Equifax Data Breach: Analysis of Finance, Governance, and Control


Added on  2023/05/30

AI Summary
This report provides an in-depth analysis of the Equifax data breach, examining its implications for corporate finance, corporate governance, and risk management. It explores the company's business operations, including consumer and business solutions, credit scores, and data storage. The report delves into the nature of the breach, the stolen data, and the company's response, including delayed public notification and executive stock sales. It assesses the impact on capital investments, governance, and control, highlighting the role of the board of directors and the importance of effective patching and risk management. The analysis also considers the company's ESG rating, the decline in stock value, and the strategies implemented to address the issue, such as hiring a chief information security officer and investing in security infrastructure. The report concludes with a discussion on the loss of consumer trust and the challenges faced by Equifax in the aftermath of the breach.
Introduction
Equifax Inc. is one of the top credit bureaus and a leading global provider of consumer and
business solutions (Schaefer, Labude and Nasir, 2018). It brings buyers and sellers together
through management of information, customer relationship management, transactions and direct
marketing, and transaction processing. Equifax has diversified customers and clients, that is,
individuals, financial institutions, governments and corporations. The company provides credit
scores to consumers, risk analysis to clients, and credit histories (Jeffery and Arnold, 2014).
The company’s products and services draw on databases which contain business and consumer
information. The information is derived from public records and from marketing, credit,
demographic, and financial data. This in turn supports customized insights, services
processing, and decision-making solutions for businesses. It offers human resources services and
provides outsourced payroll. It helps consumers make informed financial decisions by helping
them understand and protect their personal information (Schaefer, Labude and Nasir, 2018).
Although the company operates around the world, most of its business is in the US.
Corporate finance deals with the financing and investment decisions of a company (Fracassi, 2016).
It focuses on increasing shareholder value through financial planning and the implementation of
strategies, which can be long-term or short-term (Fracassi, 2016). Activities of corporate
finance include capital investment decisions and investment banking. The capital investment
decision process deals with capital budgeting. This helps the company identify capital costs,
estimate the cash flows of proposed capital projects, and compare planned investments with
possible income while deciding which schemes best suit the capital budget. Capital investment is
the most crucial task in corporate finance and at the same time can have major implications for
the business (Fracassi, 2016). Poor capital budgeting affects the financial position of the
company, either through excess financing costs or through an under-funded operating capacity.
After Equifax’s 2017 data breach, many were angered to learn that the company had known about it
earlier but was slow to let the public know (Zou and Schaub, 2018). The failure to notify them
earlier compromised the personal information of many, which damaged public trust in the company
and in turn made its stock price tumble. After the attack it is not clear whether the company
will recover or continue to suffer with its stakeholders. Equifax’s breach teaches an important
lesson on keeping personal information safe (Moore, 2014). The investment index company MSCI gave
Equifax the lowest possible environmental, social and corporate governance (ESG) rating in July
2017. MSCI pointed out that the company faces a high risk of data theft and associated
reputational consequences (Gressin, 2017). ESG ratings give investors another reference point and
help them understand the company. MSCI applies a scale that ranges from AAA to CCC. Companies
with AAA ratings are leaders on ESG issues, while companies with B or CCC ratings are considered
laggards, as in the case of Equifax. A low ESG rating shows areas of weakness relative to other
companies. A report from AQR Capital Management found that stocks with poor ESG ratings may
experience higher volatility or risk than stocks with strong ESG ratings. Mishandling of people’s
personal data can greatly affect privacy and financial well-being (Berghel, 2017). ESG funds
still hold Equifax shares. Maintaining a socially responsible portfolio is a priority when it
comes to investment. Investors pay attention to ESG ratings. Equifax’s stock dropped by 31% in
2017 after the breach. The company’s market capitalization went down.
