Title: Equifax Data Breach – What happened? Who was affected?

What was
the impact? – An Ethical Case Study
Name: Prateen Balaji Ravikumar
Student ID: 23268650
Email ID: prateen.ravikumar2@mail.dcu.ie
Course Name: MSC Computing (Data Analytics)
Module code: CA640
Date of Submission: 17/11/2023

I acknowledge the University's stance on academic honesty and the seriousness of plagiarism. I'm
familiar with DCU's Academic Integrity and Plagiarism Policy and am aware of the consequences
for any violations. I have properly cited all information, thoughts, perspectives, and words from
other sources in my assignment. All materials from books, articles, the internet, and other
references are credited accordingly. Should I use generative AI or searches, I will detail this in an
appendix. The work I'm presenting for evaluation is solely my creation, except where referenced.
By moving forward with this submission, I attest to its originality and my understanding of DCU's
Academic Integrity and Plagiarism Policy.

Signed Name: Prateen Balaji Ravikumar

Date: 17/11/2023
Equifax Data Breach – What happened? Who was affected?
What was the impact? – An Ethical Case Study
1. Introduction:
Equifax Inc. is a prominent player in the global credit reporting sector, known for its significant
role in financial data analytics and consumer credit reporting. Founded in 1899 and headquartered
in Atlanta, Georgia, Equifax stands as one of the three major credit reporting agencies in the United
States, alongside Experian and TransUnion.

In September 2017, the world witnessed one of the most significant data breaches in history,
perpetrated against Equifax, one of the three largest credit agencies in the United States. This
breach compromised the sensitive personal information of approximately 147 million people,
including names, Social Security numbers, birth dates, addresses, and, in some cases, driver's
license numbers.

The Equifax breach transcended the typical concerns of financial loss, going to the heart of privacy
rights and the ethical stewardship of personal information. It raised pressing questions about the
obligations of companies to safeguard consumer data, the adequacy of existing cybersecurity
measures, and the ethical responsibilities in the aftermath of a breach.

2. Literature Review:
2.1 Seven Pillars Institute:
The Equifax Data Breach case study reveals significant flaws in the management of Credit
Reporting Agencies (CRAs), with Equifax being a prime example. The breach exposed the
personal information of millions, raising serious questions about data security and corporate
responsibility [1].

The institute discusses the ethical implications of the breach, focusing on Equifax's failure to
protect consumer data, transparency issues, and inadequate compensatory justice. It highlights the
increased responsibilities of CRAs due to their access to sensitive personal information and their
role in the economy [1].
2.2 Business Ethics Advisors:
This source emphasizes Equifax's ethical duties in terms of data security and transparency. The
breach was linked to a known vulnerability in Apache Struts, raising questions about the company's
internal controls and ethical practices. The delay in breach notification is critiqued for depriving
consumers and financial institutions of crucial response time [2].

Management and Governance Failure: It underscores the failure of Equifax's leadership in

adhering to its corporate code of ethics, especially in the context of insider trading allegations. [2]

2.3 Ethics Unwrapped:

The article provides an overview of the breach, noting it was not Equifax's first incident of data
compromise. It also discusses the company's previous breaches and their responses [3].

Corporate Response Analysis: It examines the timeline of Equifax's response to the breach,
highlighting the delay in public notification and the company's initial attempt to limit consumers'
legal rights when checking if their data was compromised [3].

3. Liffick’s Analysis on the Equifax Data Breach:

Liffick's analysis methodology will be applied in this section to analyze the Equifax Data Breach
that has occurred in 2017. This analysis involves the detailed case study on who was involved,
what was the impact, what happened after the legal considerations

3.1 The main players involved in the Equifax Data Breach included:
• Richard Smith: CEO and Chair of Equifax during the breach.

• Susan Mauldin: Chief Security Officer responsible for cybersecurity policies.

• David Webb: Chief Information Officer managing global technology strategy.

• Equifax's IT and Security Teams: Handled patch management and security

vulnerabilities.

