DOCSLIB.ORG

How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach United States Senate PERMANENT SUBCOMMITTEE ON INVESTIGATIONS Committee on Homeland Security and Governmental Affairs Rob Portman, Chairman Tom Carper, Ranking Member HOW EQUIFAX NEGLECTED CYBERSECURITY AND SUFFERED A DEVASTATING DATA BREACH STAFF REPORT PERMANENT SUBCOMMITTEE ON INVESTIGATIONS UNITED STATES SENATE HOW EQUIFAX NEGLECTED CYBERSECURITY AND SUFFERED A DEVASTATING DATA BREACH TABLE OF CONTENTS EXECUTIVE SUMMARY ......................................................................................................... 1 The Subcommittee’s Investigation ..................................................................................... 6 Findings of Fact and Recommendations ........................................................................... 6 I. BACKGROUND ............................................................................................................ 12 A. Consumer Reporting Agencies ................................................................................ 14 1. Equifax ......................................................................................................................... 15 2. Experian ....................................................................................................................... 15 3. TransUnion ................................................................................................................. 16 B. Federal Regulation of Consumer Reporting Agencies ....................................... 16 C. The Federal Government’s Role in Sharing Information on Cybersecurity Threats .............................................................................................. 18 D. Data Breach Notification Standards ..................................................................... 20 II. EQUIFAX WAS AWARE OF CYBERSECURITY WEAKNESSES FOR YEARS............................................................................................................................. 21 A. Equifax Learned of Significant Cybersecurity Deficiencies in 2015 .............. 21 1. Purpose of the Audit .................................................................................................. 21 2. The Audit Highlighted a Backlog of over 8,500 Vulnerabilities with Overdue Patches ........................................................................................................ 22 3. Key Audit Findings Demonstrate Equifax’s Ineffective Patch and Configuration Management .................................................................................... 23 a. Equifax Did Not Follow Its Own Schedule for Remediating Vulnerabilities ......................................................................................................... 24 b. Equifax Lacked a Comprehensive IT Asset Inventory................................... 25 c. Equifax Had a Reactive Patching Process ........................................................ 25 d. Equifax Used an “Honor System” for Patching ............................................... 26 e. Equifax Did Not Consider the Criticality of IT Assets When Patching ..... 27 4. Equifax Conducted No Follow-Up Audits After the 2015 Audit ..................... 28 B. Patching Issues Remained Leading up to the Breach in 2017 ........................ 29 1. Equifax’s Scan Process Was Global; Patch Management Was Regional ...... 29 2. It Was Unclear Whether IT Was Following Patch Management and Vulnerability Management Procedures ................................................................ 30 3. Equifax Needed a New Scanning Tool .................................................................. 30 III. EQUIFAX’S RESPONSE TO THE VULNERABILITY THAT FACILITATED THE BREACH WAS INADEQUATE AND HAMPERED BY ITS NEGLECT OF CYBERSECURITY .......................................................................... 31 A. The Tools Necessary to Exploit the March 2017 Apache Struts Vulnerability Were Publicly Available and Easy to Use .................................. 33 B. Equifax Did Not Follow Its Patch Management Policy When Responding to the Apache Struts Vulnerability ................................................. 35 1. Equifax’s Patch Management Policy Required the IT Department to Patch Critical Vulnerabilities Within 48 Hours ................................................. 35 2. Equifax Did Not Patch the Apache Struts Vulnerability Until August 2017 ................................................................................................................ 37 C. Equifax Held Monthly Meetings to Discuss Threats and Vulnerabilities, but Follow-Up Was Limited and Key Senior Managers Did Not Attend ..... 37 1. Equifax Highlighted the Apache Struts Vulnerability in Its March GTVM Meeting ........................................................................................................... 38 2. Prior to the Breach, Senior Managers from Equifax Security Teams Did Not Regularly Participate in These Monthly Meetings .................................... 39 D. The Equifax Employee Who Was Aware of Equifax’s Use of Apache Struts Software Was Not on the Relevant Email Distribution List .............. 40 E. Equifax Scanned Its Systems and Servers for the Vulnerable Versions of Apache Struts and Found No Vulnerability ........................................................ 41 F. Expired SSL Certificates Delayed Equifax’s Ability to Detect the Breach for Months ................................................................................................................... 