
Case Study of The Equifax Data Breach

In September 2017, Equifax suffered a major data breach affecting approximately 147 million consumers due to an unpatched vulnerability in Apache Struts. The breach highlighted significant failures in cybersecurity practices, including poor patch management and internal communication, leading to operational disruptions and reputational damage for the company. Lessons learned from the incident emphasize the importance of timely patch management, effective governance, and clear communication systems in preventing future breaches.

Uploaded by

sammymaluki01996

Task 1

Task 1.1

Title: The 2017 Equifax Data Breach

Task 1.2

Introduction

In September 2017, Equifax, one of the major consumer credit reporting agencies in the United States, experienced a significant data breach that compromised the details of approximately 147 million consumers. The leaked details included Social Security numbers (SSNs), dates of birth, addresses, and, for some, driver's license numbers. The breach happened because some of Equifax's web applications were exposed to an unpatched Apache Struts vulnerability, CVE-2017-5638. Even though the patch was released several months prior to the attack, the flaw was left exposed due to broken internal controls. The Equifax breach now serves as a case study of the negative impacts of negligence in cybersecurity. In this respect, it is a useful learning case for cybersecurity professionals exploring technology, policy, and organizational accountability.

Task 2: Citations

1. Wang, P., & Johnson, C. (2018). CYBERSECURITY INCIDENT HANDLING: A CASE STUDY OF THE EQUIFAX DATA BREACH. Issues in Information Systems, 19(3). https://doi.org/10.48009/3_iis_2018_150-159

2. Ikezuruora, C. (2024, January 26). Beyond Headlines: Case Study- The Equifax Data Breach and Lessons Learned. PrivacyEnd. https://www.privacyend.com/case-study-equifax-data-breach-lessons-learned/

Task 3:

3.1 Root Causes

Root cause 1: Neglect of Patch on a Known Weakness

This breach occurred because Equifax had not addressed a vulnerability in Apache Struts, a popular web application framework (CVE-2017-5638). Even though the vulnerability became public in March 2017, Equifax failed to apply the patch, which contributed to the leakage of data of over 147 million consumers. The flaw thus remained exposed for any attacker to take advantage of and exploit by May 2017.

Root cause 2: Weak security practices and oversight

Equifax had no efficient and functional patch management policy. A lack of cooperation between the IT and security departments also extended the time needed to counter threats. In addition, the organization lacked adequate systems to detect and prevent attacks; the problem was compounded by the old systems it had in place, and the attackers remained undetected for more than two months.

3.2 Actions taken

Action 1: Disclosure and Public Notification (September 2017)

Equifax announced the breach on September 7, 2017, even though the organization became aware of the breach on July 29, 2017. After getting approval from within the company, they informed the FBI and hired Mandiant to look into the situation. A public website was also set up for people to check whether their information had been leaked. This action involved top management, lawyers, legal advisors, and the public relations department.

Action 2: Executive Restructuring and Security Overhaul

After the breach, Equifax changed its executive management: its CEO stepped down from his position and a new CISO was hired. To address the threat, the company sought to update its IT systems, change its patch management policies, and hire more cybersecurity staff (Ikezuruora, 2024). It also offered free credit monitoring to affected customers, and it spent a great deal of money on dealing with the ramifications and preventing future mishaps.

3.3 The Effectiveness and Timeliness

The Effectiveness

The breach response process, although eventually effective in identifying the issue, was delayed and poorly communicated. Mandiant's forensic investigation established the chronology of events more clearly but was carried out too late to prevent the data exfiltration.

The Timeliness

Equifax took more than two months after realizing the breach before informing the public that something was wrong, which attracted criticism and regulatory attention.

3.4 Successes, gaps, and failures

Successes

As a result of their integrated efforts, Equifax and its partners, including the FBI and Mandiant, were able to quickly respond to and contain the breach, as well as assess the actual exposure. The company also introduced credit monitoring and free identity theft protection for the affected persons, thereby regaining some trust.

Gaps

The fifth reason was that communication between directors and internal institution representatives was severely lacking, and the government held no one accountable for finances. Although it was well documented that Windows was prone to these viruses, the patching did not undergo proper verification or follow-up. This was worrying because there was no consistent way of checking that such security directives had been implemented.

Failures

Several blunders were made. One is that Equifax took quite some time to disclose the data breach. Though it had learned of the breach in the middle of July 2017, it took the company almost one and a half months to make the information public. Delaying these reports cost it transparency and generated customer anger as well as regulatory concerns.

3.5 Impacts on the organization

Operational disruption and financial losses

In the short term, Equifax faced operational losses from the consequences of the breach, the investigation, and legal pressure. The breach resulted in $700 million in related costs. Organizational operations were disrupted when people switched to managing the crisis (Ikezuruora, 2024). This strain on finances and resources affected performance and stakeholders' confidence in the organization.

Reputational and Strategic Damage

At the tactical level, one of the biggest losses was the damage to public trust and the brand. As a credit bureau, Equifax is highly dependent on data and customer trust, both of which were threatened. This was also sustained by a long-term regulatory failure and called for changes in subsequent cybersecurity governance structures, risk management, and compliance (Ikezuruora, 2024). On the internal level, it brought about a change in organizational culture regarding the need to embrace security in all departments. On the external level, it helped establish a new trend of corporations being held legally liable for security.

3.6 Lessons learned

Importance of Timely Patch Management

One of the main deficiencies was that Equifax had no procedure for promptly addressing an already known vulnerability. This shows that good security practice requires the timely and strict implementation of patch management in organizations.

The importance of corporate governance & communication systems

The breach raised concerns about internal communication and accountability within the attacked organization. Proper cybersecurity governance should be in place and enforced so that alerts are responded to and responsibilities are carried out effectively.

3.7 Recommendations

Establish a Robust Patch Management Policy

All the known vulnerabilities should be vulnerable to an automated and well-documented. This must be done as frequently as possible to ensure they meet compliance standards, and IT should be tasked with ensuring compliance is done on time.

Strengthen Cybersecurity Governance and Incident Response

Develop a clear structure for cybersecurity management in the organization, with defined roles, responsibilities, and actions in case of emergencies. Simulated exercises should be performed periodically to enhance the preparedness of IT, legal, and executive departments to address future cases.

3.8 My Conclusions

The Equifax data breach is a case that demonstrates that the threat landscape is dynamic and that even simple precautions must not be disregarded. For Equifax, this breach entailed significant alterations in governance, infrastructure, and crisis management (Wang et al., 2018). The entire industry noted that the organization lacked proper seriousness in managing vulnerabilities, coordinating between departments, and preparing to tackle threats and attacks (Ikezuruora, 2024).

A common characteristic of this and similar breaches is the lack of response to threats that are already well understood, a situation that remains rife even with heightened awareness (Wang et al., 2018). Altogether, the Equifax case has had positive long-term impacts, such as improving the regulatory standards for organizations, increasing customer demands concerning data privacy, and encouraging organizations to embrace positive cybersecurity measures. It also shows that security threats are not simply an IT problem; they are corporate ones.
