Subject Code :- PICT840
Title :- Cyber Crime And Cyber Policing
Living in a Post-Identity Theft World: A Case Study on the Equifax Hack
I. Introduction :-
On September 7, 2017, Equifax one of the largest aggregators of personal consumer data in the world announced that data had been breached from its servers.1 In a press release, Equifax said “approximately 143 million U.S. consumers” were potentially affected by the breach.2 Equifax also stated that “limited personal information for certain UK and Canadian residents” was also accessed.3 In the ensuing months Equifax experienced upheaval in the senior ranks of its executive teams, had its former CEO grilled by the U.S. Congress in the presence of a Monopoly character, unwittingly directed worried consumers to a phishing site was skewered by elite tech media companies and leading researchers and became a case study on what not to do after experiencing a data breach.
PICT840 Cyber Crime And Cyber Policing Assignment
This paper explores the 2017 Equifax data hack. It begins with a chronology and technical explanation of the hack. It then looks at the investigation, initial public disclosure and response, subsequent disclosures of additional affected users, and the remediation actions taken in the wake of the hack. Next it looks at adjacent issues related to the hack that caused additional reputational damage such as criminal allegations and convictions of insider trading by senior leadership. Finally the paper looks at what the hack means to consumers across the globe.
II. The Motherlode
Most companies engaged in electronic commerce use low-fee or free software to create their web-based systems. From PHP and Python to Lunix and Apache vulnerabilities exist across most software used to power the web. The sheer number of installations of this software is helpful to both hackers and IT security personnel alike. It is helpful to hackers because they can focus much of their efforts on targeting known vulnerabilities, with a plethora of targets available to attack. But it is also helpful to IT security personnel because security researchers all over the world are consistently searching for and reporting previously unknown vulnerabilities. Most hacks that lead to data breaches occur when there is a disconnect in time between discovery of these vulnerabilities and the time the vulnerabilities are patched by security personnel. Many times this occurs because of the original bug human error. In the case of the Equifax hack this was the crux many problems in more ways than one.
In late February 2017 a security researcher discovered a vulnerability that affected the Jakarta Multipart parser in certain versions of the Apache Struts 2 software, and on March 6th the Apache Software Foundation4 released a patch to fix it.5 On March 10, 2017, the vulnerability was added to the National Vulnerability Database (NVD) by the Apache Software Foundation. 6 This vulnerability was given a CVSS
PICT840 Cyber Crime And Cyber Policing Assignment
over all score of 10 and dubbed critical issue.7 Specifically, the vulnerability “allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.”8 In layman’s terms the bug allowed anyone on the web, with the right freely-available software, to write a script send it to a website and eventually take complete control of its server. Once inside the web server, the remote user may be able to laterally navigate through to any other system connected to the web server. On the same day the venerability was added to the NVD, hackers discovered that an online dispute portal run by Equifax was affected by the venerability,9 and by May 13, hackers had slipped into Equifax’s network where they would stay until at least July 30th, siphoning the data of over 100 million consumers from its systems.10 During the attack the hackers also setup about 30 secret pages to act as backdoors which would allow continued access to the network in case the original vulnerability was patched.11 It is unclear from publicly available data if there was any exfiltration of data through these backdoors after July 30th. So when did Equifax realize something was amiss?
According to former CEO, Richard Smith, Equifax first received notification of the Struts 2 vulnerability on March 9th after receiving a warning from the U.S. Department of Homeland Security’s Computer Emergency Readiness Team.
12 At that time, Equifax disseminated the warning to the proper internal channels of its security teams.13 On March 15, the security teams ran scanners on systems that may have been affected by the vulnerability, but the scanners failed to identify the affected servers.
