Mid-Term Exam - The Equifax Data Breach Case Study

The Equifax data breach exposed the personal information of 148 million US citizens. A vulnerability in Apache Struts software allowed hackers to access Equifax's systems from May to July 2017. Equifax failed to patch the vulnerability after being notified, and an investigation later revealed sensitive data had been compromised.

A Case Study Analysis of the Equifax Data Breach 2

A Case Study of the Equifax Data Breach

Jason E. Thomas

MBA111

Philosophy and Ethics of Business

MID TERM EXAM

Prof. Lemuel Rodolfo Braña, PhD, MTM, PMP®, ITIL®, SMAC™, ISTQB®, CSSBB™, CMC®

The Equifax data breach was one of the most significant cyberattacks of 2017. The attack’s effects were far-reaching, affecting millions of people and multiple businesses and agencies. In fact, the attack was so concerning that the United States Government Accountability Office was engaged to investigate the incident and create a report for Congress about how to address the problem. This case study analysis will explore the facts and circumstances surrounding this damaging cyberattack, and critically analyze the factors concerning the case to draw conclusions about ways to mitigate future exposures. Lastly, a recent cyberattack will be explored, along with a brief comparison of consumer susceptibility to cybercrime versus traditional crime.

Background

Equifax is one of the top three consumer credit reporting agencies. On September 8, 2017, Equifax released a statement that it had been the victim of a cyberattack resulting in a massive data breach (Fruhlinger, 2019; Rajna, 2018). The world was shocked to learn that in this data breach, some 148 million US citizens’ sensitive personal data were compromised, including names, dates of birth, Social Security numbers, and driver’s license numbers (Marinos & Clements, 2018). In addition to personal information, some 209,000 credit card numbers were also stolen (Perez, 2017). The severity and scope of the Equifax data breach were unprecedented at the time. Though there had previously been larger breaches by record count, the sensitivity and criticality of the personal identifying information and financial information in this breach created a problem whose magnitude could barely be calculated at the time.

One of the issues that exacerbated the Equifax data breach was the fact that Equifax’s main product is essentially derived from a database containing much of the US population’s personal and financial information. The data stored by Equifax contains each person’s credit history, which includes personal identifying information, known addresses, and account numbers. Further, the system is not an opt-in system, as the data is gathered from businesses rather than from the individuals listed in the database. When a person borrows money, lending institutions report payment history, balances, and other key information. When someone wants to borrow money, the new lender checks this information to assess the borrower’s credit risk, which is used to make a lending decision.

Factors That Contributed to the Breach

In the initial announcement, Equifax stated that attackers had infiltrated its systems from May through July of 2017 (Gressin, 2017). The vulnerability that enabled attackers to enter the Equifax systems and effect the data breach was CVE-2017-5638 in Apache Struts 2. The flaw lies in the Jakarta Multipart parser used for file uploads: when the parser fails on a malformed request, it builds an error message that includes the offending HTTP header value, and that message is then evaluated as an OGNL expression. As a result, a remote attacker needs no credentials to execute arbitrary commands on the server; a single request with a crafted Content-Type, Content-Disposition, or Content-Length header suffices, and the exploitation seen in the wild in March 2017 used a Content-Type header containing a #cmd= string (NIST, 2018). Apache Struts is a popular open-source framework for building Java web applications (The Apache Software Foundation, 2018). Because it is used by many organizations, it is an exceptional target for cyber criminals: one flaw in the framework offers a potential entry point to a great number of victims and their information.
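As an added detection example (not code from the original paper, Equifax, or the Apache project), the following Python inspects the three multipart-related request headers named in the CVE description for OGNL expression markers, which is the signature of the in-the-wild exploitation. The two request strings are constructed samples, not captured traffic, and the expression fragment in the second one is deliberately incomplete: it assigns two OGNL variables and does nothing else if evaluated.

```python
import re
from typing import Dict, List, Tuple

# The three headers the vulnerable Jakarta Multipart parser echoed into its
# error message (per the CVE-2017-5638 description).
MULTIPART_HEADERS = ("content-type", "content-disposition", "content-length")

# OGNL expression delimiters "%{" / "${", plus the "#cmd=" marker from the
# March 2017 in-the-wild exploitation. Matched case-insensitively.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#cmd\s*=", re.IGNORECASE)


def parse_request_headers(raw_request: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP request as a lower-cased name -> value dict.

    Only the header block is parsed: the request line is skipped and parsing
    stops at the first empty line (start of the body).
    """
    headers: Dict[str, str] = {}
    lines = raw_request.split("\r\n")[1:]  # drop the request line
    for line in lines:
        if line == "":
            break
        if ":" not in line:
            continue  # malformed header line, ignore it
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_struts_ognl_indicators(raw_request: str) -> List[str]:
    """Return the names of multipart-related headers whose values carry OGNL markers."""
    headers = parse_request_headers(raw_request)
    return [
        name for name in MULTIPART_HEADERS
        if name in headers and OGNL_MARKERS.search(headers[name])
    ]


def scan_requests(requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan a batch of raw requests; return (index, flagged header names) for each hit."""
    results: List[Tuple[int, List[str]]] = []
    for i, req in enumerate(requests):
        hits = find_struts_ognl_indicators(req)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample requests (hostnames and boundary are made up).
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 512\r\n"
    "\r\n"
)

# Illustrative probe: an OGNL expression in place of a MIME type. The header
# name is lower-cased on purpose to exercise case-insensitive matching.
SUSPICIOUS_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "content-type: %{(#_='multipart/form-data').(#cmd='id')}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for idx, hits in scan_requests([BENIGN_UPLOAD, SUSPICIOUS_UPLOAD]):
        print(f"request {idx}: OGNL markers in {', '.join(hits)}")
```

The check is a request-level indicator, not proof of compromise: a hit means someone sent a Struts-style probe, and the next step is to confirm from server logs whether the application actually evaluated it.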

The Apache Software Foundation disclosed the vulnerability and released a patch for it on March 7, 2017, announcing the issue publicly at the same time (Marinos & Clements, 2018). On March 8, 2017, the Department of Homeland Security contacted Equifax and the other credit reporting agencies to notify them of the vulnerability and directed them to install the patch. Equifax systems administrators were notified of the patch again on March 9, 2017 and directed to install it.

On March 15, 2017, eight days after the patch announcement, seven days after notification from the Department of Homeland Security, and six days after the second notification, Equifax conducted a scan of its systems (Marinos & Clements, 2018). The scan did not flag the unpatched Apache Struts instance. Consequently, the systems remained unpatched and unprotected until July 29, 2017, when the security department at Equifax noticed suspicious activity on the network. Equifax took the affected application offline and, three days later, hired an external cybersecurity firm to conduct a forensic investigation. The initial investigation indicated that many files had been accessed. Ultimately, this resulted in announcements that the personal information of some 145 million Americans (a figure later revised to about 148 million), 8,000 Canadians, and 693,000 British citizens had been compromised.
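The lesson a practitioner draws from the missed scan is to verify patch state from the deployed artifacts rather than trusting a single scanner report. The Python below is an added example, not code from the paper, Equifax, or Apache: it picks struts2-core jar file names out of a constructed list of library paths and compares each version against the affected ranges listed in the Apache advisory for CVE-2017-5638 (2.3.5 through 2.3.31, fixed in 2.3.32, and 2.5 through 2.5.10, fixed in 2.5.10.1). The paths are made up.

```python
import re
from typing import List, Tuple

# Affected ranges for CVE-2017-5638 per the Apache advisory:
# 2.3.5 - 2.3.31 (fixed in 2.3.32) and 2.5 - 2.5.10 (fixed in 2.5.10.1).
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)

# Matches the Struts 2 core library as packaged under WEB-INF/lib.
STRUTS_CORE_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); Python compares tuples element-wise, like versions."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_struts_version(version: str) -> bool:
    """True if this Struts 2 version falls inside an affected range of the advisory."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < FIXED_2_3
    if v[:2] == (2, 5):
        return (2, 5) <= v < FIXED_2_5
    # Outside the ranges the advisory lists. Branches older than 2.3.5 were
    # out of support at the time and should be upgraded regardless.
    return False


def find_vulnerable_jars(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every struts2-core jar in an affected range."""
    hits: List[Tuple[str, str]] = []
    for path in paths:
        m = STRUTS_CORE_JAR.search(path)
        if m and is_vulnerable_struts_version(m.group(1)):
            hits.append((path, m.group(1)))
    return hits


# Constructed inventory of library paths (not from any real host).
SAMPLE_INVENTORY = [
    "/srv/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/srv/portal/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "/srv/reports/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/srv/legacy/WEB-INF/lib/struts2-core-2.5.10.jar",
]

if __name__ == "__main__":
    for path, version in find_vulnerable_jars(SAMPLE_INVENTORY):
        print(f"VULNERABLE struts2-core {version}: {path}")
```

On a real host the path list would come from a file-system walk of every deployed web application, including ones the application owners have forgotten about; the version check is only as good as the inventory it is fed.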

External Responses to the Data Breach

Equifax’s lackluster response to the notification of the vulnerability and bungled handling of the notification of the breach were met with great criticism. Equifax had to create a separate domain and webpage to disseminate the necessary information and to communicate with affected users and stakeholders (Equifax, 2019). This potentially well-intentioned business maneuver demonstrates the complexity of dealing with the issue. Other parties immediately set up fake settlement and information sites, creating additional opportunities for fraud and cybercrime as well as additional public confusion (Atleson, 2019; Rajna, 2018).
Adding insult to injury, the site was flagged as a phishing threat. Worse, Equifax customer service directed potential victims to one of the look-alike phishing sites via its Twitter feed (Deahl & Carman, 2017). As customers flocked to freeze their credit reports, they were issued PINs derived from the date and time at which the freeze was placed. Such PINs are easy for attackers to guess, because the search space shrinks from the full range of random values to the small set of timestamps at which a given freeze could have been placed, opening the door to further attacks. Further, Equifax was criticized for offering free credit monitoring while attempting, in the terms and conditions of the registration process, to remove consumers’ ability to sue.
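To make the PIN problem concrete, the Python below is an added example (not the paper’s or Equifax’s code) that places the weak timestamp-derived scheme beside a CSPRNG-based replacement and counts how many candidate PINs the weak scheme can produce in a window the attacker can narrow down. The exact timestamp layout (MMDDYYhhmm) and the ten-digit width are assumptions for illustration, not details stated in the paper.

```python
import secrets
from datetime import datetime, timedelta
from typing import Set


def timestamp_pin(frozen_at: datetime) -> str:
    """Weak scheme: the PIN is the freeze timestamp.

    The layout MMDDYYhhmm is an assumption for illustration; what matters is
    that the PIN is a function of a time an attacker can bound.
    """
    return frozen_at.strftime("%m%d%y%H%M")


def random_pin(digits: int = 10) -> str:
    """Replacement: a PIN drawn from the OS CSPRNG, zero-padded to a fixed width."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def timestamp_pin_candidates(start: datetime, end: datetime) -> Set[str]:
    """Every PIN the weak scheme could have issued for a freeze in [start, end)."""
    candidates: Set[str] = set()
    t = start
    while t < end:
        candidates.add(timestamp_pin(t))
        t += timedelta(minutes=1)  # the scheme has minute resolution
    return candidates


def guess_work_ratio(start: datetime, end: datetime, digits: int = 10) -> float:
    """How many times larger the random-PIN space is than the timestamp space
    for an attacker who knows the freeze happened inside [start, end)."""
    return (10 ** digits) / len(timestamp_pin_candidates(start, end))


if __name__ == "__main__":
    # Constructed scenario: the attacker knows the freeze was placed on
    # September 8, 2017 (the day of the announcement) but not at what time.
    day_start = datetime(2017, 9, 8)
    day_end = day_start + timedelta(days=1)
    print("weak PIN for 14:05 that day:", timestamp_pin(datetime(2017, 9, 8, 14, 5)))
    print("candidates in one day:", len(timestamp_pin_candidates(day_start, day_end)))
    print("random space is %.0fx larger" % guess_work_ratio(day_start, day_end))
    print("random PIN:", random_pin())
```

The ratio is the whole point: a ten-digit random PIN has ten billion possibilities, while a timestamp PIN from a known day has 1,440, and the day itself is often inferable from when a breach victim heard the news.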

As the situation continued to worsen and spiral out of control, governments at virtually all levels began to take notice and initiate inquiries and actions. Eventually, Equifax settled with the attorneys general of all 50 US states for some $600 million (Oregon Department of Justice, 2019). The federal government also took notice. The Federal Trade Commission conducted an investigation, Congress held several hearings to investigate Equifax, and bills were introduced in both the House and the Senate regarding the business processes used by credit reporting agencies and privacy (Marinos & Clements, 2018).