43 G. Once Inside Equifax’s Online Dispute Portal, the Hackers Accessed Other Equifax Databases......................................................................................... 45 H. Equifax Waited Six Weeks to Inform the Public of the Breach....................... 46 1. Some Companies Have Disclosed Data Breaches Days After Discovering Them ...................................................................................................... 48 2. Other Companies Made Public Disclosure Years Later or Simply Declined to Notify ....................................................................................................................... 50 I. Several Current and Former Senior Equifax Employees Believe Equifax Acted Appropriately in Responding to the Apache Struts Vulnerability ..... 51 IV. EQUIFAX’S LARGEST COMPETITORS, TRANSUNION AND EXPERIAN, WERE ABLE TO QUICKLY IDENTIFY WHERE THEY WERE RUNNING VULNERABLE VERSIONS OF APACHE STRUTS AND PROACTIVELY BEGAN PATCHING .................................................................................................... 55 A. CRAs Had Different Timelines for Patch Management .................................... 55 1. TransUnion ................................................................................................................. 55 2. Experian ....................................................................................................................... 56 B. CRAs Generally Performed Vulnerability Scans on a Regular Basis ............ 57 1. TransUnion ................................................................................................................. 57 2. Experian ....................................................................................................................... 58 C. Other CRAs Maintained an IT Asset Inventory ................................................. 58 1. TransUnion ................................................................................................................. 58 2. Experian ....................................................................................................................... 58 D. CRAs Lacked Written Policies for Tracking the Validity of SSL Certificates .................................................................................................................. 59 1. TransUnion ................................................................................................................. 59 2. Experian ....................................................................................................................... 59 E. Equifax’s Two Largest Competitors, TransUnion and Experian, Avoided a Cybersecurity Breach ............................................................................................ 60 1. TransUnion ................................................................................................................. 60 2. Experian ....................................................................................................................... 61 V. EQUIFAX FAILED TO PRESERVE A COMPLETE RECORD OF EVENTS SURROUNDING THE BREACH ........................................................... 62 A. Equifax’s Document Retention Policy ................................................................... 63 1. Equifax’s Document Retention Schedule.............................................................. 63 2. Equifax’s Legal Hold Policy ..................................................................................... 64 B. Equifax’s Use of Lync ................................................................................................ 65 C. Equifax Employees Used Lync to Discuss Business Matters, Including Events Surrounding the 2017 Data Breach ........................................................ 65 HOW EQUIFAX NEGLECTED CYBERSECURITY AND SUFFERED A DEVASTATING DATA BREACH EXECUTIVE SUMMARY The effects of data breaches are often long-lasting and challenging to reverse.
Load more

Recommended publications
  • UNITED STATES DISTRICT COURT NORTHERN DISTRICT of GEORGIA ATLANTA DIVISION in Re
    Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 1 of 7 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION MDL Docket No. 2800 In re: Equifax Inc. Customer No. 1:17-md-2800-TWT Data Security Breach Litigation CONSUMER ACTIONS Chief Judge Thomas W. Thrash, Jr. PLAINTIFFS’ MOTION TO DIRECT NOTICE OF PROPOSED SETTLEMENT TO THE CLASS Plaintiffs move for entry of an order directing notice of the proposed class action settlement the parties to this action have reached and scheduling a hearing to approve final approval of the settlement. Plaintiffs are simultaneously filing a supporting memorandum of law and its accompanying exhibits, which include the Settlement Agreement. For the reasons set forth in that memorandum, Plaintiffs respectfully request grant the Court enter the proposed order that is attached as an exhibit to this motion. The proposed order has been approved by both Plaintiffs and Defendants. For ease of reference, the capitalized terms in this motion and the accompanying memorandum have the meaning set forth in the Settlement Agreement. Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 2 of 7 Respectfully submitted this 22nd day of July, 2019. /s/ Kenneth S. Canfield Kenneth S. Canfield Ga Bar No. 107744 DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree Street, N.E. Suite 1725 Atlanta, Georgia 30309 Tel. 404.881.8900 [email protected] /s/ Amy E. Keller Amy E. Keller DICELLO LEVITT GUTZLER LLC Ten North Dearborn Street Eleventh Floor Chicago, Illinois 60602 Tel. 312.214.7900 [email protected] /s/ Norman E.