Corporate governance refers to the rules, practices and policies by which a firm is controlled
and operates (Tricker and Tricker, 2015). It involves balancing the needs and interests of the
different stakeholders in a company: customers, financiers, suppliers, shareholders, government,
the community and management. A company’s governance focuses on its objectives, management, the
structure of its plans, the rate of performance, internal controls and corporate exposures
(Tricker and Tricker, 2015). Governance dictates corporate behavior. A company’s board of
directors is important when it comes to governance. Its members are primary stakeholders and
greatly influence governance. Good governance establishes a transparent set of rules and controls
under which directors, shareholders and officers have aligned incentives (Filatotchev and
Nakajima, 2014). Every company works to achieve the best corporate governance. Sound corporate
governance, environmental awareness and ethical behavior bring about good corporate citizenship
(Tricker and Tricker, 2015).
Governance and control at Equifax Inc. are directed by the Board of Directors, which serves the
interests of shareholders in managing and growing a successful business and increasing long-term
financial returns (Filatotchev and Nakajima, 2014). The board ensures the company achieves these
results. It ensures management carries out its responsibilities irrespective of the challenges
facing the company. Equifax’s board is responsible for overseeing how effective management’s
policies and decisions are and how its strategies are executed (Filatotchev and Nakajima, 2014).
Equifax, as a credit reporting agency, provides consumers with credit information regarding
businesses while selling products and services to them (Schaefer, Labude and Nasir, 2018). Many
businesses, including banks, retailers, and insurance firms, rely on Equifax for information when
issuing credit cards and running credit checks for customer loans. As a result, the company holds
millions of profiles of people worldwide (Schaefer, Labude and Nasir, 2018). This made it a
target for hackers, since Social Security numbers and PII are used by perpetrators to commit
theft and fraud.
Nature of the issue facing Equifax
In 2017 the company was breached several times, with the latest on September 29th (Gressin,
2017). Hackers stole the Social Security numbers, names, driver’s licenses, birth dates,
addresses and numbers of 143 million consumers (Berghel, 2017). They also compromised 209,000
credit card numbers stored by the company for credit services. In May of the same year, hackers
targeted the company’s TALX payroll division, which offers online tax, HR and payroll services.
They gained access to employee data (Gressin, 2017). The company was hacked again two months
later, on a large scale. In March, the hackers used a crafted HTTP header to remotely execute
commands on the company’s Apache Struts installation (Luszcz, 2018). The company also left the
website vulnerability, which had been deemed critical, unpatched for more than two months; this
gave the hackers more room. This was critical for an organization that keeps sensitive data.
Strategy for dealing with breach
Many businesses have tried to implement patching best practices. However, many organizations have
not implemented an automated patching solution and instead rely on manual processes that are slow
and highly prone to error. Many organizations also set a patching schedule ranging from one week
to one month for critical vulnerabilities (Privette, Carlton and Kelly-Kilgore, 2014). Lack of
effective patching exposes an organization to severe risk of attack, like the one against Apache
Struts at Equifax (Luszcz, 2018). The risk could have been avoided if the company had run an
efficient patching program. Many people used the media to criticize Equifax for its poor response
to the incident (Zou and Schaub, 2018). The company had discovered the breach on 29th of July,
2017 but alerted the public on September 7th. The affected customers should have been notified of
the breach as soon as possible through electronic means, mail, or telephone (Pereira, 2014).
After the discovery of the breach, three top executives of the company sold around $2 million of
their Equifax stock. They later claimed they were unaware of the incident at the time they sold
their shares. The FBI and SEC are now investigating the three executives for possible violation
of trade laws (Moore, 2014).
