Beginning on May 13, 2017, hackers successfully breached Equifax’s customer dispute portal. The hackers exploited an Apache Struts vulnerability, a months-old issue that Equifax knew about but had failed to patch, and gained access to login credentials for three servers. Those login credentials in turn allowed the hackers to access another 48 servers containing personal information. The hackers spent 76 days within the Equifax network before they were detected. Equifax did not discover the attack until July 29 and cut off the hackers’ access on July 30. The breach exposed the personally identifiable information of over 147 million Americans, including social security numbers, names, addresses, birthdates, credit card numbers and driver’s license numbers. Personally identifiable information of British and Canadian citizens was also compromised.

In your initial post, please answer both of the following questions:
- Choose a federal law (Equifax is a credit reporting agency and is subject to special laws), a US state data breach law, or the EU GDPR (check our reading materials and PowerPoint slides, the links below, and ncsl.org for descriptions of applicable law) and explain how it applies or has already been applied to Equifax for its data security breach. You may use the FTC settlement page as a source for your discussion or include a discussion of any private litigation. Alternatively, since four members of the Chinese People’s Liberation Army have recently been indicted, you may choose to discuss whether this indictment represents an example of state-sponsored cyber warfare. Remember to distinguish in your own mind between Equifax’s liability for the security/data breach and the hackers’ liability for carrying out the breach.
- Using your best judgment, what would you recommend for creating and maintaining an infrastructure at Equifax that would most robustly and effectively protect against future breaches and the liabilities resulting from them? Include any specifics you are familiar with, such as hardware and software recommendations, compliance with specific US and international laws, industry best practices, and any appropriate third-party vendor solutions.