    [Show full text]
  • GEORGIA – COSTA RICA Economic Development Connection
    GEORGIA – COSTA RICA Economic Development Connection Government & Commerce The University System of Georgia offers at least 35 study abroad programs to Costa Rica Atlanta is home to the Consulate General of the including programs in art, culture, education, Republic of Costa Rica. Ms. Joanne Leigh Noriega medicine, ecology, biology and creative writing. serves as Consul General. The Consulate serves According to the 2012 U.S. Census Bureau, there the states of Alabama, Georgia, Kentucky, North are more than 3,100 residents in Georgia with Carolina, South Carolina and Tennessee. Costa Rican heritage. The Georgia Institute of Technology created the Costa Rica Trade, Innovation and Productivity Trade Relationship (TIP) Center through a partnership among Georgia Tech, the Foreign Trade Corporation of EXPORTS: In 2013, Georgia exports to Costa Rica Costa Rica and the Chamber of Industries in Costa totaled $150 million a .93% increase from 2012. th Rica. The center focuses on utilizing research, Costa Rica is currently the 50 largest export innovation and education to increase trade across market for Georgia. borders and make existing trade more productive Top exports from Georgia to Costa Rica include to benefit the Costa Rican economy and scientific kraft paper, automatic data processing machines, community. The focus is currently on digital refrigerators and freezers, electric water heaters, services and food products. civilian aircraft, engines and parts and wood The University of Georgia has a 160 acre satellite pulp. campus in San Luis de Monteverde, Costa Rica, Georgia leads the nation in the export of the where it offers classes in a variety of fields ranging following goods to Costa Rica: paper and from ecology to business.
    [Show full text]
  • In Re Equifax Inc. Securities Litigation 17-CV-03463-Consolidated Class
    Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 1 of 198 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION IN RE EQUIFAX INC. SECURITIES Consolidated Case No. LITIGATION 1:17-cv-03463-TWT CONSOLIDATED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 2 of 198 TABLE OF CONTENTS Page I. PRELIMINARY STATEMENT .....................................................................2 II. PARTIES .......................................................................................................10 A. Lead Plaintiff ...................................................................................... 10 B. Defendants .......................................................................................... 10 1. Equifax, Inc. ............................................................................. 10 2. Individual Defendants .............................................................. 12 III. JURISDICTION AND VENUE ....................................................................13 IV. SUMMARY OF THE FRAUD .....................................................................13 A. Equifax’s Business is to Collect and Sell Sensitive Personal Information About Global Consumers ............................................... 13 B. Defendants Knew that Securing the Information Equifax Collected Was Critical to the Company’s Business ........................... 16 C. Defendants Issue Statements Touting Cybersecurity, Compliance with
    [Show full text]
  • THE PROTECTIVE STATE the PLANT FLOOR? the Evolving Role of Governments in Cybersecurity
    BROUGHT TO YOU BY THE VISIONEXPERTISE DELIVERED STRAIGHT FROM THE FRONTLINES OF CYBER ATTACKS PAGE 3 STATE OF THE NATIONS A global look at the rise in State sponsered cyber attacks in 2018 PAGE 4 A FINANCIAL STRONGHOLD How one bank is winning the war on cyber crime PAGE 6 WHAT ABOUT THE PROTECTIVE STATE THE PLANT FLOOR? The evolving role of Governments in cybersecurity different threats. With cybersecurity vital to a governments are not even the primary security POLITICAL properly functioning and prosperous economy, provider, such as when they don’t provide it is critical that governments take the lead, and close supervision of, or operational control The role of governments as their that this is recognized by its citizens. over, critical infrastructures operated by the nations’ primary provider of private sector. security against all threats is as So far, the 21st century has seen continued compelling as ever. Yet few still wide scale deregulation and privatisation, This changing global landscape shouldn’t Our six subversive concerns for with many nations’ critical infrastructure – in mean a lesser responsibility for governments industrial environments have difficulty in grasping the rapid increase in interconnectedness and sectors such as energy, transport, finance as legitimate providers of security, but rather and medicine – now in the hands of the that they should work to understand the interdependency to determine how private sector. These sectors are constantly changing world and their role within this new best to use a Regulate, Facilitate, under threat, not least because of increased environment of increasing interconnectedness. PAGE 8 FOLLOW Collaborate (RFC) model for the THE MONEY globalisation of societies and economies.