• Hackers: Exploited the Apache Struts vulnerability to access Equifax’s data.

 • Federal Authorities: Including the FBI, FTC, and CFPB, which investigated the breach.

• Certain Equifax Executives: Investigated for possible insider trading related to the
breach.

3.2 Reduced List of the Equifax Data Breach:

CEO and Chair of Equifax, Chief Security Officer (CSO) of Equifax, Chief Information Officer
(CIO) of Equifax, Federal Authorities Agencies like the FBI, FTC, and CFPB, which conducted
investigations into the breach are the key players in this Data Breach.

3.3 Legal considerations in the Equifax Data Breach:

• Consumer Protection Laws: The breach raised issues concerning the violation of
consumer protection laws, as it involved the exposure of personal information of millions
of consumers.

• Data Breach Notification Laws: The delay in informing the public about the breach
brought into question the adherence to data breach notification laws, which require timely
disclosure of such incidents to affected individuals.

• Insider Trading Allegations: The sale of Equifax stock by executives before the breach
became public led to investigations for potential insider trading, a serious legal violation.

• Class Action Lawsuits: The breach led to numerous lawsuits from affected consumers,
alleging negligence and breach of contract among other claims.

• Settlements and Fines: Equifax faced significant fines and was required to make
settlements with various regulatory bodies and states, compensating for the breach and its
mishandling.

• Regulatory Scrutiny: The incident called for increased regulatory oversight of credit
reporting agencies to ensure better protection of consumer data.

3.4 Possible Options for Participants in the Equifax Data Breach:

• For Equifax:
 1. Implement stronger cybersecurity measures.
2. Revise internal policies for data protection and breach response.
3. Enhance transparency and communication strategies with consumers and
stakeholders.
• For Consumers Affected by the Breach:
1. Enroll in credit monitoring services.
2. Place fraud alerts or credit freezes on their accounts.
3. Participate in class-action lawsuits or seek individual legal redress.
• For Regulatory Bodies:
1. Increase oversight and regulations for credit reporting agencies.
2. Impose stricter penalties for data breaches and non-compliance.
3. Mandate regular audits and compliance checks.
• For Lawmakers:
1. Propose and enact legislation to strengthen data protection laws.
2. Consider establishing more stringent requirements for breach notifications.
• For the Cybersecurity Community:
1. Develop more robust security solutions and practices.
2. Share knowledge and collaborate on preventing similar breaches.

3.5 Possible Justification for Participants in Equifax Data Breach:

• Equifax's Response:
Justification could be based on the complexity and scale of the breach, requiring time to
accurately assess the impact and plan an effective response.
• Consumers Seeking Legal Recourse:
Justification lies in the need to hold Equifax accountable for the breach and to seek
compensation for potential damages suffered.
• Regulatory Actions:
Justified by the need to enforce existing data protection laws and to ensure similar breaches
are prevented in the future through stricter regulations.
• Legislative Responses:
 Justified as a means to strengthen data protection and privacy laws in response to growing
cyber threats and vulnerabilities in the digital age.

3.6 Key Statements in Equifax Data Breach:

• "The Equifax Data Breach exposed sensitive personal information of millions, highlighting
critical vulnerabilities in data security practices."

• "Equifax faced legal and ethical scrutiny for its delayed response and handling of the
breach."

• "The incident triggered a reassessment of regulatory frameworks governing data protection

and privacy."

• "Consumers impacted by the breach sought legal action, emphasizing the need for
corporate accountability in personal data management."

3.7 Questions raised in this case of in Equifax Data Breach:

• How did the breach occur despite existing cybersecurity measures?

• Why was there a delay in notifying the public and affected consumers?

• What steps did Equifax take to mitigate the impact of the breach?

• How effective were the regulatory responses and legal actions in addressing the breach?

• How can consumer trust be restored after such a significant data breach?

3.8 Analogies employes in this Equifax Data Breach Case:

• "A Fortress with a Forgotten Gate": This analogy could represent Equifax's
cybersecurity measures, which were extensive but failed to address a critical vulnerability,
much like a fortress that is well-guarded but has a neglected, unsecured gate.