To protect its customers, Equifax set up a website to enable them to check whether they had been
affected (Moore, 2014). To do this, one is required to enter one’s last name and the last six
digits of one’s Social Security number. The company also released a free mobile and desktop
application, Lock and Alert, that enables users to control access to their report. The app is
available to all Equifax users whether affected or not (Pereira, 2014). The tool allows one to
shut off access to the credit report and blocks hackers from opening new accounts in one’s name
(Pereira, 2014). The company also considers freezing of credit reports to prevent thieves from
accessing personal information (Zou, et al, 2018). Security leaders and stakeholders should have
clear and visible roles and responsibilities; there should have been no delays during crisis
management (Privette, Carlton and Kelly-Kilgore, 2014). Risk management and assessment should
have been carried out according to the perceived risk to data. Appropriate scenarios should have
been identified and understood. Regular risk assessment would have identified the company’s risk
exposure. A control assessment should have been done to assess how effective the operational
security controls were, especially those related to patching. The company also made a number of
changes in governance. The roles of chairman and CEO were separated. Two new independent
directors and a new CEO were appointed. The company strengthened its clawback policy and added a
cyber security performance measure to its compensation program.
Nature of the issue facing the company
The company has also tried to explain why top executives sold off their stock days after the
breach and why the company took so long to discover the hacking and inform the public (Jeffery
and Arnold, 2014). Investors and consumers also hit the company hard, while legal and political
powers demanded answers and justice. The Federal Trade Commission and several states opened their
own investigations, while Members of Congress demanded criminal investigations and the company’s
account of what happened (Gressin, 2017).
Strategy of dealing with the issue
The company hired a chief information security officer. The company has also made efforts to
change its corporate and data security methodology. It has also invested $200 million in the
security infrastructure for its data. It aims to improve its patching process. There are also
better detection and response programs in place for new problems in case they arise (Gressin,
2017).
Conclusion
Equifax has faced large breaches which led to the theft of sensitive consumer information and
left millions of Americans’ Social Security numbers compromised. Equifax’s slow response made the
media and clients criticize the company. As a result of the breach the company faced challenges
in capital investments and in governance and control. Many consumers lost trust in the company.
Some of the executives also resigned and sold their shares days after the hack. As a result, the
company came up with ways to counter the damage caused by looking for ways to help the consumers
and the company’s investments.
References
Berghel, H., 2017. Equifax and the Latest Round of Identity Theft Roulette. Computer, (12),
pp.72-76.
Filatotchev, I. and Nakajima, C., 2014. Corporate governance, responsible managerial behavior,
and corporate social responsibility: Organizational efficiency versus organizational
legitimacy?. Academy of Management Perspectives, 28(3), pp.289-306.
Fracassi, C., 2016. Corporate finance policies and social networks. Management Science, 63(8),
pp.2420-2438.
Gressin, S., 2017. The Equifax data breach: What to do. Federal Trade Commission,
Washington, DC.
Jeffery, P. and Arnold, D., 2014. Disrupting banking. Business Strategy Review, 25(3), pp.10-15.
Luszcz, J., 2018. Apache Struts 2: how technical and development gaps caused the Equifax
Breach. Network Security, 2018(1), pp.5-8.
Moore, R., 2014. Cybercrime: Investigating high-technology computer crime. Routledge.
Pereira, S.A., 2014. The impacts of identity theft to its victims and how to prevent future
attacks (Doctoral dissertation, Utica College).
Privette, H.M., Carlton, D.S. and Kelly-Kilgore, S., 2014. SEC Guidance on Cybersecurity
Measures for Public Companies, The. LA Law., 37, p.14.
Schaefer, G.O., Labude, M.K. and Nasir, H.U., 2018. Big Data: Ethical Considerations. In The
Palgrave Handbook of Philosophy and Public Policy (pp. 593-607). Palgrave Macmillan, Cham.
Tricker, R.B. and Tricker, R.I., 2015. Corporate governance: Principles, policies, and practices.
Oxford University Press, USA.
Zou, Y., Mhaidli, A.H., McCall, A. and Schaub, F., 2018, August. I've got nothing to lose:
consumers' risk perceptions and protective actions after the Equifax data breach. In Proceedings
of the Fourteenth USENIX Conference on Usable Privacy and Security (pp. 197-216). USENIX
Association.
Zou, Y. and Schaub, F., 2018, April. Concern But No Action: Consumers' Reactions to the
Equifax Data Breach. In Extended Abstracts of the 2018 CHI Conference on Human Factors in
Computing Systems (p. LBW506). ACM.