    [Show full text]
  • Sample Debt Validation Letter (Send Via Certified Mail, Return Receipt Requested)
    Sample Debt Validation Letter (Send via certified mail, return receipt requested) Date: Your Name Your Address Your City, State, Zip Collection Agency Name Collection Agency Address Collection Agency City, State, Zip RE: Account # (Fill in Account Number) To Whom It May Concern: Be advised this is not a refusal to pay, but a notice that your claim is disputed and validation is requested. Under the Fair Debt collection Practices Act (FDCPA), I have the right to request validation of the debt you say I owe you. I am requesting proof that I am indeed the party you are asking to pay this debt, and there is some contractual obligation that is binding on me to pay this debt. This is NOT a request for “verification” or proof of my mailing address, but a request for VALIDATION made pursuant to 15 USC 1692g Sec. 809 (b) of the FDCPA. I respectfully request that your offices provide me with competent evidence that I have any legal obligation to pay you. At this time I will also inform you that if your offices have or continue to report invalidated information to any of the three major credit bureaus (Equifax, Experian, Trans Union), this action might constitute fraud under both federal and state laws. Due to this fact, if any negative mark is found or continues to report on any of my credit reports by your company or the company you represent, I will not hesitate in bringing legal action against you and your client for the following: Violation of the Fair Debt Collection Practices Act and Defamation of Character.
    [Show full text]
  • View Final Report (PDF)
    TABLE OF CONTENTS TABLE OF CONTENTS I EXECUTIVE SUMMARY III INTRODUCTION 1 GENESIS OF THE PROJECT 1 RESEARCH QUESTIONS 1 INDUSTRY SITUATION 2 METHODOLOGY 3 GENERAL COMMENTS ON INTERVIEWS 5 APT1 (CHINA) 6 SUMMARY 7 THE GROUP 7 TIMELINE 7 TYPOLOGY OF ATTACKS 9 DISCLOSURE EVENTS 9 APT10 (CHINA) 13 INTRODUCTION 14 THE GROUP 14 TIMELINE 15 TYPOLOGY OF ATTACKS 16 DISCLOSURE EVENTS 18 COBALT (CRIMINAL GROUP) 22 INTRODUCTION 23 THE GROUP 23 TIMELINE 25 TYPOLOGY OF ATTACKS 27 DISCLOSURE EVENTS 30 APT33 (IRAN) 33 INTRODUCTION 34 THE GROUP 34 TIMELINE 35 TYPOLOGY OF ATTACKS 37 DISCLOSURE EVENTS 38 APT34 (IRAN) 41 INTRODUCTION 42 THE GROUP 42 SIPA Capstone 2020 i The Impact of Information Disclosures on APT Operations TIMELINE 43 TYPOLOGY OF ATTACKS 44 DISCLOSURE EVENTS 48 APT38 (NORTH KOREA) 52 INTRODUCTION 53 THE GROUP 53 TIMELINE 55 TYPOLOGY OF ATTACKS 59 DISCLOSURE EVENTS 61 APT28 (RUSSIA) 65 INTRODUCTION 66 THE GROUP 66 TIMELINE 66 TYPOLOGY OF ATTACKS 69 DISCLOSURE EVENTS 71 APT29 (RUSSIA) 74 INTRODUCTION 75 THE GROUP 75 TIMELINE 76 TYPOLOGY OF ATTACKS 79 DISCLOSURE EVENTS 81 COMPARISON AND ANALYSIS 84 DIFFERENCES BETWEEN ACTOR RESPONSE 84 CONTRIBUTING FACTORS TO SIMILARITIES AND DIFFERENCES 86 MEASURING THE SUCCESS OF DISCLOSURES 90 IMPLICATIONS OF OUR RESEARCH 92 FOR PERSISTENT ENGAGEMENT AND FORWARD DEFENSE 92 FOR PRIVATE CYBERSECURITY VENDORS 96 FOR THE FINANCIAL SECTOR 96 ROOM FOR FURTHER RESEARCH 97 ACKNOWLEDGEMENTS 98 ABOUT THE TEAM 99 SIPA Capstone 2020 ii The Impact of Information Disclosures on APT Operations EXECUTIVE SUMMARY This project was completed to fulfill the including the scope of the disclosure and capstone requirement for Columbia Uni- the disclosing actor.
