Case 9 - Case study PDF

Title Case 9 - Case study
Author Alan Liu
Course Business Information Systems I
Institution Ryerson University

Case Study 8 – “Is the Equifax Hack the Worst Ever – and Why?”

By: Alan Liu

161

Submitted To

Dr. Middleton

Ted Rogers School of Information Technology Management

In partial fulfillment of the requirements for ITM102 – Business Information Systems I

November 5, 2019

Ryerson University


Summary: This case study discusses the lack of safety and the security dangers involved in credit reporting businesses such as Equifax. Credit reporting bureaus hold the personal information of tens of millions of people and play an indispensable role in assisting the financial needs of consumers. Due to its incompetence in management, organization and technology in the general security field, the company faced a security breach in 2017. The hackers gained access to its information system. This enabled them to obtain the economic information of tens of millions of consumers, such as names, social security numbers, addresses, driver's licenses, credit card numbers, etc. When this type of information is obtained by an unauthorized party, there is a risk that it will be used to commit fraud. Although this incident was a serious and troublesome event, the case discusses the lack of change in the business in relation to the ever-changing cyber market and the variables relating to those fields. Equifax failed to patch identified vulnerabilities in a timely fashion, which contributed to the worsening of the security breach. Given the sizeable quantity of information held within the company, the case additionally discusses the failure to upgrade its IT infrastructure through the company's expansion phase. These factors contributed to the creation of vulnerabilities at Equifax, allowing hackers to easily gain access to its information systems. Credit bureaus are accountable for constantly regulating the privacy of their accumulated data, as well as for additional aspects such as encryption, technology upgrades, and immediate attention to vulnerabilities to enhance security.


Question 1: Identify and describe the security and control weaknesses discussed in the case.

There were many security weak points discussed in the case study, both hardware-based and software-based. The first example, which was briefly touched on, was Equifax's inability to upgrade its hardware to keep up with its aggressive growth strategy, as the company was more focused on growing data. There is also a management factor involved, as the 2017 data breach involved a known vulnerability in Apache Struts that could have been patched months prior to the incident. Equifax's management issues also led to the company being behind on basic maintenance. This resulted in poor web service security, application security, and software patching. A security analysis done by Fair Isaac Corporation reported that Equifax had web issues such as expired certificates, making it difficult to validate that the user's connection to the website is secure and legitimate. Though these are the examples brought up in the case study, there were probably more factors involved leading to the second largest data leak in history.

Question 2: What management, organization, and technology factors contributed to these problems?

Management

- Recognize the outbreak of the breach and respond in a timely manner
- Failed to publicize the breach immediately after the incident
- As a result, three of the company's executive officers were let go

Organization

- Failed to expand their IT capabilities parallel to their expansion
- Unable to secure and control all parts of their security infrastructure
- Lack of security layers

Technology

- Lack of upgrades in regard to their computer hardware and software
- Prioritized their expansion rather than the cyber security of their data and expired certificates

Question 3: Discuss the impact of the Equifax hack.

The hack had a huge impact on both internal and external stakeholders. After the breach, Equifax let its Chief Executive Officer Richard Smith go, along with the Chief Information Officer David Webb and Chief Security Officer Susan Mauldin. As the news of the breach hit the market, Equifax's stock dropped to 2/3 of its original listing price on the New York Stock Exchange. Not only that, 147 million Americans were affected by the breach, with their stolen personal information floating around the dark web. This included social security numbers, driver's licenses, photos, addresses, as well as other information, all of which can be used to register a credit card. Although the impact was devastating, there were little to no government reforms set in place to prevent another breach.

Question 4: How can future data breaches like this one be prevented? Explain your answer.

Future data breaches can be prevented by improving the company's management, organizational priorities, and hardware and software technology. By improving management, the company will be able to stay up to date on the basic maintenance needed to identify vulnerabilities. Better management will be able to patch vulnerabilities as soon as they are discovered instead of when it is too late, as in the case of Equifax's 2017 breach. By re-evaluating a company's priorities and placing security above all else, the company will be able to divert more funding towards its IT department. This will allow the IT department to invest in up-to-date hardware, which in turn assists in developing more sophisticated IT software.

References

Laudon, K. C., & Laudon, J. P. (2019). Management information systems: Managing the digital firm. New York, NY: Pearson Education.
