Case Study


The Equifax Incident
This paper centers on the Equifax incident of 2017. Here is an excerpt:
“On September 7, 2017, US credit reporting company Equifax publicly announced that it had been the target of a cyberattack and that the personal information of over 145 million customers – including Social Security Numbers, driver’s license numbers, email addresses, and credit card numbers – had been stolen. The announcement sparked a massive backlash, as consumers and public officials questioned how a company that managed sensitive personal information for over 800 million individuals could have allowed such a breach to happen. It became apparent that Equifax had been criticized for a lack of cybersecurity preparedness.
The case discusses the events leading up to the massive data breach at Equifax, one of the three U.S. credit reporting companies, the organizational and governance issues that contributed to the breach, and the consequences of the breach. The case supplement provides details of how Equifax recovered from the breach and changes the company made. On September 7, 2017, Equifax announced that the personal information of over 140 million consumers had been stolen from its network in a catastrophic data breach, including people’s Social Security numbers, driver’s license numbers, email addresses, and credit card information. The announcement sparked a massive backlash, as consumers and public officials questioned how a company that managed sensitive personal information about over 800 million individuals could have such insufficient security measures. It came to light that Equifax had been aware of critical faults in its cybersecurity infrastructure, policies, and procedures for years but had failed to address them. Equifax’s public response also received criticism. CEO Richard Smith and numerous other executives resigned, and Equifax was left facing dozens of lawsuits, government investigations, and the potential for new regulation.”1
1 Srinivasan, Suraj, Quinn Pitcher, and Jonah S. Goldberg (2017, revised 2019). “Data Breach at Equifax.” Harvard Business School Case 118-031.
Overview
Read the Equifax Case Study. Given your knowledge of the Equifax case, develop a risk scenario accounting for threat agent, threat, vulnerability, and possible event characteristics, such as possible time, location, and other circumstances. Feel free to make up additional data if you choose, but ensure you have already exhausted information from the Equifax case. Ensure your paper addresses the following questions:
Who are the stakeholders affected by this risk scenario?
What approach did you use to develop the scenario, top-down or bottom-up? Choose only one and justify your choice.
Which of the following did your scenario address: asset, process, or organizational structure? You can address one, two, or all of them.
Evaluate and categorize risk with respect to technology, with respect to individuals, and in the enterprise, and recommend appropriate responses. [NSA SRA 3]
Your paper must be APA-formatted, 1200 to 1500 words, double-spaced, 12-point font size in Times New Roman.
Action Items
Read the case study Data Breach at Equifax.
Write your paper according to the directions in the overview.
Read the paper rubric to understand how your work will be assessed.
This assignment is also used to assess a Cybersecurity Program Learning Outcome (PLO) through the rubric. The PLO assessment will appear as a separate row within the rubric; it will not contribute points to the paper.
For your information, the following PLO is being assessed:
PLO 3: Employ quantitative and qualitative means to analyze risk in information systems.