Title Page
Name: Abolaji Ogunmola
Course and Section: Legal and Ethical Issues in IT Security: SE-CSC208
Date: September 28, 2024
Professor’s Name: Glen Steins
Company: Equifax Inc.
Introduction
Equifax Inc. is a multinational consumer credit reporting agency that collects and aggregates
information on over 800 million individual consumers and more than 88 million businesses
worldwide. I chose Equifax because the 2017 breach was one of the largest data breaches in
history, affecting 147 million people and exposing sensitive information. It serves as a significant
case study on how a cybersecurity incident can have a profound impact on both individuals and
organizations.
Summary of the Incident
The Equifax data breach began in mid-May 2017, when cyber attackers exploited a vulnerability
in the Apache Struts web application framework used by Equifax. This vulnerability, known as
CVE-2017-5638, was a zero-day flaw that allowed hackers to gain unauthorized access to
Equifax's internal systems. This type of incident is categorized as a “data breach” because it
involves unauthorized access to confidential information. The attackers exploited this flaw using
a technique known as “remote code execution,” which allowed them to run commands on
Equifax’s servers and access sensitive data stored in their databases.
Despite an official patch being released by Apache on March 7, 2017, Equifax failed to apply the
patch promptly. This oversight left their systems vulnerable, and it wasn’t until May 13, 2017,
that attackers gained initial access to the network. Over the following weeks, they moved
laterally across Equifax's systems, escalating their access privileges, and systematically extracting
data. The attackers targeted a variety of databases, containing personal information for millions
of consumers. By the end of July 2017, they had stolen sensitive data belonging to 147 million
people.
The breach wasn't detected until July 29, 2017, when Equifax’s security team noticed suspicious
network traffic associated with one of their databases. Upon investigation, they discovered that
unauthorized access had been ongoing for approximately 76 days. The attackers had exfiltrated
a vast amount of data, including names, Social Security numbers, birth dates, addresses, and, in
some cases, driver’s license numbers. In addition, around 209,000 individuals had their credit
card information exposed, and approximately 182,000 dispute documents containing personal
data were compromised.
The organization responded immediately by taking the affected web application offline to stop
further unauthorized access. Equifax then engaged an independent cybersecurity firm to
conduct a comprehensive investigation of the breach and assess the extent of the damage. On
August 2, 2017, the company's board of directors was informed of the breach, and they worked
closely with the cybersecurity experts to gather detailed information on the incident.
However, it wasn’t until September 7, 2017, that Equifax publicly announced the breach. The
delay in notifying the public raised concerns and criticisms about Equifax's transparency and
ability to protect consumer data. As part of their response plan, Equifax set up a dedicated
website to provide information to those affected, offering free credit monitoring and identity
theft protection services for a year. They also established a call center to handle inquiries and
concerns from affected consumers.
In addition to public communications, Equifax took significant internal steps to enhance their
cybersecurity posture. The organization hired a new Chief Information Security Officer (CISO)
and implemented several changes to their cybersecurity infrastructure, including stronger
access controls, improved network segmentation, enhanced encryption protocols, and more
rigorous vulnerability management processes. Furthermore, they initiated an ongoing effort to
replace legacy systems with more secure, modern solutions.
Equifax cooperated with government regulators and law enforcement agencies to investigate
the breach and identify the attackers. In response to the incident, the U.S. Congress held
multiple hearings, where Equifax executives were questioned about their cybersecurity
practices and response efforts. The breach also prompted the Federal Trade Commission (FTC)
to investigate Equifax’s handling of consumer data.
The Equifax breach serves as a prime example of how a single unpatched vulnerability can lead
to widespread consequences. It was one of the largest and most damaging cybersecurity
incidents in history, not just due to the sheer volume of data compromised but also because of
the sensitivity of the information involved. As a credit reporting agency, Equifax held extensive
personal information on millions of consumers, making this breach particularly alarming.
Impact(s) on the Organization
The Equifax data breach had severe consequences.
Financial Impact: The incident resulted in direct costs exceeding $1.4 billion, covering
expenses related to the investigation, remediation efforts, customer compensation, and
cybersecurity upgrades. Additionally, Equifax agreed to a settlement of up to $700
million with the Federal Trade Commission (FTC), Consumer Financial Protection Bureau
(CFPB), and 50 U.S. states and territories to resolve investigations into the breach.
Reputational Damage: Equifax’s reputation suffered immensely as public trust
plummeted. Customers questioned Equifax’s ability to safeguard sensitive information,
which is critical for a credit reporting agency.
Legal and Regulatory Impact: Equifax faced numerous lawsuits and regulatory actions.
The company was criticized for its handling of the breach, including the delay in notifying
affected individuals. The breach also led to increased scrutiny of data privacy practices
within the credit reporting industry, prompting stricter regulatory requirements.
In the aftermath, Equifax’s CEO, CIO, and Chief Security Officer resigned. The company
underwent significant changes to its cybersecurity practices, including appointing a new Chief
Information Security Officer (CISO) and implementing more stringent data protection measures.
Conclusion
The Equifax data breach serves as a stark reminder of the importance of cybersecurity in
protecting sensitive information. The incident exposed the consequences of failing to patch
vulnerabilities promptly and demonstrated how a single security flaw can lead to a massive,
costly breach. Organizations must prioritize robust security practices, timely vulnerability
management, and transparent communication with consumers to maintain trust. Equifax's
experience underscores the need for proactive cybersecurity measures, as the financial,
reputational, and legal ramifications of a data breach can be devastating.