
MANAGEMENT BRIEFING REPORT

EQUIFAX INC.

Marty Claw

COMM 3300

April 23rd, 2019

April 23, 2019

Mr. Luke Combs

Equifax Inc.

Chairman and CEO

1550 Peachtree Street, N.W.

Atlanta, GA 30309

Dear Mr. Combs,

Thank you for taking the time to introduce us here at AC Consulting, LLC to the current issues within Equifax. As mentioned during our presentation last week, we have researched the facts from the data breach at hand and have produced a few recommendations to improve on these measures.

Within this report, you will find our review and analysis of Equifax Inc., along with all changes and adaptations that AC Consulting recommends. This report will give you insight into our findings and main concerns regarding the issue at hand.

AC Consulting has generated this report to review the event in question with eyes on the consumers and stakeholders, along with recommended tactics that could be put in place to stop future incidents from happening at Equifax Inc.

If you have any questions or would like further information on the report, please contact AC Consulting.

Sincerely,

Marty Claw

Consultant

AC Consulting, LLC.

[email protected]

Table of Contents

List of Figures

Executive Summary

Research and Investigation

Company History

Severity of Breach

How it Happened

Equifax Response

The Aftermath

Recommendations: Crisis Management

References

List of Figures

Figure 1. Equifax Data Breach by Numbers

Figure 2. Equifax Data Breach Response Tool

Figure 3. Equifax Stock Decrease

Executive Summary

On July 29th, 2017, Equifax experienced one of the largest security breaches in United States history. Equifax took nearly 40 days to announce the breach to consumers, leaving them exposed to further risk without their knowledge. Hackers were able to steal the personal information of nearly 147.7 million Americans from the company’s servers. Information stolen during the breach included some of the following:

· Names

· Birthdays

· Social Security Numbers

· License Numbers

After the breach was brought to light, Equifax addressed it in ways that did not satisfy all its consumers and left most feeling more worried. Many consumers were looking for answers from a company that simply did not have them. Over the course of the next few months, more individuals were added to the list of those affected. It was not until about a year later that the full number of victims was counted and reported.

We highlight specific events in the company’s crisis management and identify areas for improvement. Some recommendations include:

· Address issue sooner

· Address media coverage properly

· Tackle any security issues at hand

· Communication across all channels

Equifax has never experienced a security breach this massive, and our hope is that, with the help of this report from AC Consulting, it will not experience one again or, in the unfortunate circumstance that it does, will handle it better.

Research and Investigation

Company History

Equifax Inc. is one of the largest consumer credit reporting agencies in the United States, supplying an extensive list of resources and services to consumers. The company offers information about consumers including insurance, finance, banking, and credit card information (Pollard, Forbes 2017). Equifax, which was founded in 1898, started out offering only insurance but has worked to expand its services throughout the years. Equifax offers consumers the ability to review personal information such as their credit score, but also provides this information to clients who are looking into the consumer.

Severity of the Breach

In July of 2017, one of the largest consumer credit reporting agencies experienced one of the largest data breaches recorded in United States history. The breach put the personal information of 147.7 million Americans in the hands of hackers, who had access to the information for weeks before the breach was fully addressed and stopped. With roughly 44% of the entire U.S. population affected, Americans were left living in fear, not knowing the extent of the information that was stolen. It took Equifax nearly a year to disclose the complete list of victims to the public. The information that was stolen from victims included names, addresses, birthdays, and Social Security numbers, along with multiple other areas of personal information.

Figure 1 From: https://www.marketwatch.com/story/the-equifax-data-breach-in-one-chart-2018-09-07, 2018

Equifax fully disclosed all the elements of data that were stolen, which can be seen in Figure 1 above. As seen in the figure, while names, dates of birth and Social Security numbers were amongst the most frequently stolen, elements such as phone numbers and driver’s license numbers were also taken. All of this information was in the hands of hackers, who were able to open accounts and make other fraudulent charges against the victims.

How it Happened

Equifax reported that the breach came from a flaw in a tool designed to create web applications. The company explained that the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java web applications (Weise, USA Today 2017). It was reported that Equifax knew about the flaw in the tool months prior to the breach, leaving it with room to correct the issue before a catastrophic event took place. If it was a known flaw, it needs to be clear how long the company knew about it and how long consumers’ personal information was left vulnerable to hackers and outside sources. In many cases, the software that was being used by the company is known as one of the safest, but only when it is appropriately monitored and protected. The biggest questions that have come from this event are how hackers were able to obtain all this information without anyone knowing, and why Equifax took so long to address and stop the attack.

Equifax Response

The company took approximately 40 days to disclose the data breach to its consumers and stockholders. When consumers were made aware that the breach took place on July 29th but that they did not learn about it until September 7th, they were in utter fear. To make matters worse, as stated above, Equifax confessed to knowing about the breach a few months prior to the full breach taking place. They noted that they found a flaw in the system but did not respond appropriately to stop it from getting any further. In response to the attack, Equifax offered consumers two tools to aid in the aftermath:

1. A webpage to detect if one is a part of the breach

2. The ability to lock accounts temporarily

Equifax quickly experienced a loud uproar from consumers who simply wanted to know if their information was breached, and exactly what information had been stolen from them. The company needed a way to address the concerns of millions of consumers at once, so it created this website. The webpage was set up to inform consumers whether the data breach had affected them. Upon the announcement of the breach, consumers were directed to the website, where they found a quick “look up tool” that would allow them to know in seconds if they were victims of this breach. Consumers had to input their last name along with the last six digits of their Social Security Numbers, and they were then told if their information had been breached. Equifax was quick to come up with this tool and tried to soothe upset consumers by assuring them that it was completely accurate.

