1
Equifax Data Breach Analysis
Linlan Chen Rouying Tang Mustafa Aydin Somayeh Keshtkar Khawlah Alswailem Adam M Joskowicz
2
Agenda
- Equifax Background
- What Happened?
- How Did It Happen?
- Impact to the Business
- Missing Controls
- Recommendation
- References
3
Equifax background and industry
- Consumer credit reporting agency
- 800 million individual consumers
- US$ 3.1 billion in annual revenue
- 9,000 employees in 14 countries
- Operates or has investments in 24 countries
4
Achievements for the company
- Top 100 American Banker FinTech Forward list
- Top Technology Provider on the FinTech 100 list
- InformationWeek Elite 100 Winner
- Top Workplace by Atlanta Journal Constitution
- One of Fortune’s World’s Most Admired Companies
- One of Forbes’ World’s 100 Most Innovative Companies
5
Information
- Names
- Social Security numbers
- Birth dates, addresses
- In some instances, driver’s license numbers
- Credit cards
6
Company Timeline
7
What happened?
- On Sept. 7, 2017, Equifax discovered that an application vulnerability on one of its websites had led to a data breach that exposed
- The breach was discovered on July 29
- Equifax suffered one of the largest data breaches ever, affecting about 143 million consumers in the US
- Consumers in the UK and Canada were affected as well
- People’s credit card numbers and the personal identifying information of 182,000 consumers were stolen
8
How did it happen?
- A tool called Apache Struts
- Equifax was aware of the vulnerabilities
- It took a long time for the vulnerability to be identified and patched
- It took a month to alert its customers and shareholders about the hack
9
Root Cause of the Issue
- Attackers entered Equifax's system in mid-May through a web-application vulnerability that had a patch available in March.
- The vulnerability that attackers exploited to access Equifax's system was in the Apache Struts web-application software, a widely used enterprise platform.
- The CVE Apache Struts vulnerability is the root cause behind the Equifax data breach.
10
Root Cause of the Issue
11
Root Cause of the Issue
“Patching can take time, even for large corporations with dedicated security staff, which Equifax presumably had.”
The process of patching the flaw isn’t as simple as just downloading. It involves:
- Vulnerability Identification and Patch Acquisition
- Risk Assessment and Prioritization
- Patch Testing
- Patch Deployment and Verification
The Equifax data compromise was due to Equifax's failure to install the security updates provided in a timely manner.
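The identification and prioritization steps above can be automated against a software inventory. The following is an added example, not part of the original presentation: it flags deployments still below a fixed version once the patch has been available longer than policy allows. The advisory id, versions, host names, SLA values and exact days are constructed; the slides only give "March" for the patch and "mid-May" for the intrusion.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Advisory:
    ident: str
    component: str
    fixed_in: tuple        # first version that contains the fix
    patch_released: date
    severity: str          # "critical", "high" or "medium"

@dataclass(frozen=True)
class Deployment:
    host: str
    component: str
    version: tuple
    internet_facing: bool

# Assumed policy: maximum days a released patch may stay unapplied.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed sample data (placeholder id, versions and hosts).
ADVISORIES = [Advisory("ADVISORY-PLACEHOLDER-1", "apache-struts",
                       (2, 0, 5), date(2017, 3, 15), "critical")]
INVENTORY = [
    Deployment("public-web-01", "apache-struts", (2, 0, 3), True),
    Deployment("intranet-app-01", "apache-struts", (2, 0, 5), False),
    Deployment("batch-host-01", "apache-struts", (2, 0, 1), False),
]

def overdue_patches(inventory, advisories, today):
    """Return (host, advisory, days_exposed, days_overdue), worst first."""
    findings = []
    for adv in advisories:
        for dep in inventory:
            if dep.component != adv.component or dep.version >= adv.fixed_in:
                continue   # different software, or already on a fixed version
            exposed = (today - adv.patch_released).days
            # Assumed policy: internet-facing systems get half the window.
            limit = SLA_DAYS[adv.severity] // (2 if dep.internet_facing else 1)
            if exposed > limit:
                findings.append((dep.host, adv.ident, exposed, exposed - limit))
    return sorted(findings, key=lambda f: -f[3])

if __name__ == "__main__":
    for row in overdue_patches(INVENTORY, ADVISORIES, date(2017, 5, 15)):
        print(row)
```

Run against the constructed mid-May date, both unpatched hosts are reported, with the internet-facing one first because its allowed window is shorter.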
12
Consequences | Impact to the business
Impact on Consumers:
- 143 million US consumers:
  - Social Security Numbers
  - Drivers’ License Numbers
  - Birthdates
  - Addresses
  - Credit Card Numbers
- Affecting at least 44% of the American population
- Equifax added that 209,000 credit card numbers were stolen, in addition to "certain dispute documents with PII for approximately 182,000 U.S. consumers."
- Others in the U.K. and Canada were also impacted, but Equifax hasn't said how many.
13
Consequences | Impact to the business
Financial Loss
- Estimated: after insurance, costs tied to dealing with the crisis could run between $200 million and $300 million.
- According to attorneys in Chicago:
  - Equifax will pay more than $1 billion
  - Most of the cash going directly to those affected.
- Offering 12 months of free Trusted ID Premier credit monitoring

Investors
- Wall Street has rendered an estimate: $4 billion in lost stock market value
- Equifax shares have dropped over 20%
- Investors are bracing for lawsuits, lost business, and increased regulation.
- Three Equifax top executives sold shares in the company days after the breach was discovered, but not announced...
14
Consequences | Impact to the business
Reputational Loss
- CFO: John Gamble Jr.
- Workforce Solutions President: Rodolfo Ploder
- U.S. Information Solutions President: Joseph Loughran
- Combined, they sold nearly $2 million in shares in the company days after the cyber attack

Congressional Scrutiny
- Justice Dept, SEC holding open investigation
- Multiple hearings
- Ex-CEO Richard Smith set to testify before four separate congressional committees
15
Consequences | Impact to the business
Reputational Loss (Cont.)
Richard Smith
In an interview with The Atlanta Business Chronicle on August 1st, two days after the breach was discovered, Smith described the keys to a CEO building a higher level of trust:
"Transparency, candor, consistency, and humility. Employees want an appropriate level of transparency about decisions and they expect us to be candid with them. Employees will detect a disconnect in a heartbeat, so we must be consistent in our words, our actions, and appearances. The final ingredient depends on the CEO. We have to remain humble if we’re going to build trust. That means not just listening to people at all levels, but trusting that what they have to say matters. Leaders in particular must build trust by giving trust."
Buried in the Terms of Service: language barring those who enroll in the Equifax credit checker program from participating in any class-action lawsuits that may arise from the incident.
16
Consequences | Impact to the business
Eric Schneiderman, NY Attorney General
- Took action publicly and privately
- One of many public figures who publicly criticized Equifax for the weak apology as well as the embedded language.
17
Missing Controls
1. Patch Management Governance
Patch management should be based on an assessment that balances the security and downtime risk of a security breach with the cost, disruption and availability risks associated with frequent and rapid deployment of software patches.
18
Missing Controls
2. Defense in Depth
- Using a typical web application architecture without enough defense in depth.
- The web application has full read and write access to the underlying data store.
- The web application code is the sole arbiter of access.
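One way to stop the application code from being the sole arbiter is to have the data store itself enforce a narrow role for the web tier. The following is an added example, not part of the original presentation: it uses SQLite's authorizer hook as a stand-in for database-side grants, and the schema, column names and record are constructed.

```python
import sqlite3

# Columns the web tier never needs in clear text (constructed schema).
SENSITIVE = {("consumers", "ssn"), ("consumers", "card_number")}

def build_store():
    """Create a constructed consumer table with one obviously fake record."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE consumers "
               "(id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, card_number TEXT)")
    db.execute("INSERT INTO consumers VALUES "
               "(1, 'Test Consumer', '000-00-0000', '0000000000000000')")
    db.commit()
    return db

def web_tier_policy(action, arg1, arg2, dbname, source):
    """Rules enforced by the engine: read-only, never the sensitive columns."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:      # arg1 = table, arg2 = column
        if (arg1, arg2) in SENSITIVE:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY             # INSERT, UPDATE, DELETE, DDL, ...

def attempt(db, sql):
    """Run a statement; return its rows, or 'denied' if the engine refuses."""
    try:
        return db.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return "denied"

def demo():
    db = build_store()
    db.set_authorizer(web_tier_policy)     # from here on: restricted role
    return {
        "lookup": attempt(db, "SELECT id, name FROM consumers WHERE id = 1"),
        "dump": attempt(db, "SELECT * FROM consumers"),
        "ssn": attempt(db, "SELECT ssn FROM consumers WHERE id = 1"),
        "tamper": attempt(db, "UPDATE consumers SET name = 'x' WHERE id = 1"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Even if the application layer is fully compromised, queries issued over this connection cannot read the sensitive columns or modify data; on a server database the same effect comes from a separate low-privilege account for the web tier.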
19
Missing Controls
3. Inefficient use of IDS (Intrusion Detection System) or IPS (Intrusion Prevention System)
- Executives should give power to risk assessment management [teams] and hire reputable third parties to audit their security policies.
- Equifax could have patched the vulnerability or received alerts through an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System).
- Both are built to detect network behavioral changes, so if a company has segmentation in place, they can kill a network connection where needed to avoid losing vital data.
20
Recommendation
“Effective cybersecurity requires consistent, comprehensive, timely patch management for all of your critical clients, servers, applications, and operating systems.”
The first five of these Controls, listed below, can eliminate the vast majority of cybersecurity vulnerabilities, and patch management is essential to maintaining secure hardware and software configurations.
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
21
CONCLUSION
Data breach.
We need to pay more attention to protecting confidential information!!!
22
REFERENCES
23
Questions? THANKS!