefore necessary for a strategic response (Week 3, slide 6). Chief executive Richard Smith stepped down in the wake of the disclosure, leaving Equifax with new leadership; an investigation into the breach followed, and Equifax was penalized.

Risk Attitude

Equifax’s business model involved collecting and storing customers’ sensitive information, so the company’s attitude to risk needed to place the safeguarding of that data at its centre. However, the company failed to act on a Department of Homeland Security (US-CERT) alert about a vulnerability in Apache Struts, a widely used open-source web application framework. The decades-old system that let customers view and dispute their credit reports online ran on an unpatched Apache Struts installation (Shepherd 2019). The House investigation found that, having exploited the vulnerability, the attackers installed a web shell on the server, which gave them access for more than two months; they then obtained an unencrypted file of credentials on one machine and used it to move through the organization’s systems, reaching 48 databases that held unencrypted consumer credit data. The breach therefore showed that Equifax had not taken sufficient precautions to secure the sensitive information of its customers and clients (Martin 2017). It suggests that Equifax was overconfident in its approach to data security and, as a result, did not fully comprehend the risk it was carrying.

Risk Appetite

Equifax’s risk appetite describes how much risk the company was willing to accept in pursuit of its goals, including how much exposure of customers’ data it would tolerate. That appetite was not matched by its controls. At the time of the breach, neither the company’s public statements on risk appetite nor the organization’s actual preparedness were strong enough for a business whose core asset is personal data. In this respect Equifax was too risk-tolerant, as its failure to implement basic security measures such as timely patching shows; a risk-averse firm would not have left a known critical vulnerability unpatched for months. After the data breach it is probable that Equifax adopted a more conservative stance on the security of customer information.

Risk Identification

Equifax’s procedures for identifying, describing, and cataloguing threats to its data assets and business operations were not sufficient to prevent the breach. Both the weakness of its risk assessment methodology and the security flaws it left in place were to blame. The key contributing factor was that Equifax did not patch a known flaw in its systems: the Apache Struts vulnerability allowed attackers to execute commands on the server remotely and to install malicious code. Shepherd (2019) notes that the breach followed shortly after Equifax failed to act on the warning. Although it was well known that the corporation held sensitive data such as Social Security numbers and credit card information, insufficient resources were assigned to guarantee its safety. At Equifax, individual business divisions were responsible for their own security practices, and the central security team lacked both the training and the staff to detect and respond to security events. Under this arrangement it was difficult to uncover and handle security concerns at the enterprise level. Preventative controls are measures a company may put in place to reduce the likelihood that a negative outcome occurs (Week 7, slide 13). Equifax did not have a rigorous risk management framework, which would have helped it identify and rate security risks before the incident.
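The patch gap described above comes down to knowing which systems run the affected library. The following script is added here as an illustration; it is not code from Equifax or from the report’s sources. It inventories a directory tree for Apache Struts 2 core jars and flags versions inside the ranges the Struts project’s S2-045 advisory lists for CVE-2017-5638 (2.3.5 to 2.3.31 and 2.5 to 2.5.10). The directory layout, jar names, and the “acis” application folder in the sample tree are constructed, and the recursive flag shows how a scan limited to a top-level directory misses deployments in subdirectories.

```python
"""Added example: inventory a file tree for Apache Struts 2 core jars and
flag versions affected by CVE-2017-5638. Illustrative code, not Equifax's.
Affected ranges are taken from the Struts S2-045 advisory."""
import os
import re
import tempfile

# (lowest, highest) affected versions per the advisory; tuples compare component-wise.
VULNERABLE_RANGES = (
    ((2, 3, 5), (2, 3, 31)),   # fixed in 2.3.32
    ((2, 5), (2, 5, 10)),      # fixed in 2.5.10.1
)
JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.3.31' -> (2, 3, 31)."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_struts(version):
    """True when the version falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def find_struts_jars(root, recursive=True):
    """Return sorted [(path, version, vulnerable)] for every struts2-core jar.

    recursive=False checks only the top-level directory, which is how a
    superficial scan misses application servers deployed further down.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            m = JAR_NAME.match(name)
            if m:
                version = m.group(1)
                hits.append((os.path.join(dirpath, name), version,
                             is_vulnerable_struts(version)))
        if not recursive:
            dirnames[:] = []  # prune the walk: do not descend
    return sorted(hits)


def vulnerable_paths(root, recursive=True):
    """Just the paths that need patching."""
    return [path for path, _, vuln in find_struts_jars(root, recursive) if vuln]


def build_sample_tree():
    """Constructed sample tree (empty placeholder jars), not a real deployment."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    sample_files = [
        "struts2-core-2.5.10.1.jar",                                     # patched, top level
        "tomcat/webapps/acis/WEB-INF/lib/struts2-core-2.3.31.jar",       # vulnerable, nested
        "tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.jar",     # vulnerable, nested
        "tomcat/webapps/portal/WEB-INF/lib/commons-io-2.4.jar",          # unrelated library
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, version, vuln in find_struts_jars(root):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {version:10} {path}")
    print("top-level-only scan finds:", vulnerable_paths(root, recursive=False))
```

Filename matching is only a first pass: a shaded or renamed jar defeats it, so a production inventory would also read the version from each jar’s manifest and from the application server’s deployment descriptors.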

Risk Consequences

The data breach had far-reaching repercussions for Equifax and for its customers. Settlements, penalties, fees for consultants, lawyers, and investigators, and the cost of providing credit monitoring and identity protection to affected consumers totalled about $1.7 billion for the business. Equifax lost $5.3 billion in market value in the week after it disclosed the hack, as its share price fell 31%. Two years after the attack, Moody’s revised Equifax’s credit outlook from stable to negative, citing the continuing high costs of the breach; it was the first time the agency had changed a company’s outlook with a cyber incident as a named factor, and the downgrade raised Equifax’s cost of borrowing. The ongoing expenditure continued to depress Equifax’s earnings, so its revenue and profit took a significant hit, as did its share price. At the time it was among the most expensive data breaches on record.

It took the corporation several years to fully regain its previous share price. The damage to Equifax’s reputation was particularly severe: the breach undermined the company’s standing and the faith of customers who had entrusted it with sensitive information. Equifax had to pay substantial legal penalties and settlement costs, and its image among business partners and regulators suffered. Individual consumers whose data was exposed brought legal actions over the mishandling of their data. In 2020 the United States charged four members of China’s People’s Liberation Army with carrying out the attack. The breach had far-reaching ramifications for the credit sector, cyber security standards, and data privacy rules, and state and federal authorities were compelled to examine Equifax’s data security policies and practices (Martin 2017). It brought to light flaws in the credit reporting system and raised concerns about the business sector’s practice of using Social Security numbers to identify customers. To preserve the essence of qualitative risk management, such strategies must be applied with care and with reliable tools (Week 6, slide 8). Additional layers of protection, such as encryption of stored data and multi-factor authentication, were needed to safeguard sensitive data.

Risk Impacts

Companies that handle sensitive information face a pressing need for stronger data protection measures. Businesses use risk matrices to describe their risk profile, plotting each risk by likelihood and impact (Hopkin 2017, p. 143). The losses Equifax eventually suffered illustrate what such a matrix should have anticipated. The breach severely affected both Equifax’s image and its financial stability: the company paid out large sums in settlements and penalties, on top of the costs of consultants, lawyers, and investigators, and the cost of providing credit monitoring and identity protection to millions of victims was a significant burden. The consumers whose information was stolen were exposed to fraud and identity theft, while investors saw the share price fall sharply, wiping $5.3 billion off the company’s value (Shepherd 2019). Finally, the breach affected the wider credit industry by exposing flaws in its cyber security, which caused customers to lose faith in credit reporting companies like Equifax and others that rely on personal information to determine creditworthiness. As a result, authorities felt obliged to review existing data privacy regulations, and the incident prompted more comprehensive and stringent data protection policies intended to assure the safety of client and company data.
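As an added illustration of the risk matrix approach Hopkin describes (this code is not part of the report or its sources), the following Python builds a small risk register from the weaknesses discussed in this report, scores each risk as likelihood times impact on five-point scales, bands the scores as a matrix would, and applies a risk appetite threshold to decide which risks must be treated rather than accepted. The register entries, their likelihood and impact ratings, the band cut-offs, and the appetite value of 6 are illustrative assumptions, not figures from Equifax.

```python
"""Added example: a semi-quantitative risk register scored on a 5x5 matrix
with an appetite threshold. Ratings below are illustrative assumptions."""
from dataclasses import dataclass

# Five-point ordinal scales of the kind used on a standard risk matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    treatment: str  # the control that would reduce likelihood or impact

    @property
    def score(self):
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score):
    """Map a likelihood x impact product onto the matrix's bands (assumed cut-offs)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register, appetite):
    """Rank risks by score; anything above the appetite threshold must be treated."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [
        {
            "name": r.name,
            "score": r.score,
            "rating": rating(r.score),
            "decision": "treat" if r.score > appetite else "accept",
            "treatment": r.treatment,
        }
        for r in ranked
    ]


def matrix(register):
    """Group risk names by (likelihood, impact) cell, ready to plot on a 5x5 grid."""
    grid = {}
    for r in register:
        cell = (LIKELIHOOD[r.likelihood], IMPACT[r.impact])
        grid.setdefault(cell, []).append(r.name)
    return grid


def sample_register():
    """Constructed register built from weaknesses named in this report.
    The likelihood and impact ratings are illustrative, not Equifax's own."""
    return [
        Risk("Unpatched Apache Struts on ACIS", "likely", "severe",
             "patch within 48 hours of advisory"),
        Risk("Expired certificate on traffic-inspection device", "likely", "major",
             "certificate expiry monitoring"),
        Risk("Unencrypted credentials file reachable from web tier", "possible", "severe",
             "secrets vault and least privilege"),
        Risk("Consumer data stored unencrypted", "possible", "major",
             "encryption at rest"),
        Risk("No multi-factor authentication on database access", "possible", "moderate",
             "MFA for privileged access"),
        Risk("Security awareness training lapses", "unlikely", "minor",
             "annual training"),
    ]


if __name__ == "__main__":
    for row in prioritise(sample_register(), appetite=6):
        print(f"{row['score']:>3} {row['rating']:<8} {row['decision']:<6} "
              f"{row['name']} -> {row['treatment']}")
```

The appetite threshold is what turns the matrix into a decision: everything scoring above it is outside tolerance and gets a named treatment and owner, which is exactly the step that turns a warning email about a patch into an action with a deadline.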

Theoretical Framework

Numerous risks arise from the intrinsic nature of the process that credit reporting organizations such as Equifax operate. Techniques and concepts from the fields of risk management, business continuity, and crisis management could have helped avoid or lessen the impact of the Equifax data breach. Risk management provides a standardized way of detecting and analyzing threats, putting preventative measures in place, and monitoring their effectiveness, which makes it a crucial element in handling uncertain threats to customers’ data. Sound risk management would have helped Equifax identify and address the security flaws that led to the breach. When conducting risk assessments, the specific nature of the company determines the scope of the dangers that must be considered (Hopkin 2017, p. 278). Had Equifax developed a thorough and methodical risk management plan, it might have prevented the breach. Readiness is also critical, since it requires multiple plans and approaches to data safety and protection. Reliable techniques for setting risk attitude and appetite and for identifying risks could have helped Equifax protect its data and systems. To safeguard its systems from unwanted access, Equifax would have benefited from a complete business continuity and crisis management strategy together with stronger technical controls such as encryption and strong authentication. With such a policy in place, the organization and its customers could have recovered from the incident more quickly. Data management requires constant security preparedness so that a breach is detected and contained quickly rather than months after the fact.

Cross-Disciplinary Relation

Risk management relies on business continuity and sound crisis management strategies. Data security is crucial because once attackers hold this information they can use it for crimes such as fraud. Equifax put its business at risk and faced serious financial and reputational damage as a result. The data breach nonetheless presents a number of opportunities to apply models and concepts from risk management, business continuity, and crisis management. Businesses emphasize the identification, evaluation, and management of data security risks. The incident suggests that the company failed to identify the risk of a breach, to assess its potential impact, to prioritize cyber security as a top concern, and to respond quickly and effectively. Catastrophic events help businesses improve as they develop countermeasures (Milliken and Starbuck 1988, p. 337). Crisis management therefore requires quick reactions to data breach cases. The Equifax case is relevant to business continuity planning because it shows why clear roles and responsibilities for crisis readiness and response, and procedures for communicating with stakeholders, are needed to mitigate the effects of a breach.

The data breach substantially affected Equifax’s operations, notably its capacity to offer quick and accurate credit reporting services. Determining which parts of the business absolutely must continue regardless of the situation is an essential step in developing an effective business continuity strategy. Regulatory compliance and risk management could have helped the organization identify critical business activities and implement measures to ensure their continuation in the event of a cyber security breach. Milliken and Starbuck (1988, p. 321) note that statistical reasoning often relies on probability distributions which assume that the odds of a recurring event stay the same; a long run without incident can therefore breed complacency about the next one. The theft at Equifax also highlights the importance of regulatory compliance. Companies in the credit reporting sector are required to adhere to stringent privacy and security regulations; Equifax’s failure to do so brought substantial financial penalties and reputational damage, and the event raised larger questions about the effectiveness of governmental oversight of the industry.

Conclusions

The report finds that Equifax was accountable for a breach that exposed millions of individuals to fraud and identity theft. Risk management clearly depends on business continuity and crisis strategies. The report highlights the importance of preventing and detecting software vulnerabilities: the root cause of the Equifax attack was a known but unpatched flaw, which a stronger vulnerability management process would have avoided. The paper opened with an executive summary of the incident and background on the company, showed how the elements of risk management should have been applied to the breach, and used applicable theoretical frameworks to draw out cross-disciplinary relations. To shield stakeholders from the potentially disastrous effects of a data breach, businesses must give proactive risk management high priority and invest substantially in solid cyber security systems. Managing disruptions is achievable only when the elements of risk management are reliable (Week 4, slide 12). When a breach does occur, a business should respond quickly and effectively to contain it, for the safety of the company and its customers.

References

Hopkin, P 2017, Fundamentals of risk management: understanding, evaluating and implementing effective risk management, 4th edn, Kogan Page, London and New York.

Martin, A 2017, ‘Mass data breach with Equifax hack “an unmitigated disaster”’, Sky News, viewed online, https://news.sky.com/story/mass-data-breach-with-equifax-hack-an-unmitigated-disaster-11026490.

Shepherd, A 2019, ‘The Equifax effect: explaining the disaster’, IT PRO, viewed online, https://www.itpro.co.uk/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century.

Milliken, F and Starbuck, W 1988, ‘Challenger: fine-tuning the odds until something breaks’, Journal of Management Studies, vol. 25, no. 4, pp. 319–340.

Week 1. (n.d.). Risk management in a global context. Slides 1-15.

Week 3. (n.d.). Risk management in a global context. Slides 1-13.

Week 4. (n.d.). An Introduction to Enterprise Risk Management. Slides 1-14.

Week 5. (n.d.). Risk management in a global context. Slides 1-17.

Week 6. (n.d.). Risk management in a global context. Slides 1-15.

Week 7. (n.d.). Risk management in a global context. Slides 1-16.

Appendices

Other Large Data Breaches, for Comparison with the Equifax Breach (about 147 million individuals)

Cards/accounts exposed    Company
130 million               Heartland Payment Systems
90 million                TJX
56 million                Home Depot

Customers exposed         Company
500 million               Yahoo
70 million                Target
100 million               Sony
117 million               LinkedIn
76 million                J.P. Morgan
80 million                Anthem

Timeline of the 2017 Equifax Data Breach

March 2017
· The Apache Struts Project Management Committee released a patch for CVE-2017-5638, and the US Computer Emergency Readiness Team (US-CERT) alerted Equifax to the vulnerability.
· After receiving the US-CERT alert by email, Equifax’s Global Threat and Vulnerability Management (GTVM) team requested that the update be applied within 48 hours. The first evidence of attackers probing an Equifax server through the Apache Struts vulnerability dates from this period.
· The security team ran scans to find systems running Apache Struts. The scans failed to identify any externally facing system as vulnerable, even though the ACIS application was running an unpatched version.

May 2017
· Attackers exploited the Apache Struts vulnerability in the Automated Consumer Interview System (ACIS) application to enter the Equifax network and install web shells.
· Using the legacy ACIS environment as a foothold, the attackers gained unauthorized access to Equifax databases, submitting around 9,000 queries to databases holding sensitive data.

July 2017
· Equifax renewed an expired certificate on the device that inspected ACIS network traffic, restoring its visibility of encrypted traffic; the security team then observed suspicious activity.
· The team continued to monitor network traffic for further unusual activity. ACIS was taken offline, and Graeme Payne, Senior Vice President and Chief Information Officer for Global Corporate Platforms, alerted Chief Information Officer David Webb that personally identifiable information (PII) had been leaked.

August 2017
· Equifax engaged King & Spalding as legal counsel and Mandiant as its cyber security firm, and notified the Federal Bureau of Investigation, which opened an inquiry into the intrusion.
· Mandiant reported that attackers had accessed a database table holding a large quantity of consumer PII.
· Mandiant verified the amount of PII taken and began working with the Equifax database owners on a strategy for locating the affected consumers.

September 2017
· Based on Mandiant’s findings, Equifax generated a list of 143 million American consumers whose private data had been compromised, and made the hack public. Equifax stated that names, Social Security numbers, dates of birth, addresses, driver’s license numbers, credit card information, and dispute documents had been taken.
· David Webb, the CIO, and Susan Mauldin, the Chief Security Officer, announced their retirement.

October 2017
· Mandiant concluded its forensic investigation and found that a further 2.5 million consumers had been affected.
· Equifax dismissed Graeme Payne for failing to forward the GTVM email of March 9 about patching the Apache Struts vulnerability.
· Richard Smith appeared before the Subcommittee on Digital Commerce and Consumer Protection of the House Energy and Commerce Committee.
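The May 2017 entry above describes exploitation of ACIS through the Struts vulnerability. As an added example, not part of the original report or its sources, the following Python applies a narrow detection rule for CVE-2017-5638 attempts: the flaw lay in the Jakarta Multipart parser, which echoed an invalid Content-Type (and related) header into an error message and evaluated any OGNL expression it contained, so an exploit request carries an OGNL expression such as %{...} in that header. The request records are constructed, not captured traffic, and the source addresses and request paths are placeholders.

```python
"""Added example: flag HTTP requests that carry an OGNL expression in the
headers the vulnerable Struts multipart parser interpolated (CVE-2017-5638).
Sample requests below are constructed, not real traffic."""
import re

# An OGNL expression opener smuggled into a header value.
OGNL_EXPRESSION = re.compile(r"[%$]\{")
# Identifiers that public S2-045 payloads use to escape the sandbox and run commands.
OGNL_PAYLOAD_HINTS = re.compile(
    r"@ognl\.OgnlContext|#_memberAccess|#cmd\b|ProcessBuilder|@java\.lang\.Runtime",
    re.IGNORECASE,
)
# Only these headers reached the parser's error message; others are ignored
# to keep the rule narrow and the false-positive rate low.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")


def classify_request(req):
    """Return a reason string if the request looks like an S2-045 attempt, else None."""
    for name, value in req["headers"].items():
        if name.lower() not in WATCHED_HEADERS:
            continue
        if OGNL_EXPRESSION.search(value):
            hint = OGNL_PAYLOAD_HINTS.search(value)
            return f"OGNL in {name}" + (f" ({hint.group(0)})" if hint else "")
    return None


def detect_struts_ognl(requests):
    """Run the rule over a batch of request records and collect alerts."""
    alerts = []
    for req in requests:
        reason = classify_request(req)
        if reason:
            alerts.append({"src": req["src"], "path": req["path"], "reason": reason})
    return alerts


def count_by_source(alerts):
    """Per-source alert counts: a few thousand from one address is a campaign, not noise."""
    counts = {}
    for alert in alerts:
        counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return counts


# Constructed sample requests (placeholder addresses from documentation ranges).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "path": "/acis/dispute.action",
     "headers": {"Content-Type":
                 "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                 "(#cmd='whoami').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}"}},
    {"src": "203.0.113.7", "method": "GET", "path": "/acis/index.action",
     "headers": {"Content-Type": "${#context['xwork.dispatcher.HttpServletResponse']}"}},
    {"src": "198.51.100.20", "method": "POST", "path": "/acis/dispute.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----FormBoundary7MA4YWxk"}},
    {"src": "198.51.100.21", "method": "GET", "path": "/acis/help.action",
     "headers": {"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "Mozilla/5.0 %{not-a-watched-header}"}},
]

if __name__ == "__main__":
    found = detect_struts_ognl(SAMPLE_REQUESTS)
    for alert in found:
        print(alert)
    print(count_by_source(found))
```

The rule is a signature for one exploit family and complements patching rather than replacing it. It looks only at the headers the vulnerable parser interpolated, so the `%{` in the User-Agent of the last sample request is correctly ignored. In practice it would run over a reverse proxy or WAF log that records request headers; a standard access log that omits Content-Type cannot support this check, which is one reason the decrypting inspection device in the July 2017 entry mattered.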

Follow-up Finding in 2018

March 2018
· Further investigation established that the attackers had also taken personal information belonging to an additional 2.4 million Equifax customers.

 

 
