Saturday, November 11, 2017

Equifax Breach: Stolen personal data (2017)

Equifax headquarters in Atlanta, Georgia 
On September 15th, 2017, the consumer credit reporting giant Equifax announced to the world a massive cyber-security breach affecting approximately 143 million Americans. It soon came to light that although Equifax reported this breach in September, they had actually been the target of numerous breaches going as far back as May. Despite discovering these breaches internally in late July, Equifax delayed informing the millions of people whose personal information was now vulnerable for nearly 6 weeks.
Founded in 1899 in Atlanta, Georgia, Equifax began as a small credit company which quickly grew over the ensuing decades. Today they are known as one of the 3 largest consumer reporting agencies in the world, servicing hundreds of millions of individuals. As a credit reporting agency, Equifax had collected the personal information of millions of consumers in order to perform credit checks for businesses worldwide. Equifax kept information such as names, birthdays, and even social security information on file in order to make credit checks. However, due to an outside breach caused by hackers, Equifax quickly found itself under public scrutiny for its apparent lack of security and is now facing what may be the largest class-action lawsuit in US history. While Equifax has officially kept quiet as to why they waited so long to inform the public about the breaches, further investigation into the breach has brought some troubling findings to light, only deepening Equifax’s woes.
The underlying cause of the breaches could be traced to a vulnerability in the Equifax software framework that allowed the hackers to access sensitive information. As it turned out, the patch for this vulnerability was released nearly 2 months before the first breach, and had it been applied to the system the breach would not have happened. Despite the patch being readily available, Equifax’s tech employees failed to keep their internal systems up to date. Additionally, since 2015, the company had been lobbying lawmakers to lessen the amount they would have to pay in lawsuits by consumers, which only made the company seem more reckless and inconsiderate about its own actions. In response to complaints, Equifax offered customers a free credit monitoring service for a year and the ability to freeze their credit for free. However, the monitoring service is also owned by Equifax, putting the company in a position to eventually profit from those signing up for the service.
Using some of the most prevalent ethical theories including Individualism, Utilitarianism, Kantianism, and Virtue Theory, this post will look into whether or not Equifax was ethical in their actions following the breach.

Size of the breach compared to recent incidents
Equifax is a large consumer credit reporting agency which collects and reports information on people and businesses worldwide. As such, between shareholders, employees, consumers, and those with their information stored by Equifax, the number of stakeholders around the globe can be estimated to be well over 800 million individuals, with 143 million in the US alone. When the breaches were eventually announced, millions of Americans found themselves at risk of identity theft after learning that their information was potentially stolen. Once it became clear how serious the breaches were, Equifax's stock tumbled nearly 25% to its lowest value in years. As a result, Equifax's quarterly earnings came in lower than expected, making the company's future uncertain. The CEO at the time, Richard Smith, was also forced to resign over the uproar which he failed to contain. However, those who had their information breached are the worst affected, as these people are now at risk of identity theft, putting their entire livelihoods at risk.
Equifax stocks suffered due to the incident
Individualism is the concept of putting a company's profits first so long as the company remains lawful. In the company's own right, they had not broken any clear laws. They had lawfully obtained people's data from companies, banks, lenders, retailers and others in order to use this information to rate how creditworthy a given person or business is. Consumers allow their information to be shared whenever they use these services and agree to their terms, which is how Equifax is able to gather their data. While Equifax took well over a month to announce the breach, they were still within the necessary deadlines to inform consumers of a breach in accordance with US law. Most state laws do not have firm deadlines on how quickly a company needs to inform consumers of a breach, and the shortest amount of time is typically a month. Because Equifax was operating within the law and because most laws on informing consumers are relatively lax, Equifax was partly ethical from an Individualist standpoint. However, the major issue was the hit on Equifax's profits that occurred due to their actions. The company was more than likely going to suffer public backlash due to the leak; however, waiting so long only made matters worse and hurt their previously unremarkable reputation. Because of this, an Individualist would consider Equifax to be unethical.
Utilitarianism is the theory that happiness or pleasure are the only things of intrinsic value. If a company is not actively trying to spread the most good to the maximum number of people by carefully thinking about its actions, then it is not following the utilitarian ethics model. In this case Equifax was responsible for ensuring the maximum amount of happiness for its stakeholders, which include consumers, stockholders, businesses, and employees. As a credit reporting agency, Equifax held the confidential data of millions of people, data which included people's names, social security numbers, birthdays, and even addresses. Due to the sensitivity of the information Equifax kept, the stakes of a breach were huge, as the information could harm consumers if put in the wrong hands. For a Utilitarian, it's crucial to think carefully before any action in order to ensure maximum happiness. By failing to safeguard all of this information and not informing consumers straight away, Equifax actually made its stakeholders extremely upset. A Utilitarian would have seen it as absolutely necessary to ensure the safety of such valuable data and to think carefully of ways to keep it safe. By failing to give consumers peace of mind and to keep them safe from identity theft, Equifax was unethical from a Utilitarian standpoint.

It took nearly 6 weeks for Equifax to inform consumers
Kantianism focuses on acting rationally, respecting the autonomy of others, and being motivated by good will. The Formula for Humanity, a major principle in Kantianism, quite simply states to treat others as you would yourself, always as an end but never as a means. In this way of thought, exploiting others and treating them badly for personal gain is looked down upon. By not having a secure system in place, failing to alert consumers as soon as possible, and having people sign up for another one of their own services, Equifax fails this test. In today's world, private data such as those leaked can cause huge amounts of suffering to those whose information was stolen. Another major principle of Kantianism is giving people adequate resources to make their own rational decisions. Because most people unknowingly provided Equifax with their private information and weren't informed about the breach until months after it happened, a Kantian would be absolutely appalled by Equifax's handling of the matter and the entire data collection model they employ. In no way, shape, or form was Equifax being ethical from a Kantian perspective.
Virtue Theory
Virtue theory covers four virtues: honesty, courage, temperance, and justice. When it came to honesty in coming forward with the breach, Equifax failed miserably. When it was first discovered that there had been a breach, they waited nearly 6 weeks before alerting consumers, when damage could already have been done. Equifax also fails when it comes to courage, as they were likely looking at their own best interests before coming clean about the breach. It sounds simple that if people's information was at risk they should have alerted consumers; however, they chose to wait, as they were likely afraid of the consequences. As for temperance, Equifax didn't seem to have reasonable expectations for the situation either. Coming out sooner would have benefited those affected by the leak, and by waiting so long they would inevitably be hurting themselves and their own credibility. Unsurprisingly, delaying the announcement only made the situation worse and made for a bigger mess for everyone. In terms of justice, Equifax is now looking like the faceless, uncaring company that isn't concerned for people's well-being. They couldn't store private information safely, and as a result the stakeholders are being hurt the most by the situation. By also recommending their own services for credit monitoring, it would appear that they're also trying to help themselves in the fallout, which certainly isn't justice by any means. Therefore, by virtue theory Equifax also wasn't ethical, as they failed to even consider whether their actions were following these simple virtues. Had they kept these virtues in mind in their decision making, it would have made the whole situation much better for everyone.