• "Fire Alarm with a Delayed Response": This could describe Equifax’s delayed
notification to the public, similar to a fire alarm system that only alerts occupants long after
a fire has started.
 • "Patchwork Quilt with Missing Patches": This might represent the patch management
policy of Equifax, where the overall structure existed but critical components (patches)
were missing or not implemented in time.

• "Sinking Ship with Delayed Evacuation": This could analogize the situation of
consumers post-breach, where the necessary actions (like credit freezes and fraud alerts)
were akin to lifeboats deployed too late.

3.9 ACM Code of Ethics employed in Equifax Data Breach Case:

• Commitment to Public Good: The ACM Code emphasizes prioritizing public interest and
societal welfare. Equifax's delay in breach notification and inadequate preventive measures
demonstrate a failure in this regard.

• Avoiding Harm: The breach led to significant harm to millions of individuals,

contravening the ACM principle of avoiding harm to others.

• Honesty and Trustworthiness: Equifax's delayed response and initial lack of transparency
conflict with the ACM's emphasis on honesty in communications.

• Responsibility to Protect Privacy: The breach indicates a lapse in Equifax's responsibility

to protect the privacy and confidentiality of user data, a key tenet of the ACM Code.

3.10 Alternate Proposals for in Equifax Data Breach Case:

• Comprehensive Overhaul of Data Security Protocols: Implement state-of-the-art

cybersecurity measures, continuous monitoring, and rapid response systems. This approach
would significantly enhance data protection, building consumer trust and potentially
preventing future breaches. The downside is the substantial investment required.

• Minimal Compliance Approach: Do just enough to meet legal requirements without

proactively enhancing security systems. This approach saves costs in the short term but
leaves systems vulnerable to future breaches and erodes public trust.
 • Incremental Security Enhancements with Regular Audits: Gradually improve security
measures while conducting regular audits and transparency reports. This balanced
approach manages costs while progressively enhancing data protection, but may not fully
prevent breaches in the short term.

4. Conclusion:
The Equifax Data Breach case study serves as a crucial lesson in the realms of cybersecurity,
corporate responsibility, and ethical conduct. It underscores the profound impact of digital
vulnerabilities in an increasingly interconnected world. The breach not only exposed significant
shortcomings in Equifax's data protection measures but also highlighted the broader challenges
faced by entities holding sensitive personal information. The case reinforces the need for stringent
cybersecurity practices, transparent communication strategies, and a strong ethical framework
governing corporate actions. It acts as a stark reminder to all organizations about the importance
of safeguarding consumer data and the far-reaching consequences of failing to do so.

5. Bibliography/References:

1. Miyashiro, I. (2021). Case study: Equifax Data Breach. [online] Seven Pillars Institute.
Available at: https://sevenpillarsinstitute.org/case-study-equifax-data-breach/

2. Business Ethics Advisors | Ethics Experts. (2017). What are the Ethical Implications of the
Equifax Data Breach? [online] Available at: https://businessethicsadvisors.com/equifax-
data-breach/.

3. Ethics Unwrapped. (n.d.). Equifax’s Breach of Trust. [online] Available at:

https://ethicsunwrapped.utexas.edu/video/equifaxs-breach-of-trust [Accessed 27 Apr.
2020].

4. Thomas, Jason. (2019). A Case Study Analysis of the Equifax Data Breach 1 A Case Study
Analysis of the Equifax Data Breach. 10.13140/RG.2.2.16468.76161.
https://www.researchgate.net/publication/337916068_A_Case_Study_Analysis_of_the_E
quifax_Data_Breach_1_A_Case_Study_Analysis_of_the_Equifax_Data_Breach

5. Daswani, Neil & Elbayadi, Moudy. (2021). The Equifax Breach. 10.1007/978-1-4842-
6655-7_4. https://www.researchgate.net/publication/349557061_The_Equifax_Breach