14 Thus the servers were not updated with the patch. Four months later, on July 29th, security personnel at Equifax noticed “suspicious network traffic associated with . . . the online dispute portal [and] . . . blocked [the traffic.]”15 The next day, “additional suspicious activity” was observed, and Equifax took the dispute portal offline.16 The then-CEO, Richard Smith, was told about the suspicious activity on July 31st, and security incident response protocols were initiated on August 1st. 17
III. Trusting the Process Even When It Goes Wrong
A. The Investigation
Per the procedures in its security incident response, Equifax “(1) retained the cybersecurity group at the law firm of King & Spalding LLP to guide the investigation and provide legal and regulatory advice (2) engaged . . . the independent cybersecurity forensic firm, Mandiant, to investigate the suspicious activity and (3) contacted the Federal Bureau of Investigation”18 Equifax’s internal security team and Mandiant spent several weeks analysing forensic data to determine how the hack occurred whether the attack was on going and what data if any had been exfiltrated.19 On August 17th the senior leadership team had a debriefing on the status of the investigation and learned that large volumes of consumer data  had been compromised. 20 On August 22nd Equifax’s presiding director of the Board of Directors Mark Feidler and some business unit heads were notified of the data breach21 And by August 25th all of the Board of Directors was made aware of the issue.
22 “[A] list of approximately 143 million23 consumers whose personal identifying information [(PII)] was believed to have been impacted was created by September 4th and a strategy for public disclosure was being developed.24 As part of this strategy Equifax (1) setup a new website at the URL equifaxsecurity2017.com where consumers would be able to seek information on the breach (2) prepared a dedicated call centre to field consumer questions and (3) prepared to launch a free credit monitoring and “identity theft protection package for all U.S. consumers.”25
On September 7th, Equifax published a press release informing the public that a cybersecurity incident potentially impacting approximately 143 million U.S. consumers had occurred.26 The press release stated [t]he information accessed primarily includes names, Social Security numbers, birth dates addresses and in some instances driver’s license numbers.”27 It also said that “credit card numbers for approximately 209,000 U.S. consumers and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, [was] accessed.28 It continued, stating it “also identified unauthorized access to limited personal information for certain UK and Canadian residents.”29 Further the release noted the credit monitoring and identity theft products available, informed consumers about the call centre and the new website where they could find out if they were likely affected by the breach and stated Equifax would “send direct mail notices to consumers whose credit card numbers or dispute documents with [PII] were impacted.”30 Finally the release included an apology from Richard Smith that said “I apologize to consumers and our business customers for the concern and frustration this causes”.
B. Issues in the Response
Public condemnation of the response began immediately after the announcement. The denouncements ranged from issues related to the fact that Equifax hadn’t patched a known critical vulnerability and the amount of time that passed before it publicly announced the breach, to multiple issues about the informational website itself. Many commenters also raised the alarm on this being one of the most serious breaches of data to ever occur. One of the first pieces written on the breach was released by the New York Times on the day of the Equifax announcement. The piece noted security researchers were criticizing Equifax for the fact that its primary product personal consumer data was compromised via a “simple website vulnerability”.
32 One researcher explained that “Equifax should have multiple layers of controls.33
After a better understanding of the attack vector used, a remote command execution with an existing patch came to be known and ARS Technica implied the breach occurred because the labour-intensive software patch procedures had not been followed using a graphic of Rodin’s Thinker performing a face palm to help ascribe the publishers view of the matter.34 ARS Technica also noted roughly 44 percent of the U.S. population was potentially affected and the breach was “very possibly  the most severe . . . for a simple reason: the breath-taking amount of highly sensitive data it handed over to criminals.”35
The time between discovery and disclosure was also an issue for many. State-level law enforcement officials and lawmakers were quick to chime in, with questions coming from at least five state attorney generals in the month after the disclosure.36 The attorney general of Massachusetts was so concerned she filed a lawsuit alleging Equifax failed to provide ‘timely notice in September.37 Some lawmakers also started a push for national standards on disclosure times for data breaches,38 but over a year later those have still not materialized in the U.S. Additionally some professionals in the field explained the need to balance the risk of disclosure of incomplete information about a breach, the need to give immediate information to consumers is not always an easy task, and any federal legislation needed to be crafted in a thoughtful way.39
PICT840 Cyber Crime And Cyber Policing Assignment
The equifaxsecurity2017.com domain was another point of contention. The domain had many issues including: (1) not initially being registered to Equifax (2) having a name that could easily be spoofed (3) asking users to input more data about themselves (4) not being robust enough and (5) serving as an attempt to railroad consumers into a forced arbitration clause. First it was reported that the domain was initially registered to an entity other than Equifax.40 There was also apparently a security certificate problem which caused users of Cisco’s OpenDNS service to have access to the site blocked in their browsers. Next the name was easy to spoof. When setting up domains many companies purchase similar domain names that could be used by phishing sites.
