For the exclusive use of Z. Liu, 2020.

9-118-031
REV: APRIL 25, 2019

SURAJ SRINIVASAN
QUINN PITCHER
JONAH S. GOLDBERG

Data Breach at Equifax

It was October 4, 2017, and Richard Smith, the former CEO of Equifax, had just finished testifying before the U.S. Senate Committee on Banking, Housing, and Urban Affairs. He had been called before the Committee to address the data breach Equifax had experienced between May and July earlier that year, which exposed personal information about over 145 million Americans. Smith had resigned just over a week earlier, the latest casualty of the massive crisis at the credit reporting agency, which had claimed the jobs of two other executives and spawned insider trading allegations, investigations, and dozens of lawsuits.[a]

Observers were critical of Equifax’s cybersecurity preparedness, as reports surfaced that the company had been notified about the software vulnerability exploited by its attacker in early March but had failed to fix it on time. They were also critical of the company’s response to the breach, especially the delay between when Equifax discovered the breach (July 29) and when it disclosed it to the public (September 7). Others questioned why the board was not notified until three weeks after the breach was uncovered and whether the board’s response was adequate.

Smith’s replacement, interim CEO Paulino do Rego Barros, Jr., and the board needed to respond to these criticisms. Facing an onslaught of lawsuits and investigations, Equifax had to improve its cybersecurity systems and convince both consumers and public officials that it remained a reliable steward of sensitive information. Accomplishing this, however, appeared easier said than done.

[a] The multiple congressional investigations into the breach (by the Senate Committee on Banking, Housing, and Urban Affairs, the Senate Committee on Homeland Security and Government Affairs, and the House of Representatives Committee on Oversight and Government Reform) produced a number of reports detailing the causes and consequences of the exfiltration of consumer data. These reports will be referenced throughout the case as the products of Congressional investigations.

Professor Suraj Srinivasan and Research Associates Quinn Pitcher and Jonah S. Goldberg prepared this case. This case was developed from published sources. Funding for the development of this case was provided by Harvard Business School and not by the company. HBS cases are developed solely as the basis for class discussion. Cases are not intended to serve as endorsements, sources of primary data, or illustrations of effective or ineffective management.

Copyright © 2017, 2018, 2019 President and Fellows of Harvard College. To order copies or request permission to reproduce materials, call 1-800-545-7685, write Harvard Business School Publishing, Boston, MA 02163, or go to www.hbsp.harvard.edu. This publication may not be digitized, photocopied, or otherwise reproduced, posted, or transmitted, without the permission of Harvard Business School.

This document is authorized for use only by Zeen Liu in ITEC 467-667 Cybersecurity Governance taught by Heng Xu, American University from Aug 2020 to Dec 2020.

Equifax

Founded in 1899, Equifax Inc. (Equifax) was a U.S. credit reporting company. Along with Experian and TransUnion, Equifax was one of the three main credit reporting companies, responsible for collecting and providing information on income and credit-worthiness to organizations and individuals. “Powering the world with knowledge,” the company’s slogan, captured its aspirations.
The company wrote in its 2016 annual report that: We leverage some of the largest sources of consumer and commercial data, along with advanced analytics and proprietary technology, to create customized insights which enable our business customers to grow faster, more efficiently and more profitably, and to inform and empower consumers.