Jorge Correa Martinetti
Department of Information Technology, University of the Potomac
CBSC620: Cyber Law and Policy
Dr. Darcel Tolliver
01/19/2021
The Equifax data breach was arguably the most serious cyber-attack of 2017. Equifax is one of the three major consumer credit reporting agencies. On September 7, 2017, Equifax announced that it had been the victim of a cyber-attack that exposed a large amount of information. The public was stunned to learn that in this data breach the sensitive personal information of about 148 million US residents was compromised, including names, driver's license numbers, Social Security numbers, dates of birth and other private consumer data. In addition to the information stolen from Equifax's database, about 209,000 credit card numbers were also obtained in this data breach. (Jason, 2019)
It turns out that the hackers got in by exploiting a vulnerability that Equifax had ample opportunity to fix. The Equifax website was built on Apache Struts, a widely used framework for building web applications that help companies manage large amounts of data online. In March 2017, the Apache Software Foundation, which oversees Struts, announced a vulnerability in the framework's code, designated CVE-2017-5638. The flaw lay in the way Struts handled data submitted through web forms: by crafting that data, hackers could send malicious code to the servers that held the data. (Jason, 2019)
This type of attack is known as remote code execution. Normally, programmers protect against it by having the server check what is submitted to make sure it is not executable code, but with this vulnerability hackers could deliberately trigger an error and then have the server run the command embedded in the request while it was trying to report what the error was. That is a serious bug, but the Apache Software Foundation released a fix at the same time it announced the vulnerability. Applying the fix can take a while, because it is not as simple as downloading a software update for a phone: every application that runs on the Struts framework has to be individually updated and rebuilt, and a single company may have dozens or hundreds of them. (Consumer Financial Protection Bureau, 2019)
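Two checks a defender could have run at the time, written here as an added example in Python (this is not code from the paper or from the Apache Struts project): the first flags a deployed struts2-core version that falls in the ranges affected by CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1, per the Apache S2-045 advisory); the second scans request records for the exploit's signature, an OGNL expression such as %{...} placed in the Content-Type header, which the vulnerable multipart parser copied into an error message that Struts then evaluated. The JSON-lines log format, the request records and the addresses in them are constructed for the example and assume a reverse proxy that records the request Content-Type header.

```python
"""Defender-side checks for CVE-2017-5638 (Apache Struts 2): an added example.

Assumptions (not from the paper): the affected version ranges are those in the
Apache S2-045 advisory, and request headers come from a constructed JSON-lines
proxy log.
"""
import json
import re
from typing import Iterable, List, Tuple

# Affected: Struts 2.3.5 - 2.3.31 and 2.5 - 2.5.10; fixed in 2.3.32 and 2.5.10.1.
FIRST_AFFECTED_23 = (2, 3, 5)
FIXED_23 = (2, 3, 32)
FIXED_25 = (2, 5, 10, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '2.5.10.1' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def struts_version_is_vulnerable(version: str) -> bool:
    """True if this struts2-core version is in an affected range for CVE-2017-5638."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return FIRST_AFFECTED_23 <= v < FIXED_23
    if v[:2] == (2, 5):
        return v < FIXED_25
    return False


# The exploit placed an OGNL expression in the Content-Type header; the Jakarta
# multipart parser echoed the header into an error message that Struts then
# evaluated.  A legitimate Content-Type value never contains "%{" or "${".
OGNL_MARKER = re.compile(r"[%$]\{")

# Constructed sample log (JSON lines, one request per line).  The addresses are
# from documentation ranges, and the second and fourth records carry a harmless
# placeholder expression, not a working payload.
SAMPLE_LOG = """\
{"src": "198.51.100.7", "method": "POST", "path": "/upload.action", "content_type": "multipart/form-data; boundary=----x1"}
{"src": "203.0.113.9", "method": "POST", "path": "/upload.action", "content_type": "%{(#_='multipart/form-data').(#x=1)}"}
{"src": "192.0.2.4", "method": "GET", "path": "/index.action", "content_type": ""}
{"src": "203.0.113.9", "method": "POST", "path": "/login.action", "content_type": "${#x}"}
"""


def find_suspicious_requests(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (source address, path, Content-Type) for every request whose
    Content-Type header contains an expression marker."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        content_type = record.get("content_type", "")
        if OGNL_MARKER.search(content_type):
            hits.append((record["src"], record["path"], content_type))
    return hits


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        state = "VULNERABLE" if struts_version_is_vulnerable(ver) else "patched"
        print(f"struts2-core {ver}: {state}")
    for src, path, ct in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"suspicious request from {src} to {path}: Content-Type={ct!r}")
```

In practice the version check would be fed from the struts2-core jar names found inside each deployed application archive, which is what makes the inventory step laborious when a company runs many Struts applications, and the header check would run over WAF or reverse-proxy logs, since an ordinary web server access log does not record the Content-Type header at all.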
The Federal Trade Commission, an independent agency that protects Americans' information, alleged that the 2017 Equifax data breach violated two laws: (1) the FTC Act's prohibition against unfair and deceptive practices, and (2) the Gramm-Leach-Bliley Act's Safeguards Rule. The Safeguards Rule requires a financial institution to develop, implement and maintain a comprehensive information security program to protect the security, confidentiality and integrity of customer information. (Federal Trade Commission, 2019)
The Equifax data breach settlement amounts to at least $575 million and could rise to as much as $700 million, in a global settlement with the FTC, the Consumer Financial Protection Bureau and the states. The agencies alleged that Equifax's failure to adopt and carry out reasonable security procedures affected millions of Americans. (U.S. Department Homeland Security, 2019)
Equifax is also required to implement a comprehensive information security program that obliges the company to take several measures, including: (1) designating an employee to oversee the information security program; (2) conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms and other protections; (3) obtaining annual certifications from the Equifax board of directors or a relevant subcommittee attesting that the company has complied with the order, including its information security requirements; (4) testing and monitoring the effectiveness of the security safeguards; and (5) ensuring that service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data. (Federal Trade Commission, 2019)
The Apache Software Foundation had announced the vulnerability that caused this data breach two months before the incident. Remote code execution was the technique the hackers used in this breach. Equifax's IT department had not updated its systems after the bug was announced, and the main contributing factors were its systems management practices. In addition, the IT team could not use standard automated forensic procedures or systems management practices to identify and track the CVE-2017-5638 vulnerability.
Consumer Financial Protection Bureau. (2019). Settlement with Equifax over 2017 data breach. consumerfinance.gov. Retrieved from https://www.consumerfinance.gov/about-us/newsroom/cfpb-ftc-states-announce-settlement-with-equifax-over-2017-data-breach/
Federal Trade Commission. (2019). Part of settlement with FTC, CFPB, and states related to 2017 data breach. ftc.gov. Retrieved from https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related
Jason, T. (2019). Equifax data breach case study. researchgate.net. Retrieved from https://www.researchgate.net/publication/337916068_A_Case_Study_Analysis_of_the_Equifax_Data_Breach_1_A_Case_Study_Analysis_of_the_Equifax_Data_Breach
U.S. Department Homeland Security. (2019). Secretary Kirstjen M. Nielsen remarks at the RSA Conference. dhs.gov. Retrieved from https://www.dhs.gov/news/2018/04/17/secretary-kirstjen-m-nielsen-remarks-rsa-conference