Figure 2 From: https://www.cnbc.com/2017/09/08/equifax-response-to-data-breach-leaves-many-consumers-confused.html

Consumers were directed to the Equifax website, and after inputting their information into the breach lookup tool, they were shown a notification such as the one seen in Figure 2. Consumers reported that the tool did not always give them a definite yes or no, leaving them confused and even more worried (O’Brien, CNBC 2017).

Equifax also allowed consumers to lock their accounts for a brief time. This option was available to all consumers, even those who did not yet know if they had been directly affected. The biggest downside to this choice was that, although it sounds secure, it did not ensure that an account was safe from hackers. Besides the fact that the information was already out in the cyber world, hackers were still able to obtain information from other credit service websites such as TransUnion. Equifax also offered this service free for only 90 days; after the 90 days expired, consumers had the option of ending the account lock or paying a $5-$10 fee each month thereafter (O’Brien, CNBC 2017).

The Aftermath

With 147.7 million consumers affected, lawsuits emerged from all over the country. When the breach first became known, the total number of victims was at 145 million. After roughly a year, when the second round of victims became known, Equifax experienced an uproar of complaints, concerns, and lawsuits. Many consumers were at one point told they had not been affected, but after a second look, it was found that many had gone unreported due to the narrowed search of data stolen. Equifax not only experienced lawsuits from consumers; many stakeholders also filed lawsuits against the company. Most stakeholders were upset that communication within the company was so delayed, leaving them completely in the dark, that they chose to file lawsuits, and many sold their stock just days after the breach was confirmed (Consumer Reports, 2018).

Not only did Equifax experience many lawsuits, they also experienced a major decrease in stock prices. At the beginning of the breach, stock prices plummeted but began to slowly increase again after the breach was being handled. Then, after the announcement of the other 2.2 million consumers affected, stock prices took another hit in December of 2018, leaving the company scrambling and at an all-time low.

Figure 3 from https://www.marketwatch.com/story/the-equifax-data-breach-in-one-chart-2018-09-07

As seen in Figure 3, stock prices dropped dramatically from October 2018 and did not begin to rise until early 2019. Equifax will continue to feel the heat from this breach and will continue to see unexpected and dramatic changes within their stock prices over the next few years. It is hard for a company to bounce back from a data breach this large, but consumers will eventually feel comfortable trusting them once again (Owens, MarketWatch 2018).

Recommendations: Crisis Management

Equifax could improve in a few areas should it find itself in the midst of another security issue such as this data breach. To begin, this breach should have been addressed in a timelier manner. It is understandable for a company to want to wait until it has confirmed everything that has happened, but 40 days is excessive and inexcusable. The company also needs to communicate consistently across all channels, stakeholder groups and regions. Communication needs to be offered in language that everyone understands, not corporate or legal talk. It is scary to think that this major breach could have been avoided if Equifax had tackled the security issue when it first came into question. They did not act on the issue until full damage was done, leaving it beyond repair. Equifax also needs to work on its empathy about issues such as this.

Consumers noted that they felt the company did not show concern or make them feel that it genuinely cared about the situation it had put them through. Equifax needs to work not only on its announcement timeframe, but also on ensuring that consumers feel that the company cares and is working to make matters better for all involved. The way that a company responds to an issue such as this can help pave the way for how the situation will be handled and addressed by the consumers and stakeholders involved. It will take some time for Equifax to fully bounce back and regain the complete trust that was once invested in it, but if it works to ensure that security measures are taken and continues to work with those affected, it will be possible one day.

References

Consumer Reports. (2018, March 1). Equifax data breach affected 2.4 million more consumers. Retrieved from https://www.consumerreports.org/credit-bureaus/equifax-data-breach-was-bigger-than-previously-reported/

Johnson, A. (2018, May 8). Equifax breaks down just how bad last year’s data breach was. Retrieved from https://www.nbcnews.com/news/us-news/equifax-breaks-down-just-how-bad-last-year-s-data-n872496

Owens, J. (2018, Sept 10). The Equifax data breach, in one chart. Retrieved from https://www.marketwatch.com/story/the-equifax-data-breach-in-one-chart-2018-09-07

Pollard, J. (2017, Sept 8). Equifax does more than credit scores. Retrieved from https://www.forbes.com/sites/forrester/2017/09/08/equifax-does-more-than-credit-scores/#48ad605219d8

O’Brien, S. (2017, Sept 8). Equifax response to data breach leaves many consumers confused. Retrieved from https://www.cnbc.com/2017/09/08/equifax-response-to-data-breach-leaves-many-consumers-confused.html