However Equifax did not have the foresight to take this preventive step and a developer setup a similarly named site.41 Nick Sweeting setup a domain named securityequifax2017.com copied the full html from the actual Equifax domain and set a banner at the top reading Cybersecurity Incident & Important Consumer Information Which Is Totally Fake Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”.42 Not only was he able to do this Equifax’s own official twitter account tweeted links to the fake site multiple times telling worried consumers to look there for assistance.43 Another issue with the site was the fact that it asked consumers to enter their last name and last six digits of their social security numbers. Given that the company had just experienced a data breach asking consumers whose data may not already be in Equifax’s system though unlikely to enter in more info about themselves in order to find out if they were possibly affected did not sit well with many consumers. Another issue raised by researchers was the fact that the website continuously timed out likely because of the incoming volume of traffic.44 To compound the issue at least one reporter after finding the website unresponsive also had trouble being connected on the customer support number phone number given in the disclosure.45 The website traffic issues and lack of staff to handle the incoming calls also made its way into the Congressional hearings featuring former CEO Richard Smith in October.46
The final major issue complained about was the credit monitoring signup. As previously mentioned when loading the page, consumers were asked to enter PII into the system to discover if they had been affected by the breach. When a consumer took this action and when the site worked it did not positively confirm if the consumer was affected instead it just said Thank You” and directed the consumer to wait until a certain date in the future and browse to a different URL faq.truste did premier.com in order to enrol in credit monitoring on or after the date displayed.47 Then when the date arrived and the consumer went to sign up for the identity theft protection being offered the terms of service (TOS) of the product included a clause mandating arbitration regarding any future dispute with Equifax regarding the product.48 To be fair forced arbitration clauses are the norm in terms of service on most web-based and non-web based products and the language was likely copied from other TOSs that were on the computers of corporate counsel.49 But the fallout over this particular issue caused quite a commotion in the press and in many consumer’s minds, up to and including an interesting situation that arose during the Congressional hearings.
When Richard Smith was giving his testimony to the Senate Committee on Banking Housing and Urban Affairs in October Amanda Werner a consumer protection advocate from Public Citizen was seated a few rows behind Smith.50 Werner was also dressed head to toe in a costume posing as the world wide known Rich Uncle Money bags complete with top hat white moustache monocle tuxedo and a wad of fake money to wipe her brow.
51 She was dressed this way throughout the hearing to bring attention to the arbitration clause, a major issue of her advocacy. In the days after the breach Equifax did release a statement saying it would not force consumers to abide by the forced arbitration clause for those that agreed to it,52 though, because of integration clauses in the TOS this statement doesn’t necessarily have any legal bearing on the matter under U.S. contract law in most states. Equifax also amended the TOS applicable to future users of the site.53
C. Additional Releases and Post-Response Issues
After the forensic investigation was completed on October 2nd Equifax released an updated statement announcing an additional 2.5 million consumers were also affected bringing the total number of U.S. consumers reported up to 145.5 million. 54 But this number would again be adjusted upward to 146.6 million U.S. consumers in a disclosure to the SEC in May 2018.55 The statement also revised the number of Canadian customers from a previously released number of 100,000, down to 8,000 and promised to send letters to the additionally affected U.S. and Canadian consumers. 56 The statement also had a new apology this time from Interim CEO Paulino do Rego Barros Jr.57 A few days later, Equifax Ltd (U.K.) released a statement with updated numbers affecting U.K. consumers totalling 15.2 million.58
PICT840 Cyber Crime And Cyber Policing Assignment
IV. The Fallout for Equifax: What Else Could Go Wrong?
In the aftermath of the data breach Equifax faced a shake-up of its leadership structure additional hacks the loss of a major government contract a falling stock price lawsuits and allegations and convictions of criminal behaviour.
On September 15th 2017 Equifax announced personnel changes to the leadership team in a press release and after being presses by CNN Money released an updated press release confirming the Chief Security and Chief Information Officers of the company were retiring.59 Later in the month on September 26th the retirement of CEO Richard Smith was announced after he was called on to testify before Congress.