    [Show full text]
  • APT28: a Window Into Russia's Cyber Espionage Operations? | Fireeye
    SPECIAL REPORT APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? SECURITY REIMAGINED APT 28: A Window into Russia’s Cyber Espionage Operations? CONTENTS EXECUTIVE SUMMARY ................................................................................................................................................................................................................................................................................... 3 APT28 TARGETING REFLECTS RUSSIAN INTERESTS ........................................................................................................................................................................ 6 APT28 interest in the Caucasus, Particularly Georgia ........................................................................................................................................................... 7 APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA) ....................................................................................... 8 APT28 Targeting of the Georgian Ministry of Defense ....................................................................................................................................... 9 APT28 Targeting a Journalist Covering the Caucasus ...................................................................................................................................... 10 APT28’s Other Targets in the Caucasus ......................................................................................................................................................................................
    [Show full text]
  • Cyber Evolution: En Route to Strengthening Resilience in Asia-Pacific 3
    En Route to Strengthening CYBER Resilience in Asia-Pacific EVOLUTION WHITE PAPER 2 WHITE PAPER CONTENTS Executive Summary 3 The shifting cyber threat landscape across Asia-Pacific 4 Recent cyber trends in Asia-Pacific 8 Key drivers of cyber challenges in Asia-Pacific 18 Asia-Pacific’s evolving regulatory climate 20 How companies can build cyber resilience 22 A call to action 24 AUTHORS Jaclyn Yeo Rob van der Ende Senior Research Analyst Vice President, Asia Pacific & Japan MMC Asia Pacific Risk Center Mandiant, a FireEye Company [email protected] [email protected] CONTRIBUTORS FireEye Marsh & McLennan Companies Bryce Boland Matthew McCabe, Marsh, US Vivek Chudgar Stephen R Vina, Marsh, US Patty Hullinger Richard D Green, Marsh, Asia Patrick Neighorn Douglas Ure, Marsh Risk Consulting, Asia Tony Sapienza Kelly Butler, Marsh, Australia Lynn Thorne Leslie Chacko, MMC Global Risk Center Timothy Wellsmore Wolfram Hedrich, MMC Asia Pacific Risk Center CYBER EVOLUTION: EN ROUTE TO STRENGTHENING RESILIENCE IN ASIA-PACIFIC 3 Knowing no boundaries, cyber incidents or data fraud and thefts that originate from North America or the European continent quickly impact APAC. Executive Summary The cyber threat landscape is morphing Cyber challenges in APAC, such as low constantly and dramatically. Around the world, cybersecurity investments and long dwell times, cyber dependency grows as increasing digital can be attributed to the complex geopolitical interconnection among people, things, and tensions, exposed critical infrastructure, and organizations expand. Asia-Pacific (APAC) is the severe shortage of cybersecurity talents in no different. the region. Knowing no boundaries, cyber incidents or data Fortunately, the regulatory climate in APAC is fraud and thefts that originate from North changing – slowly but surely.
    [Show full text]
  • Hacks, Leaks and Disruptions | Russian Cyber Strategies
    CHAILLOT PAPER Nº 148 — October 2018 Hacks, leaks and disruptions Russian cyber strategies EDITED BY Nicu Popescu and Stanislav Secrieru WITH CONTRIBUTIONS FROM Siim Alatalu, Irina Borogan, Elena Chernenko, Sven Herpig, Oscar Jonsson, Xymena Kurowska, Jarno Limnell, Patryk Pawlak, Piret Pernik, Thomas Reinhold, Anatoly Reshetnikov, Andrei Soldatov and Jean-Baptiste Jeangène Vilmer Chaillot Papers HACKS, LEAKS AND DISRUPTIONS RUSSIAN CYBER STRATEGIES Edited by Nicu Popescu and Stanislav Secrieru CHAILLOT PAPERS October 2018 148 Disclaimer The views expressed in this Chaillot Paper are solely those of the authors and do not necessarily reflect the views of the Institute or of the European Union. European Union Institute for Security Studies Paris Director: Gustav Lindstrom © EU Institute for Security Studies, 2018. Reproduction