INTRODUCTION
Credit is a broad term whose meaning changes with context. For instance, credit generally means acquiring something of value (monetary/physical) through a mechanism with the condition to return it to the lender in the future (mostly with interest). However, in an accounting context, credit is an accounting entry, which may either increase the liability or decrease the assets. In this academic exercise, the term credit will imply a loan that is borrowed from the lender at a particular price. This price is called the interest rate, and it strongly influences the demand and supply for credit. At macro or strategic levels, interest rates are altered to realize various kinds of objectives, which include the size of investment in an economy (Finn, Wrightson and Jones).
In the contemporary capitalist economy, credit plays a major role. This is because, in a capitalist or free-market economy, it is the private sector that steers the economy (the engine of growth and cause of economic stability). The capacity of the private sector is directly linked to factors such as access to loans and ease of doing business. Access to and granting of loans or credit depends upon various factors; however, among the relevant factors are the capacity of the borrower to repay and the credit history of the borrower. This information is vital, as it allows creditors to make more informed decisions (Passi).
There are several agencies, Consumer Credit Reporting Agencies, which systematically collect information about borrowers (information about their accounts, etc.) and provide it to lenders. This helps creditors evaluate different loan markets. Since the role of information and technology has increased in the financial realm, these agencies are now able to collect relevant information from across the globe. This has globalized financial/loan markets, allowing large credit companies or agencies to operate in different economies around the world (Morgan).
One such Consumer Credit Reporting Agency is Equifax. The company operates all across the globe, and it collects information from around eighty-eight million individuals and around eighty-eight million businesses. The company was founded in Atlanta in 1899. Since its birth, it has expanded its presence gradually and improved its operations. Currently, Equifax is considered one of the largest credit reporting agencies not only of the United States, but also of the world (Irby).
The specialty of the company is to monitor businesses and account information to gather information, which it then sells to various loan companies. The agency also employs modern technology to provide its clients with high-quality services, such as bankruptcy alerts. However, despite its large size and its claims about high efficiency, Equifax faces many challenges and controversies. These challenges and controversies include complaints from individual customers and businesses and massive security breaches in 2017. Our emphasis will be on the security breach that dented the image and credibility of Equifax (Brewster).
THE BREACH
Equifax is one of the biggest credit-reporting agencies not only in the United States but also in the world. The company obtains user information and data through credit card companies, banks, lenders, and retailers. Even if a person hasn’t signed up for Equifax, the company could still hold their sensitive information (Federal Trade Commission). It recently faced one of the biggest data breaches ever, putting at risk the information of over 143 million Americans, including their Social Security numbers, dates of birth, addresses and other sensitive information. The Equifax data breach also affected people in Canada and the United Kingdom. Unlike the recent Cambridge Analytica (CA) data scandal, where users had shared their information on Facebook willingly, in the Equifax data breach the users might not even have signed up, and the company would still have had their information (Meredith). It was one of the worst data breaches in America’s history because of all the sensitive information that was exposed to the world and could easily have been misused. The information of over 209,000 Americans was exposed along with personal identifying information of 182,000 customers.
In this paper, we will further discuss whether there have been similar data breaches in the past, how the data is sold, and what the price for each datum is. We will also discuss why data breaches happen, how much they affect a company’s reputation, how people react to them, and whether there have been any lawsuits. We will also discuss the related technical issues and how data breaches can be prevented. Lastly, our paper will cover what measures Equifax has taken to ensure such data breaches never happen again and that people’s sensitive information is secured (Fleishman).
Causes of Data Breach and How Sensitive Data is sold
The Equifax data breach took place between May and July 2017, but Equifax discovered that its system had been hacked on July 29th. The world was informed of the breach on 7th September 2017. Equifax states that the hackers had exploited the Equifax U.S. website and obtained sensitive information about its customers. The data breach took place because of Equifax’s vulnerable and outdated security systems. Apache Struts, the tool Equifax used on the system that kept the private information, was easily hacked because the company hadn’t updated its online security. The company had been aware of the security flaw yet did not do anything about it. The hackers were able to reach all the private information, such as Social Security numbers, addresses, dates of birth, driver’s license numbers, phone numbers, etc. (Fitzgerald).
A data breach at an enormous corporation can cost the company millions or billions of dollars, especially if the breached data contains sensitive and personal information of third parties. If a company faces a data breach, it costs the company not only financially but also its entire reputation. Once a company loses its reputation, people will always be skeptical about whether they want to use its services again. Equifax still faces huge criticism due to the data breach that occurred last year. All the trust that was developed between the two parties is lost, as the company people trusted could not even keep their information safe. Data breach costs have reached around $4 million annually (Cheng, Liu and Yao).
There has been a rise in data breaches over the last two decades. The stolen data can be sold for millions if it contains personal information that could benefit a third party. In today’s age, any sort of personal information is valuable, and the Equifax data breach exposed sensitive information that could be misused in millions of ways for gain. The more information there is, the more it is worth, which is why more hackers are finding ways to breach data containing sensitive information.
The Damage Equifax faced
Equifax took a lot of damage, financially and to its reputation, after the massive data breach exposing personal information of over 143 million Americans. The data breach was a disaster for the company, and lawmakers weren’t happy with what occurred. Congress took action right away, calling upon Equifax to answer some important questions regarding the breach and what measures it had taken to tackle the issue. Equifax had offered a free credit monitoring service to its customers upon sign-up, but the lawmakers stated that giving free monitoring services was not the solution to the problem.
Precautionary preventive measures need to be taken by the company, so such data breaches do not occur again. Lawmakers said that the reason Equifax offered free credit monitoring services to its users was to prevent liability and to get away with the consequences. Offering free credit monitoring services would provide the clients with peace of mind, but it is in no way a viable long-term solution.
Equifax was widely criticized not only by Americans but also by the world, as the biggest credit information company could not keep its servers secure from hackers. The information that was leaked could have been misused in thousands of ways and could have potentially harmed people. Equifax did offer a free credit monitoring service to the victims who would give up their right to sue the company. It faced a lot of criticism, as the company was the one that caused the damage and yet asked its clients to give up their right to sue it in exchange for help preventing further damage.
Equifax is still the top choice for most people in America, but if Equifax does not take solid measures to ensure the security of people’s personal information, nobody in the future will trust the company with their sensitive information. Equifax has spent over $200 million on security measures after the data breach to assure customers that their information will remain safe in its hands, but only time will tell whether it has been successful in securing information.
Organization/Group Responsible for the Breach
From the scrutiny of available information, it is evident that the breach was caused by a lack of professionalism. According to Equifax, the cause of the breach was an IT expert who failed to implement the devised strategy as per requirements. The CEO of Equifax did not provide any information regarding the group or individual who was able to intrude into the company’s system. However, initial investigations suggest that the hack has the hallmarks of a state-sponsored intrusion (Riley). Investigators have asserted that the intrusion into the company’s system has many similarities with other intrusions, such as the Yahoo hack, which was linked to nation-state hackers. If previous investigations of similar intrusions are precedents, then we can project that it will be very difficult to identify and apprehend the culprits.
Was the operation a success?
In hacking events, the criterion for success is simple: access to information. However, it is also essential to acknowledge that a successful hack does not leave any digital evidence or clue behind that could lead investigators to the intruders. For instance, when hackers can access the information and retrieve it without being traced, such hacking events are considered a success. In the case of Equifax, the hacker(s) were able to access the sensitive information of 146 million individuals. The size of the accessed, retrieved or compromised data is enormous. Also, investigations have failed to trace and apprehend the hacker(s). Therefore, we can assert that the hacking operation was a success by any standard or definition.
Challenges/Limits
We have already established that data leakages are enormously costly to corporations and governmental agencies, especially when the data leaked or breached is of a sensitive nature. Studies reveal that the most common types of cost associated with data leakages or breaches are 1) financial cost and 2) reputational cost; however, it is the blemishing of reputation that affects the organization not only in the short run but also in the long run. For instance, when sensitive data of a company is breached or leaked, the trust of clients in the organization’s security apparatus designed to safeguard sensitive information diminishes drastically. As the consolidated cost of a data breach has grown in recent years, the challenges for companies have also grown. As per estimates, the cost of a data breach has reached an alarming $4 million per year.
In the modern era, information has enormous monetary worth, as information can be employed to realize various objectives. The greater the size of the sensitive and relevant information, the greater the monetary worth of the breached data. It implies that when the size of the leaked or stolen data is large, its monetary worth is also large. Therefore, we are witnessing an alarming increase in data breaches or leakages in the recent past.
As the breaching of data has become a lucrative endeavor, hackers are developing more potent and sophisticated instruments to breach into a system. From the systematic review of the literature, we learn that firms/companies and government agencies are responding to these threats rather than acting proactively to eliminate the threat. For instance, the Intrusion Prevention & Detection Systems are mostly equipped to counter the type of threats that are known. They find it very difficult to detect and prevent such intrusions that are relatively new and that are more complex.
For instance, the training of Intrusion Detection and Prevention Models relies on datasets. Most of these datasets, such as the NSL-KDD dataset, train the systems to detect and prevent threats that are already in the knowledge base, making the systems vulnerable to more recent types of threat. However, it is also a fact that, because of data mining, the efficiency of the datasets used for the training of Intrusion Detection and Prevention Models has improved, which has significantly reduced the total number of intrusions (collectively).
Studies also reveal that sometimes it is employees who exploit their position and access to steal sensitive information or data. Prevention of incidents in which employees are responsible for data leakage is primarily the obligation of the company. Studies on data leakages and breaches reveal that breaches and leakages caused by external factors have reduced significantly; however, the instances of data leakages and breaches due to internal causes have increased in comparison. This again suggests that the efficiency of intrusion detection and intrusion prevention systems has improved because of the greater availability of efficient datasets.
Can hackers strike Equifax or other such organizations again?
Equifax data was breached for two reasons: 1) its intrusion detection and prevention system was obsolete, and 2) the company failed to implement the security plan effectively. For instance, the employee who worked in the IT department ignored the instructions and detection warnings. Data companies around the world have upgraded their intrusion detection and prevention systems, which has made it difficult for hackers to intrude into a company system; however, it is also a fact that the intrusion-related threat is evolving significantly. Therefore, another major intrusion that aims to steal sensitive information at biblical scale is very much possible. The fact is that several hacking attempts are registered every day, and with every attempt, hacking or intrusion tools and instruments evolve; thus, the nature of the threat evolves every day.
What type of information is available, and how readily is it available?
Information regarding hacks or intrusions improves the nature of intrusion detection systems and the implementation of strategies for intrusion detection and prevention. When we study how much information about intrusion detection is available, we learn that very limited information is available. One of the reasons is that affected companies are usually reluctant to provide information regarding the nature and size of an intrusion. Even during investigations, companies do not provide a full account of a hacking event. As there is very limited authentic and relevant information available, hacking is still a very obscure subject.
Recently, companies have begun to provide data with the objective of improving intrusion detection and prevention systems, which is allowing IT companies to produce effective and potent intrusion detection and protection systems.
Prevention
We have already discussed, at length, the causes of the breach. One of the major causes of the breach was a single Internet-facing web server that was not equipped with the intrusion detection and prevention software that is imperative to detect and prevent different kinds of apparent or subtle intrusions. The system was so poor that it took almost seventy-six days for the company to identify the intrusion or breach of the data. It is evident that the threat emerged from outside and that it managed to penetrate the system because the security apparatus devised in the system was out of date. It is apparent that Equifax is allocating financial resources to upgrade the system, which is highly vulnerable to various kinds of cyber-attacks. As per reports, Equifax has spent around $200 million in the current year to address the breach and leakage related challenges. The emphasis is on upgrading security and technology to meet the challenges.
There are different types of data systems, which use different techniques for the detection and prevention of system intrusions (internal and external). The most contemporary of these intrusion systems are based on algorithms and probability techniques, which increase the efficiency of Intrusion Detection and Prevention models. To reduce the chances of intrusion, Equifax must devise a system that is flexible and partly self-evolving (one that records different kinds of intrusions and analyzes them). Intrusion detection and prevention systems must be updated regularly. By regularly updating these models and systems, we can effectively secure sensitive data. Investing in technology and security will reduce the vulnerability of the entire setup, which has already cost Equifax heavily.
Another aspect that Equifax must emphasize to reduce the possibility of intrusion to almost zero is management. Reports about the breach also revealed that Equifax not only poorly managed the security of the system, but also sold stocks after the breach (the management did not reveal to buyers that the system had been breached). During the congressional hearing on the incident, the role of the management was criticized severely. Congress subtly hinted that the breach was the consequence of poor management. Therefore, it is essential to address the management issues, which resulted in a data breach that went undetected for an upsetting seventy-six days.
Reports suggest that Equifax is introducing various types of management controls to prevent such incidents in the future. For instance, it intends to devise sophisticated mechanisms that regularly examine the health of the security system (intrusion detection & prevention system). Also, it aims to improve various aspects of access to sensitive data. For instance, only authorized individuals must have access to the data, and they may access that data only in a particular fashion or manner. The duration of the access must be recorded, and the system must record what type of data has been accessed and retrieved. Also, management must investigate whenever data are accessed, retrieved, or both for reasons that are not known to the management.
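The access controls listed above (authorized accounts only, recorded duration and data type, investigation of access whose reason is not known) can be checked mechanically against an access log. The following Python code is an added example, not Equifax's system; the account names, data types, case references and log records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Hypothetical policy: the data types each authorized account may touch.
AUTHORIZED = {
    "analyst_a": {"credit_score"},
    "dispute_b": {"credit_score", "address"},
}

@dataclass
class AccessEvent:
    user: str
    start: datetime
    end: Optional[datetime]     # None means the session end was never recorded
    data_type: Optional[str]    # None means the log did not capture what was read
    action: str                 # "read" (accessed) or "export" (retrieved)
    reason: Optional[str]       # case or ticket reference known to management

def review(event: AccessEvent) -> List[str]:
    """Return the policy findings for one access event (empty list = clean)."""
    findings = []
    allowed = AUTHORIZED.get(event.user)
    if allowed is None:
        findings.append("unauthorized account")
    elif event.data_type is not None and event.data_type not in allowed:
        findings.append("data type outside the account's authorization")
    if event.data_type is None:
        findings.append("data type not recorded")
    if event.end is None:
        findings.append("access duration not recorded")
    if not (event.reason or "").strip():
        findings.append("no reason on record")
    return findings

def investigation_queue(events: List[AccessEvent]) -> List[Tuple[str, str, List[str]]]:
    """Events management must investigate, with the findings for each."""
    queue = []
    for event in events:
        findings = review(event)
        if findings:
            queue.append((event.user, event.action, findings))
    return queue

def at(hour: int, minute: int) -> datetime:
    """Helper for building the constructed sample timestamps."""
    return datetime(2018, 9, 21, hour, minute)

# Constructed sample log records (not real data).
SAMPLE_EVENTS = [
    AccessEvent("analyst_a", at(9, 0), at(9, 12), "credit_score", "read", "CASE-1001"),
    AccessEvent("analyst_a", at(10, 0), at(10, 5), "ssn", "export", "CASE-1002"),
    AccessEvent("dispute_b", at(11, 0), None, "address", "read", ""),
    AccessEvent("svc_legacy", at(2, 30), at(4, 45), None, "export", None),
]

if __name__ == "__main__":
    for user, action, findings in investigation_queue(SAMPLE_EVENTS):
        print(f"{user:12} {action:7} {'; '.join(findings)}")
```

The first record passes every check; the other three land in the investigation queue for an out-of-scope data type, a missing duration and reason, and an unknown account with no recorded data type or reason.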
Measures that Equifax Has Taken
The major emphasis of Equifax is on updating its security system. As mentioned earlier, Equifax claims to have spent around $200 million on technology and security; however, there is little information regarding the details of the spending. Also, the management-related measures that have been devised to avoid such instances in the future are few and vague. Since there is a lack of transparency, we are not sure how effective these measures are. Also, critics question the spending of $200 million to upgrade the intrusion detection and prevention system.
Are these measures Adequate?
As we do not have information that reveals the nature and scope of the measures, it is very difficult to determine how adequate these measures are. For instance, we do not know the nature and structure of the recently installed intrusion detection and prevention system. Also, we do not know what the components of the new data protection strategy are. As such vital information is missing or obscured, it is very difficult to pass judgment on the adequacy of the measures that are taken to protect the data of more than eight hundred million people.
CONCLUSION
In the end, from the methodical review of studies about Data Protection and Big Data, it is apparent that information or data has great relevance for corporate and financial corporations. For instance, data about the consumer behavior of a particular region or social class allow firms to understand demand, which helps them make more informed decisions that promise higher dividends. Access to these large chunks of data requires permission, and companies must state the reason for accessing and retrieving data in such large volumes (data mining).
As the monetary value of information/data is high, many individuals and groups try to steal data and sell it to the highest bidders. Some presume that corporate/financial firms also covertly attempt to steal data; however, such claims lack evidence. Nevertheless, firms that hold large blocks of data must not only take measures to protect data, but also examine the protective measures regularly, as threats are always evolving.
Equifax has already taken measures to improve its intrusion detection and prevention systems. However, only time will tell how effective those measures are. As for management, the measures that Equifax has taken are considered inadequate. Also, we do not have much information about the nature of the remedies/strategies and how they will be implemented.
Lessons We Learn
Technology has enabled organizations to retrieve data on a large scale. Also, techniques have allowed companies to select the most relevant data from data pools. Companies like Equifax have collected data on more than 800 million individuals, which allows them to understand the loan or credit markets better than most. However, managing such huge volumes of data is becoming a serious issue for credit reporting agencies. One of the issues is poor intrusion detection and prevention models, which run on out-of-date software. Another issue is the lack of an adequate system that ensures valid and authorized access to protected or sensitive information. Regular examination of the system is necessary to 1) ensure the performance of the system and 2) assess what is required.
Works Cited
Brewster, Thomas. “A Brief History Of Equifax Security Fails.” Forbes. Forbes, 8 September 2017. Web. 21 September 2018. https://www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history/?ref=techbullets#4734437677c0.
Cheng, Long, Fang Liu and Danfeng Yao. “Enterprise data breach: causes, challenges, prevention, and future directions.” WIREs Data Mining and Knowledge Discovery 7.5 (2017): 1-14.
Federal Trade Commission. “The Equifax Data Breach.” Federal Trade Commission. Federal Trade Commission, 31 December 2017. Web. 21 September 2018. https://www.ftc.gov/equifax-data-breach.
Finn, Margot C, Keith Wrightson and Colin Jones. The Character of Credit: Personal Debt in English Culture, 1740-1914. 2. Cambridge University Press, 2003. e-book.
Fitzgerald, Kate. “Fraud after the Equifax crisis.” Payments Source. Payments Source, 11 July 2018. Web. 21 September 2018. https://www.paymentssource.com/slideshow/data-fraud-after-the-equifax-data-breach.
Fleishman, Glenn. “Equifax Data Breach, One Year Later: Obvious Errors and No Real Changes, New Report Says.” Fortune. Fortune, 8 September 2018. Web. 21 September 2018. http://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/.
Irby, Latoya. “Who Are the Major Credit Reporting Agencies?” The Balance. The Balance, 31 May 2018. Web. 21 September 2018. https://www.thebalance.com/who-are-the-three-major-credit-bureaus-960416.
Meredith, Sam. “Here’s everything you need to know about the Cambridge Analytica scandal.” CNBC. CNBC, 1 January 2018. Web. 21 September 2018. https://www.cnbc.com/2018/03/21/facebook-cambridge-analytica-scandal-everything-you-need-to-know.html.
Morgan, Kyle. “What are the three major credit reporting bureaus?” Finder. Finder, 18 August 2018. Web. 21 September 2018. https://www.finder.com/understand-credit-bureaus.
Passi, Kirti. “Importance of Credit in the Economic Development!!” LinkedIn. LinkedIn, 21 April 2017. Web. 21 September 2018. https://www.linkedin.com/pulse/importance-credit-economic-development-kirti-passi.
Riley, Michael. “The Equifax Hack Has the Hallmarks of State-Sponsored Pros.” Bloomberg. Bloomberg, 29 September 2017. Web. 28 September 2018. https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.