60 But the security woes for Equifax continued to mount. On October 11th a security researcher discovered while browsing Equifax’s site that a malicious and fake Flash Player update tried to run on his computer.61 Equifax would later release a statement assuring the public that this code was due to a third-party vendor and that they could confirm [their] systems were not compromised and that the reported issue did not affect our consumer online dispute portal. 62 As a result of the presence of this code the Internal Revenue Service temporarily suspended a lucrative contract with Equifax.63 Its contract was also not renewed,64 likely in part because of the various Equifax data security issues.
Another issue found by a researcher showed that using the data gained from the original hack an actor could retrieve the salary history of hundreds of thousands of employees of corporations government agencies and universities through the weaknesses found in an Equifax subsidiary’s website.65
Other financial and legal issues also plagued Equifax after the breach. Hundreds of class-action lawsuits were filed against Equifax in the months after the breach, including a rare 50-state law suit.66 But a year later none of these lawsuits have had a jury empanelled and Equifax is fighting to have all the law suits dropped. Additionally some consumers used localized small claims courts to sue Equifax with some winning as much as $7,400.67 The stock price of Equifax also took a hit.
On September 6th, 2017 the closing price was $141.39 USD, and by September 15th the closing price was $92.98 USD, a 34.2% decrease. 68 But the markets forget quickly or don’t care about consumers and by September 6th 2018 the closing price had mostly recovered at $135.76.69 Additionally although the breach may have cost Equifax its entire $200 million direct-to-consumer business that makes up only about 6% of its total revenue 70 and its adjusted earnings in Q2 of 2018 were higher than expected.71 Finally it seems Equifax hasn’t lost any major clients due to the breach 72 but they have lost a few additional team members.
When the Equifax breach was revealed it also came to light that three top executives had sold stock between the tie of the actual breach and the time of the disclosure.73 Some high-profile people in finance and politics were calling for their heads.74 How ever a special committee setup by Equifax cleared the executives said they had followed all the rules, and were not aware of the breach at the time of sale.75 That doesn’t mean that no one at the company cheated though. The SEC has indicted two former employees of Equifax for making trades after learning of the breach, including a software engineering manager and the Chief Information Officer of the North American Division.76 Over all Equifax has probably come out of the data breech with many scars but very little damage. But who attacked them in the first place?
PICT840 Cyber Crime And Cyber Policing Assignment
V. So Who Attacked Equifax?
Since the breach little has been publicly revealed about the investigation techniques and methods to find the identity of the intruders. The FBI has not released an official statements on the matter and Mandiant has only said that although there are some indications that a nation state may be involved there is no concrete proof of that conclusion.77 Because of the secrecy of the investigation it is very difficult to gain any substantive knowledge on the matter, and thus, the question of who hacked Equifax may remain eternal.
As has been shown, the reasons behind Equifax being hacked, and the poor responses to the data breach mostly revolve around human error. Humans disregarded the warnings of the vulnerability, humans made decisions to use an unnatural domain for consumers humans setup that domain in a rushed way that caused alarm from security researches humans pointed affected members of the public to a possible phishing site humans tried to shield the company from liability and inserted an arbitration clause into the TOS and humans decided to take likely criminal actions to make money off the breach.
One of the bigger societal problems in the hack is the misaligned incentives for a company like Equifax to take security seriously.
They lost very little in financial value, and since the people affected were not their customers they seemed to take little regard in ensuring the response was helpful to those people. In the final aftermath the U.S agency in charge of protecting consumers has recently all but washed its hands of the probe into the breach 78 and a human made that decision too. Overall the Equifax breach is one of the largest breaches of data in history but it likely will not maintain that place for long. It may also be the most dangerous breach we have ever encountered. As recently pointed out by Smith & Mulrain the data held by providers like Equifax include “the most intimate details of Americans’  lives,79 and “[t]he national security implications . . . are un precedented.”80 In the end, humans must be more careful, because they are the key. But when the consumers are not customers but instead they are the product there may be little hope of main taining one’s own security in this post-identity theft world.
Excellent Assignment Help
We Aim At:
- Lowest Price.
- 100% Uniqueness.
- Assignment Fastest Delivery.