The problem in Equifax
The main problem that was facing Equifax is related to the data breach that occurred between May and July 2017. Hackers discovered that Equifax’s systems had unpatched vulnerabilities in early 2017. They breached the apache struts of the company before handing it over to another team of hackers, who exploited it for several months before its discovery (Srinivasan et al. 5). They created backdoors in the company’s system, which they used to collect personal identifying information. The security team of the company discovered the problems almost three months later, which led to further investigations of the issue. The issue had caused severe impacts on the company, given that it deals with sensitive credit reports of millions of its customers (Srinivasan et al. 1). The information-sensitive nature of the company exposed it to cybercrime.
It had experienced several security lapses before the actual breach of its data at the beginning of 2017. The hackers were able to access its credit report in January 2014. Other security issues followed in 2015 and 2016, which exposed consumer information and tax data of 431,000 employees, respectively. The company did not take the necessary measures to address these issues. However, the problem reached its climax in February 2017 when the company discovered that hackers were downloading the tax documents of employees and utilizing Equifax workforce solutions for their financial gains.
The root causes of the problem
The company did not have the necessary security measures in place to prevent exposure of its data to hackers. For example, Cyence, a cyber-security firm, had noted that Equifax was ill-prepared to prevent and respond to a data breach. It had a probability of about 0.5 to experience such breaches in the future. Other reports had also shown that the company did not have data hygiene since most of the certificates of its public websites were expired or had other web-security issues. Its software patching and application security standards were rated below the expected levels (Srinivasan et al. 4). The MSCI report had also indicated that the privacy and data policies of Equifax were limited in scope and could not prevent a potential breach. It also failed to conduct a regular audit of its information security systems and policies. The continuous audit was critical, given that the company generated its revenue from the use of its information.
The company also ignored the early signs that could have played a vital role in preventing a further breach of its information. For example, it received a report from an independent researcher in 2016, which indicated that an unauthorized person could access its consumer information from its website. However, the management of the company did not take any serious action to prevent its potential cybersecurity vulnerabilities. In 2016, Equifax had also hired Deloitte firm to conduct an audit on its security systems (Srinivasan et al. 4). The audit report identified several security issues, such as an inadequate approach to patching systems, which were never addressed. Other warnings to Equifax also came from the Cisco Systems and the Department of Homeland Security.
The investigatory committee of the senate also noted that internal controls, accountability gaps, and technological barriers exposed the company to cybersecurity. For example, one of the managers had not forwarded an email to the security team to prevent a possible data breach. The company did not have internal controls to ensure efficient management of its patch systems (Srinivasan et al. 7). The security and IT personnel of Equifax were also not accountable for their actions. Finally, its technological systems were old, and it was not easy for the IT team to detect security risks.
Srinivasan, Suraj, Quinn, Pitcher, and Jonah, Goldberg. “Data Breach at Equifax.” Harvard Business School, (2019): 1-28.