Case Report: Equifax Data Breach

Case Report
Author’s Name:
Institutional Affiliation:
Submission Date:
Case Report
Equifax Data Breach happened in 2017 after a hacker was able to interrupt with its network system, and exfiltrated personal information of more than 148 million people (Srinivasan, Pitcher & S. Goldberg, 2017). Several factors increased the vulnerability of the network system hacking. First, Equifax failed to look at one of its perilous security elements for more than six months, which left it at the risk of hacking (Srinivasan, Pitcher & S. Goldberg, 2017). Secondly, the company was not prepared for any cyberattack during that period, as its digital certificate that allows the monitoring of the network system had expired two years before the breach. Thirdly, the firm was experiencing vital gaps between its information technology policies and executions, which lowered its preparedness to cyberattacks (Majority Staff Report 115th Congress, 2018). The cyberattack earned back the confidence of its clienteles leading to significant losses.
On the other hand, one of the most significant vulnerabilities caused by the incident was culture security complacency. The culture security complacency was mainly due to the exposed web application framework identified as Apache Struts (Majority Staff Report 115th Congress, 2018). The primary function of the Apache Struts is to run between the application software and operating system to allow the application to run the whole operating system. In March 2017, Apache company sent reports to all the network companies to notify them of the vulnerability of their systems to hacking (Srinivasan, Pitcher & S. Goldberg, 2017). Equifax company received a notification from the company, but it did not update the Apache Struts, which run its system. Hence, this led to the cyberattack in the company a few months later.
Before the 2017 cyberattack of Equifax, the company had set various measures that protected its network system. First, the company had installed an SSL certificate that secures network connection to avoid attacks. However, before the breach, the company SSL certificate had expired, posing it to the vulnerability of the attack (Srinivasan, Pitcher & S. Goldberg, 2017). Secondly, the firm had registered to a government agency known as the Department of Homeland Security, which monitors the communication network to detect intruders. However, the communication between the two was not active before the attack. Lastly, the company was also using the Apache Struts to run its operating system (Brown, 2018). In March 2017, the Apache company realized that various attackers were targeting networking companies, and sent numerous notifications to companies registered with them. Equifax received these notifications but did not take serious and immediate actions to secure its system. The vulnerability created by the Apache Struts allowed an attacker in May 2017 to hack the company system.
After the incident, Equifax decided to take various actions to avoid other attacks (Majority Staff Report 115th Congress, 2018). First, the secure information technology department took a critical step in uploading new SSL certificates, which helped it to resume the inspection of network system traffic t...