The Equifax information breach was quite possibly the most critical cyber-attacks of 2017. Equifax is one of the three main buyer credit counseling offices.

computer science

Description

Equifax Data Breach 2017 Case Study

 

Jorge Correa Martinetti

Department of Information Technology, University of the Potomac

CBSC620: Cyber Law and Policy

Dr. Darcel Tolliver

01/19/2021

 

 

 

 

 

 

 

 

 

 

Abstract

Technology has become vital in daily life, so staying away from it puts us at a huge disadvantage. Most financial institutions have sensitive information about their customers, so ensuring the security of this personal information is important. Data breach is a way how hackers steal personal information and especially, from databases’ financial institutions. In this case study, I examine the issue of the 2017 Equifax data breach. I point out some details, actions that could be taken, and laws that are violated.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Introduction

The Equifax information breach was quite possibly the most critical cyber-attacks of 2017. Equifax is one of the three main buyer credit counseling offices. On September 8, 2017, Equifax explained that it had been a victim of a cyber-attack that caused a large amount of information disruption. The world was stunned to discover that in this data breach, about 148 million US residents' touchy individual information were undermined counting names, driver's license number, SSN, dates of birth and more consumer private. Besides, information stolen from Equifax’s database, there were about 209,000 visa numbers were obtained too from this data breach. (Jason, 2019)

Equifax is one of the three big American credit agencies, which calculate people’s credit scores in the U.S and in 23 more countries around the world. It determines how difficult it is for you to do work such as a loan, or how dangerous it is to lend you some money. Additionally, there were 209,000 people’s credit card information stole in this massive data breach. Credit agencies collect financial data on pretty much everyone in the U.S. with a credit history even if you have never paid for any of the Equifax’s services directly and you are an adult, you may be affected. (Federal Trade Commission, 2019)

Details of the Event

It turns out that the hackers got in by taking advantage of a vulnerability that Equifax had plenty of opportunity to fix. The Equifax website is built on software called Apache Struts, a widely used framework for creating programs that helps companies manage large amount of data online. In March, the Apache foundation, which oversees struts, announced the existence of a vulnerability in the software code that they dubbed CVD-2017-5638. The way how operates was thorough filled out web form, so Struts handles data entered into those form. Hackers could use them to send malicious code to the servers with the data on them. (Jason, 2019)

A type of hack known as remote code execution. Normally, programmers protect against this by having the server check what you are submitting to make sure is not computer code but with this vulnerability, hackers could trigger an error, then make the server run the embedded command while it was trying to figure out what the error was. That is a serious bug, but the Apache foundation released a fix for it at the same time they announced its existence. The fix could take a while because it not as simple as downloading software update for your phone. It requires individually updating and rebuilding every app that run on the Struts platform and it could be dozen or hundred for a single company. (Consumer Financial Protection Bureau, 2019)

What Could Be Done?

It turns out that the hackers got in by taking advantage of a vulnerability that Equifax had plenty of opportunity to fix. The Equifax website is built on software called Apache Struts, a widely used framework for creating programs that helps companies manage large amount of data online. In March, the Apache foundation, which oversees struts, announced the existence of a vulnerability in the software code that they dubbed CVD-2017-5638. The way how operates was thorough filled out web form, so Struts handles data entered into those form. Hackers could use them to send malicious code to the servers with the data on them. (Jason, 2019)

The breach of Equifax’s system using this vulnerability began in mid-May, two months after the vulnerability came to light. At that time, the Equifax IT department had not yet updated its systems then. The main contributing components were frameworks the executive’s method. In particular, the Equifax IT group did not matter the fix when it came out. Even after being instigated by many sources, such as the Department of Homeland Security and product vendors, the IT department ignored the fixes to address the vulnerability. (U.S. Department Homeland Security, 2019)

Laws that Have Been Broken

The Federal Trade Commission, which is an independent agency to protect American’s information, alleged that 2017 Equifax’s data breach violated two Acts. (1) FTC Act’s prohibition against unfair and deceptive practices (2) the Gramm-Leach-Bliley Act’s Safeguards Rule. They need a monetary foundation to create, implement and maintain a wide range of data security procedures to ensure the security, privacy and integrity of customer data. (Federal Trade Commission, 2019)

The Equifax data breach settlement has reached $575 million and it could increase up until $700 million with FTC, Consumer Financial Potential Bureau and States related. They claimed that Equifax’s failure to have and execute security procedure which has affected millions of Americans. (U.S. Department Homeland Security, 2019)

Equifax is likewise needed to execute an extensive data security program requiring the organization to take a few measures including: (1) Assigning a worker to regulate the data security program; (2) Leading yearly evaluations of inner and outer security hazards and actualizing shields to address expected dangers, for example, fix the executives and security remediation strategies, network interruption components, and different insurances; (3) Getting yearly certificates from the Equifax directorate or applicable subcommittee confirming that the organization has agreed with the request, including its data security prerequisites; (4) Testing and checking the viability of the security shields; and (5) Guaranteeing specialist co-ops that entrance individual data put away by Equifax additionally actualize sufficient shields to secure such information. (Federal Trade Commission, 2019)

Conclusion

The Apache Foundation announced the reason for this data breach, which was a known vulnerability 2 months ago of the incident. Remote code execution was a technique used by hackers in this data disruption. Equifax IT department had not updated its system by the bug's announced and the main contributing components were frameworks the executive’s method. In addition, IT team could not use standard computerized scientific procedures of frameworks the board practices to recognize and follow the CVD-2017-5638 error.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

References

Consumer Financial Protection Bureau. (2019). Consumerfinancial.gov. Settlement with Equifax Over 2017 Data Breach. Retrieved from: https://www.consumerfinance.gov/about-us/newsroom/cfpb-ftc-states-announce-settlement-with-equifax-over-2017-data-breach/

Federal Trade Commission. (2019). Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach. Retrieved from: https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related.

Jason, T. (2019). Researchedgate.net. Equifax Data Breach Case Study. Retrieved from: https://www.researchgate.net/publication/337916068_A_Case_Study_Analysis_of_the_Equifax_Data_Breach_1_A_Case_Study_Analysis_of_the_Equifax_Data_Breach

U.S. Department Homeland Security. (2019). DHS,gov. Secretary Kirstjen M. Nielsen Remarks at the RSA Conference. Retrieved from: https://www.dhs.gov/news/2018/04/17/secretary-kirstjen-m-nielsen-remarks-rsa-conference

Instruction Files

Related Questions in computer science category