Executive Summary
This report assesses Equifax’s risk management strategies in light of the 2017 data breach that exposed the personal information of 147 million consumers. The study examines the firm’s attitude toward and appetite for risk, its risk-identification processes, the consequences and impacts of the breach, and the application of pertinent theoretical models and ideas. It finds that Equifax’s risk-taking culture was out of line with its risk tolerance, leading to inadequate cyber security measures and weaknesses that attackers exploited. The incident had significant adverse effects on the company’s finances, reputation, and legal standing, as well as wider ramifications for the credit sector and data protection laws. The report recommends that Equifax approach its cyber security procedures with a greater understanding of the risks involved, including regular risk assessments, staff education, and open reporting to stakeholders, and that its cyber security strategy also incorporate risk management, business continuity, and crisis management. The overarching goal of the report is to add to the continuing discussion of risk management in a global context and to help companies like Equifax identify and prevent similar breaches.
Introduction
The goal of this report is to investigate the Equifax data breach and its effects on industry, commerce, and the credit sector. The investigation begins with a synopsis of Equifax, covering its background and business practices. It then considers Equifax’s risk tolerance and attitude in light of the breach. The system for spotting threats, and the vulnerabilities that allowed the intrusion, are also examined. The effects of the Equifax hack are identified and studied, including financial, reputational, and legal repercussions. Pertinent theoretical frameworks and ideas from risk management, business continuity, and crisis management are also covered, and the report examines how these methods and ideas could have been used to avoid or limit the 2017 Equifax data breach. According to Hopkin (2017, p. 75), risk management should be carried out in the context of the company, the business environment, and the risks it faces. To discover the essential elements that are key to successful risk management, analysis of internal processes and activities inside an organization is vital (Week 2, slide 10). The 2017 data breach case is used as a framework to apply the risk management process and characterize its context.
Equifax Company Culture and Case Background
Equifax is a worldwide information solutions firm that offers a variety of financial services to commercial customers and private individuals, including credit reporting, risk management, and others. Equifax, like any other organization, has a corporate culture that outlines the firm’s values, practices, and attitudes toward its workers, customers, and other stakeholders. Transparency, honesty, and accountability are strongly valued in Equifax’s risk management culture. The organization is devoted to providing its customers with trustworthy and accurate data while also respecting their right to privacy and the protection of their personal data. Equifax values its workers and strives to create a work atmosphere that welcomes all people, supports diversity, and promotes teamwork, creativity, and lifelong learning. In terms of risk management, Equifax uses a risk-based approach to its business operations. This implies that the firm detects, evaluates, and manages any risks that may affect both its customers and its business. The risk management strategy for the organization comprises frequent monitoring of its systems and procedures, as well as the implementation of controls and protocols to avoid and minimize any threats.
Equifax has operations in 24 countries and a database of more than 800 million people and 88 million enterprises, and the company has become a significant player in the financial services sector. A data breach in 2017 exposed 147 million people’s sensitive personal information, such as Social Security numbers, birth dates, and addresses. A flaw in Equifax’s website software that had been known to the company’s IT staff for months went unpatched, which led to the hack (Shepherd 2019). Following the incident, Equifax came under intense scrutiny and criticism, and many people questioned how the corporation handled and responded to the situation. The attack substantially affected Equifax’s finances and image and had broader ramifications for the credit business and data protection laws. However, Starbuck and Milliken (1988, p. 323) believe that after setbacks, those involved in sociotechnical systems redouble their efforts and become more cautious going forward. Therefore, Equifax is now a better risk manager than it was in 2017.
Equifax Risk Attitude
Based on the 2017 data breach information, the report assessed Equifax’s risk attitude and appetite. Risk attitude focuses on how people perceive the organization and its attitude toward taking risks (Week 5, slide 12). Collecting and managing highly sensitive personal data was the foundation of Equifax’s business strategy, which was inherently risky, so the company’s risk management strategy should have given priority to protecting this information. However, the data leak showed that Equifax had not followed the crucial security precautions needed to secure its data. Specificity in the definition is critical in creating risk matrices (Week 3, slide 8). According to Shepherd (2019), Equifax could have adopted a risk-averse stance toward data security, yet it appeared unaware of the consequences of a data breach.
Equifax Risk Appetite
Equifax’s risk appetite was harder to ascertain. It is uncertain whether the company had formal risk appetite statements at the time of the breach, so it is unclear how much risk the company was willing to accept in pursuit of its goals. Equifax’s failure to put proper security measures in place, however, suggests that the business was too tolerant of risk. Its risk appetite for data security is likely to have changed because of the incident’s major financial and reputational ramifications.
Equifax Risk Identification
Before the data breach, Equifax’s risk detection methods were insufficient and its vulnerabilities went unaddressed. One of the main factors leading to the Equifax attack was the company’s failure to fix known system vulnerabilities. Equifax was using Apache Struts when the Department of Homeland Security warned about a vulnerability in that web application framework in March 2017. The vulnerability allowed attackers to execute code remotely on the server and steal private data. Equifax disregarded the notice and failed to patch the vulnerability, and the data breach occurred a few months later (Shepherd 2019). Moreover, Equifax continued to foster a culture in which data collection and storage took precedence over security. The company was well known for gathering enormous amounts of data on people, including private data such as Social Security and credit card numbers, yet it did not devote adequate resources to keeping this data safe. Security at Equifax was also decentralized, with several business units responsible for their own security protocols, and the security team’s staffing and training were found to be inadequate, making it challenging to recognize and address security risks. The risk identification process includes identifying internal and external events that, if they occur, may affect the organization’s goals (Week 4, slide 8). The decentralized structure made it difficult to detect and manage security threats at the corporate level, and the business lacked a comprehensive risk management framework that would have allowed it to recognize and prioritize security risks across the board.
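As an added example (not code from the original report), the check below shows the kind of centralized risk-identification step discussed above: it walks a constructed asset inventory, flags hosts whose Apache Struts build falls inside the CVE-2017-5638 affected ranges or whose version was never recorded, and measures each host’s exposure against the advisory and scan dates given in the appendix. Hostnames, business units and the two-day patch SLA are assumptions; the version ranges are those published in the Apache advisory.

```python
"""Risk-identification check for CVE-2017-5638: flag assets that still run an affected
Apache Struts 2 build, or whose version was never recorded, and measure their exposure."""
from datetime import date

# Affected Struts 2 releases per the Apache advisory (fixed in 2.3.32 and 2.5.10.1).
VULNERABLE_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))
ADVISORY_DATE = date(2017, 3, 7)   # advisory date from the report's timeline
SCAN_DATE = date(2017, 3, 15)      # date of Equifax's own scan in the timeline
PATCH_SLA_DAYS = 2                 # assumed internal patch deadline, not from the report

# Constructed asset inventory; 'struts' is None when the owning unit never reported it.
INVENTORY = [
    {"host": "acis-web-01", "app": "ACIS", "unit": "US Consumer", "struts": "2.3.30"},
    {"host": "acis-web-02", "app": "ACIS", "unit": "US Consumer", "struts": "2.3.30"},
    {"host": "portal-03", "app": "Partner Portal", "unit": "Commercial", "struts": "2.5.10.1"},
    {"host": "legacy-07", "app": "Dispute Intake", "unit": "Canada", "struts": None},
    {"host": "intranet-01", "app": "HR Portal", "unit": "Corporate", "struts": "2.3.4"},
]

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric suffixes such as '-GA' are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_vulnerable(version_text):
    """True when the version lies inside any affected range (bounds inclusive)."""
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)

def assess(inventory, as_of):
    """One finding per host that is confirmed vulnerable or has no recorded version;
    the second class is what a scan limited to known components silently misses."""
    days_exposed = (as_of - ADVISORY_DATE).days
    findings = []
    for asset in inventory:
        if asset["struts"] is None:
            status = "unknown-version"   # cannot be assumed safe; needs a live scan
        elif is_vulnerable(asset["struts"]):
            status = "vulnerable"
        else:
            continue
        findings.append({"host": asset["host"], "app": asset["app"], "unit": asset["unit"],
                         "status": status, "days_exposed": days_exposed,
                         "sla_breached": days_exposed > PATCH_SLA_DAYS})
    return findings

def by_unit(findings):
    """Roll findings up by business unit so one central team sees the whole estate."""
    rollup = {}
    for finding in findings:
        rollup.setdefault(finding["unit"], []).append(finding["host"])
    return rollup

if __name__ == "__main__":
    for f in assess(INVENTORY, SCAN_DATE):
        print(f"{f['host']:<12} {f['status']:<16} {f['days_exposed']}d exposed, "
              f"SLA breached: {f['sla_breached']}")
```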
Equifax Risk Consequences
Equifax, its clients, and other stakeholders suffered significant repercussions as a result of the 2017 data breach, and its financial, reputational, and legal effects persisted for years after the incident. To start, Equifax suffered a profound financial loss. The business was responsible for paying penalties, settlements, consulting fees, legal fees, and investigative charges, as well as the cost of providing credit monitoring and identity protection to customers affected by the breach. It cost $1.7 billion, making it the most costly data security breach ever (Martin 2017). The breach also had a major effect on Equifax’s stock price: the corporation’s market value fell by $5.3 billion as the stock price dropped 31% in the week after the breach was discovered, and it took the company many years to fully recover its stock price from the decline the breach caused (Martin 2017). The hack also significantly damaged the company’s reputation. The incident destroyed the confidence of millions of customers who had entrusted Equifax with their highly sensitive personal data. In addition to damaging Equifax’s image with customers and regulators, the breach presented the business with difficult legal issues and sparked concerns about its capacity to protect sensitive data. A number of lawsuits, including class actions on behalf of harmed customers, were brought against the corporation, and four Chinese People’s Liberation Army soldiers were charged with violating US law in 2020 in connection with the breach. The incident revealed holes in the credit reporting system, underlined the need for stronger cyber security measures, and prompted a closer examination of data privacy laws.
Equifax Risk Impacts
In addition to affecting the corporation and its consumers, the Equifax data breach substantially influenced the credit industry, cyber security practices, and data privacy laws. First, the hack seriously damaged Equifax’s image in both the public and financial spheres. The company had to pay enormous court costs, penalties, and fees for consultants, attorneys, and investigators, and the attack forced millions of individuals to pay a significant price for identity protection and credit monitoring. Second, the corporation lost $5.3 billion in market value in only one week after the hack was made public, and the breach had major repercussions for the consumers whose data was leaked (Martin 2017). Hackers obtained 147 million people’s addresses, Social Security numbers, and other private information, exposing them to identity theft and other fraudulent activity. The intrusion also affected the banking sector by revealing weaknesses in its cyber security procedures, and it damaged consumers’ confidence in Equifax and the other credit reporting agencies that use personal data to determine creditworthiness. According to Martin (2017), the data breach also affected British customers of businesses including Capital One and British Gas. The event made clear that improved cyber security measures are required, especially for businesses handling sensitive personal data, and the reliability of credit reporting agencies, which are responsible for upholding the accuracy of credit information, has also been questioned (Shepherd 2019). Finally, the Equifax data breach influenced data privacy law: legislators and government officials are reviewing current data privacy rules in light of the event and considering new legislation to safeguard customer data. The event brought attention to the need for more comprehensive and stringent data protection legislation to guarantee that enterprises manage personal information responsibly and securely.
Models and Theoretical Concepts in the Equifax Data Breach Case
Many theoretical models and ideas from risk management, business continuity, and crisis management could have been used to prevent or lessen a breach such as Equifax’s in 2017. One pertinent model is the risk management framework, which Equifax could have employed to find and fix the flaws in its procedures and systems that allowed the attack. Defense in depth is another key idea; it calls for many layers of security measures to fend off possible threats. Equifax could have prevented the intrusion with a strict and organized risk management plan (Shepherd 2019), which would have allowed it to harden its critical data and systems, making it harder for attackers to get past its security. To stop unauthorized access to its systems and data, it could have introduced tighter access controls, such as multi-factor authentication, alongside encryption (Shepherd 2019). Equifax would also have benefited from a thorough business continuity and crisis management plan, which would have offered a road map for handling a data breach and minimizing its effects on the business and its clients. Hopkin (2017, p. 343) agrees that risk management strategies should be set within the broader framework of corporate governance. Procedures for locating and containing the breach, notifying clients and stakeholders, and working with law enforcement and regulatory organizations should all have been part of such a plan.
The Synthesis between Academic Concepts and Equifax Data Breach Case
The Equifax data breach serves as a case study for applying several theoretical frameworks and ideas from risk management, business continuity, and crisis management. One helpful paradigm is the risk management process, which involves recognizing, assessing, prioritizing, and resolving hazards; one strategy within it is to stop the activity that creates the risk (Week 7, slide 10). The breach suggests that Equifax had weaknesses at each of these stages: it failed to recognize the risk of a cyber attack, to assess the potential impact of such an attack, to prioritize cyber security as a top concern, and to respond promptly and effectively once the breach occurred (Shepherd 2019). The need for a crisis management plan is another crucial consideration. The company was criticized for its slow and ineffective reaction to the breach, which indicates a deficient crisis management strategy. Identifying disruptive events in advance and taking the necessary action reduces the likelihood of their occurring, limits the harm they may do, and contains their cost (Week 1, slide 13). A thorough plan would contain clear roles and responsibilities for crisis management, communication procedures for stakeholders, and techniques for determining and minimizing the effects of the breach. Starbuck and Milliken (1988, p. 333) insist that once issues and threats are identified, they may be addressed through fine-tuning, reducing waste, saving money, and increasing output.
Conclusion and Recommendation
The report evaluated the 2017 Equifax data breach and provided a short overview of the company. It addressed risk attitude, risk identification, risk consequences, and risk impacts, and discussed pertinent theoretical models, frameworks, and ideas and how they could have helped Equifax avert or lessen the catastrophe. Hopkin (2017, p. 180) asserts that in any given firm, the measures that may be taken to achieve a higher level of risk management should be under continuous scrutiny. The focus of risk analysis should be on understanding rather than pure prediction (Week 6, slide 12). Therefore, to safeguard their stakeholders from the potentially disastrous effects of a data breach, businesses need to emphasize proactive risk management and invest in strong cyber security measures. To lessen the damage and begin rebuilding trust after a breach, businesses must also communicate openly and promptly with stakeholders.
References
Hopkin, P 2017, Fundamentals of risk management: understanding, evaluating and implementing effective risk management, 4th ed., Kogan Page Limited, London and New York, NY, pp. 1–489.
Martin, A 2017, ‘Mass data breach with Equifax hack “an unmitigated disaster”’, Sky News, [online]. Available at: https://news.sky.com/story/mass-data-breach-with-equifax-hack-an-unmitigated-disaster-11026490.
Shepherd, A 2019, ‘The Equifax effect: explaining the disaster’, IT PRO, [online]. Available at: https://www.itpro.co.uk/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century.
Starbuck, W and Milliken, F 1988, ‘Challenger: fine-tuning the odds until something breaks’, 4th ed., New York University, New York, USA, pp. 319–388.
Week 1. (n.d.). Risk management in a global context. Slides 1-15.
Week 2. (n.d.). Risk management in a global context. Slides 1-16.
Week 3. (n.d.). Risk management in a global context. Slides 1-13.
Week 4. (n.d.). An Introduction to Enterprise Risk Management. Slides 1-14.
Week 5. (n.d.). Risk management in a global context. Slides 1-17.
Week 6. (n.d.). Risk management in a global context. Slides 1-15.
Week 7. (n.d.). Risk management in a global context. Slides 1-16.
Appendices
Table of Important Events
Date | Event |
7th March 2017 | The Apache Struts Project Management Committee announced the CVE-2017-5638 vulnerability. |
8th March 2017 | Equifax received a message from the US-CERT, the United States Computer Emergency Readiness Team, on Apache Struts vulnerability. |
9th March 2017 | Equifax’s Global Threat and Vulnerability Management (GTVM) team sent an internal email urging the relevant parties to apply the fix described in the US-CERT notice. |
10th March 2017 | The first indication that attackers were using servers to exploit the Apache Struts vulnerability was noticed. |
15th March 2017 | The security team at Equifax performed scans to find any systems running the vulnerable version of Apache Struts. |
13th May 2017 | Vulnerability in Apache Struts allowed attackers to access the Equifax network. |
29th July 2017 | Equifax updated the device monitoring the ACIS network’s security certificate, which had expired. |
30th July 2017 | Equifax took down the ACIS application. |
31st July 2017 | Equifax employees discovered that personally identifiable information (PII) may have been compromised as a result of the intrusion. |
2nd August 2017 | Equifax hired cyber security company Mandiant and law firm King and Spalding to investigate the breach. Equifax also notified the Federal Bureau of Investigation. |
11th August 2017 | Mandiant discovered that the hackers may have accessed a database table containing a large volume of data. |
17th August 2017 | A senior leadership team meeting was held at Equifax to review Mandiant’s early findings, and initial conclusions about the data leak were drawn. |
24th August 2017 | Mandiant validated the amount of PII obtained and formulated a strategy to identify any impacted customers. |
4th September 2017 | Equifax generated a list of 143 million US citizens based on Mandiant’s investigation. These were customers whose private data could have been compromised. |
7th September 2017 | Equifax disclosed the incident to the general public. According to Equifax, the data obtained by the hackers included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. |
14th September 2017 | The House Committee on Oversight and Government Reform and the House Committee on Science, Space, and Technology began looking into the Equifax data breach. |
2nd October 2017 | Mandiant concluded its forensic investigation and identified an additional 2.5 million victims. |
3rd October 2017 | Richard Smith provided testimony to the Subcommittee on Consumer Protection and Digital Commerce. |
1st March 2018 | Equifax announced additional details on the 2017 hack, naming the perpetrators. |
Numbers on the Equifax Data Breach
Days | Impact |
76 | The number of days the attackers operated inside Equifax’s networks before they were found. |
143 million | The number of customers whose data was compromised. |
Amount | Impact |
$1.4 billion | Amount of money Equifax has invested in enhancing its security after the data breach. |
$125 | The maximum compensation a customer received if their data was among the records stolen from Equifax’s systems. |