WA1. The Equifax Data Breach

Statement

Please read the case study entitled “The Equifax Data Breach” from the chapter 1 of the Business Ethics textbook. Based on what you have learned in this unit, answer the following questions:

  • Which elements of this case might involve issues of legal compliance? Which elements illustrate acting legally but not ethically? What would acting ethically and with personal integrity in this situation look like?
  • How do you think this breach will affect Equifax’s position relative to those of its competitors? How might it affect the future success of the company?
  • Was it sufficient for Equifax to offer online privacy protection to those whose personal information was hacked? What else might it have done?

Answer

This answer starts with a brief overview of the Equifax data breach and then addresses the questions in the statement.

The Equifax data breach is a cyber security incident in which the personal information of consumers was stolen, and it is considered one of the largest data breaches in history. Equifax is one of the largest credit reporting agencies in the United States (Byars & Stanberry, 2022).

Investigations revealed that the attack started in May 2017, that the company discovered it on July 29, 2017, and that it was reported to the public on September 7, 2017. The breach affected 143 million people (more than 40% of the US population; Equifax later revised the figure upward to about 147 million), whose names, social security numbers, birth dates, addresses, and driver's license numbers were stolen. The breach also exposed more than 200,000 credit card numbers (Epic, 2017).

Equifax's response to the incident included applying security updates, setting up a website to provide information to the public, offering free credit monitoring and identity theft protection to the victims, and spending over 1.4 billion dollars on improving its security systems over the following two years. Between the discovery of the breach and its public announcement, several executives sold company shares, anticipating the drop in the stock price that the announcement would cause (Fruhlinger, 2020).

Assessing the company's legal compliance requires looking at whether it followed its own written processes for handling such cases. Fruhlinger (2020) states that the company ran security scans before the breach (although they returned false negatives, that is, they failed to flag the vulnerable system), performed the required reporting and external audits, stayed in direct contact with the relevant government bodies, and responded well to their enquiries. All of these actions indicate that the company was acting legally and was legally compliant. Note, however, that a scan which misses an exploitable weakness shows that compliance activity is evidence of process, not of actual security.

Although the company was acting legally, it did not go the extra mile to act ethically. The company delayed the public announcement, and some top executives took advantage of that window; although selling shares is not in itself illegal, it is unethical to exploit the situation for personal gain. The company's response included a website on a domain that looks like a phishing site, https://www.equifaxsecurity2017.com/, rather than a page under the company's own domain, and its social media accounts mistakenly directed customers to a different website, https://securityequifax2017.com/ (Fruhlinger, 2020). It is legal to use such a domain or to make such a mistake, but it is unethical not to think twice about the confusion this causes for customers who are already in a state of panic, have no way to tell the real site from a fake one, and whose trust in the company is at its lowest.

Acting ethically and with personal integrity in this situation would have meant announcing the breach as soon as it was discovered and facing the consequences alongside every other stakeholder in the company. It would also have meant showing empathy to the victims and trying to reduce their suffering and panic, which in turn requires transparency, honesty, and calmness in the company's communication with the public.

The breach put the company in a weak position relative to its competitors. The company's stock price dropped significantly after the announcement of the breach, and Moody's downgraded the company's financial rating (Fruhlinger, 2020). The company also had to compensate the victims and spend 1.4 billion dollars on improving its security systems. The most significant impact, however, was the loss of trust and the damage to the company's reputation, which at the same time favored the company's competitors.

The breach affected the company's future as well as the entire industry, with more regulations being imposed to protect customers' data. The company spent a significant amount of money on improving its security systems, but it has a history going back more than a century, so although it was hurt, it did not go out of business and is still a major player in the industry.

It was not sufficient for Equifax to offer online privacy protection to those whose personal information was stolen. What happened cannot be undone, but the company needs to do more to assure customers that such a breach will not happen again, by improving its internal processes and accountability programs. The company should apply security updates and patches promptly and follow other best practices; it should run security scans and audits more often and treat clean results with more suspicion, since a scan that returns a false negative is worse than no scan at all because it creates false confidence. The company should also partner with educational bodies to ensure that all employees have up-to-date knowledge and apply it in their work.

To conclude, the Equifax data breach was a significant event in the history of the company and the industry. The company itself acted legally but not ethically, while some executives acted illegally and were charged for it. The breach shook the company and the entire country, but on a positive note, more regulations were imposed to protect customers' data and reduce the likelihood that such a breach will happen again.

References
