University of the
The following research paper is
about the Equifax data breach and what an organization can learn from it about
the role of risk analysis, risk assessment, and security.
Equifax, one of the major consumer credit reporting agencies
in the world, was attacked by hackers and breached. It is one of the
biggest data breaches in the history of cyber-attacks: the private information
of more than 143 million consumers was compromised.
Keywords: Introduction, Security and Privacy, Timing is key, Preparation is key, Proactive
Equifax Inc. is a consumer credit reporting agency.
It collects and keeps identity-related information, such as social security
numbers, driver's license numbers, and credit card details, of over 800 million
consumers and around 88 million business organizations around the world. Along
with Experian and TransUnion, it is one of the three largest credit agencies.
The Equifax data breach is one of the
biggest breaches in the history of cyber-attacks: the private information
of more than 143 million consumers was compromised.
Equifax was hit by a cyber
security breach on July 29, 2017, which was
reported to the public in September 2017. This attack affected around
146 million of Equifax's U.S. consumers, whose personal details, such as Social
Security number, driver's license number, date of birth, address, bank
information, and full name, were stolen. Equifax confirmed that at least
209,000 credit card details of Equifax consumers were stolen by the
attackers. The breach also impacted residents of the United Kingdom and Canada.
Choosing Between Security and Privacy:
is always asked to choose sides between privacy and security, which seems to be
incorrect after the Equifax breach. The Equifax data breach undoubtedly
challenges that way of looking at things that says privacy depends on
security, and vice versa. In the Equifax case, the privacy of more than 143
million customers was compromised or violated. This breach of privacy has introduced
a further potential risk of cascading breaches where security is based on the
details which have already been stolen, like social security numbers, driver's
license numbers and other sensitive personal information.
There is no doubt that better security leads to greater privacy protection for
consumers whose data is aggregated by companies, but an increased emphasis on improving
the privacy protection of the data will further help to create a culture that
values security, a culture that is willing to put forward the needed effort to
ensure its security. Security is not an end but a mechanism to protect
important values, and privacy is one of them.
Timing is Key in Reporting to the Stakeholders
It has been discovered that Equifax had discovered the breach in their system
on July 29 but still did not disclose it, kept it secret for a month,
and reported it on September 7. As per the European regulatory mandate, a breach
must be notified within 72 hours, and if there are any delays then they should be
explained to the notifying party.
The notification of the breach should not be arbitrary or an afterthought. The
length of time a company takes to report a breach should be determined
based on the following: would buying more time to report the breach and making
a more organized response reduce the impact of the breach or the cyber damages that
the breach would do, or would it be better for the affected individuals to act
earlier, as soon as the breach has happened, to reduce some of the potential
One of the assumed reasons behind Equifax taking extended time to report
the breach was that they wanted to sell their stocks before declaring the
breach, which is highly unacceptable. This extended period of time further
blemished the company's image.
A company should have a pre-defined timing and post-breach strategy to minimize
the effect of the breach and should take responsibility for notifying all its
customers about the breach within a reasonable period of time after the breach. If
companies are expected to provide guidance to their customers on how to deal
with the breach, then they should provide guidelines beforehand. If it's
not possible to provide the guidelines before the breach, then the guidance
should be provided within a reasonable period of time, and if not, then the
company should take full responsibility for its inability to
provide the guidance, as they are by law obliged to protect the identity of
Preparation is Key:
Based on the response from Equifax, we can say that they were not prepared for a
data breach of this magnitude. The reason behind the breach might be the
inadequate cyber security they had, but the response after the breach was highly
irresponsible and publicly unacceptable from such an esteemed organization.
Assessment Should Be Done – Cyber security preparation is a strategic business
decision and it should be made at the top office. Having a proper
assessment done is the best decision any organization can take in favor of protecting
its business data. Not every business needs to be a level 5 security business.
The more cyber security protection an organization has, the more freedom and
flexibility it gives up. So it is important to have a qualified partner do the
assessment, one who can determine how much cyber security is required.
Proactive Cyber-Security Monitoring:
With the advancement in technology, cyber-attacks too are getting more
common. Proactive monitoring allows teams to understand how services are
performing, along with identifying potential areas of risk 7 days a week, 24
hours a day. Proactive monitoring devices help in monitoring any unusual
activity and proactively report such suspicious activities. It's better for an organization
to use these proactive monitoring tools to monitor cyber-attacks instead of
reacting post-breach.