is authorised, provided prior permission is sought from the Institute and the source is acknowledged, save where otherwise stated. Contents Executive summary 5 Introduction: Russia’s cyber prowess – where, how and what for? 9 Nicu Popescu and Stanislav Secrieru Russia’s cyber posture Russia’s approach to cyber: the best defence is a good offence 15 1 Andrei Soldatov and Irina Borogan Russia’s trolling complex at home and abroad 25 2 Xymena Kurowska and Anatoly Reshetnikov Spotting the bear: credible attribution and Russian 3 operations in cyberspace 33 Sven Herpig and Thomas Reinhold Russia’s cyber diplomacy 43 4 Elena Chernenko Case studies of Russian cyberattacks The early days of cyberattacks: 5 the cases of Estonia,
    [Show full text]
  • Threat Report the State of Influence Operations 2017-2020
    May 2021 Threat Report The State of Influence Operations 2017-2020 The State of Influence Operations 2017-2020 2 TABLE OF CONTENTS Executive Summary 3 Introduction 9 Section 1: Defining IO 11 Section 2: The State of IO, 2017- 2020 15 Threat actors 15 Trends in IO 19 Section 3: Targeting the US Ahead of the 2020 Election 28 Section 4: Countering IO 34 Combination of automation and investigations 34 Product innovation and adversarial design 36 Partnerships with industry, government and civil society 38 Building deterrence 39 Section 5: Conclusion 41 Appendix: List of CIB Disruptions, 2017-May 2021 44 Authors 45 The State of Influence Operations 2017-2020 3 Executive Summary Over the past four years, industry, government and civil society have worked to build our collective response to influence operations (“IO”), which we define as “c oordinated efforts to manipulate or corrupt public debate for a strategic goal.” The security teams at Facebook have developed policies, automated detection tools, and enforcement frameworks to tackle deceptive actors — both foreign and domestic. Working with our industry peers, we’ve made progress against IO by making it less effective and by disrupting more campaigns early, before they could build an audience. These efforts have pressed threat actors to shift their tactics. They have — often without success — moved away from the major platforms and increased their operational security to stay under the radar. Historically, influence operations have manifested in different forms: from covert campaigns that rely on fake identities to overt, state-controlled media efforts that use authentic and influential voices to promote messages that may or may not be false.
    [Show full text]
  • Onboard Analysis Workbook 2019.Xlsx
    sort ranking Revenues legal name 1 The Home Depot, Inc. F500 & Top 50 108203 2 United Parcel Service, Inc. F500 & Top 50 71861 3 Delta Air Lines, Inc. F500 & Top 50 44438 4 The Coca-Cola Company F500 & Top 50 31856 5 The Southern Company F500 & Top 50 23495 6 Aflac Incorporated F500 & Top 50 21758 7 Genuine Parts Company F500 & Top 50 18735 8 WestRock Company F500 & Top 50 16285.1 9 SunTrust Banks, Inc. F500 & Top 50 10431 10 Pultegroup, Inc. F500 & Top 50 10188.331 11 Mohawk Industries, Inc. F500 & Top 50 9983.6 12 AGCO Corporation 1 F500 & Top 50 9352 3 Veritiv Corporation F500 & Top 50 8696.2 14 Asbury Automotive Group, Inc. F500 & Top 50 6874.4 15 NCR Corporation F500 & Top 50 6405 16 Intercontinental Exchange, Inc. F500 & Top 50 6276 17 HD Supply Holdings, Inc. F500 & Top 50 6047 18 Graphic Packaging Holding Com F500 & Top 50 6023 19 Invesco Ltd. Top 50 5314.1 20 Total System Services, Inc. Top 50 4028 21 Flowers Foods, Inc. Top 50 3951.852 22 Aaron's, Inc. Top 50 3828.9 23 Acuity Brands, Inc. Top 50 3680.1 24 Carter's, Inc. Top 50 3462.3 25 Equifax Inc. Top 50 3412.1 26 Global Payments Inc. Top 50 3366.366 27 GMS Inc. Top 50 3116 28 BlueLinx Holdings Inc. Top 50 2862.85 29 FleetCor Technologies, Inc. Top 50 2433.492 30 SiteOne Landscape Supply, Inc. Top 50 2112.3 31 Beazer Homes USA, Inc. Top 50 2107 32 Primerica, Inc.
    [Show full text]
  • Equifax: Anatomy of a Security Breach Ashton Glenn Georgia Southern University
    Georgia Southern University Digital Commons@Georgia Southern University Honors Program Theses 2018 Equifax: Anatomy of a Security Breach Ashton Glenn Georgia Southern University Follow this and additional works at: https://digitalcommons.georgiasouthern.edu/honors-theses Part of the Accounting Commons Recommended Citation Glenn, Ashton, "Equifax: Anatomy of a Security Breach" (2018). University Honors Program Theses. 378. https://digitalcommons.georgiasouthern.edu/honors-theses/378 This thesis (open access) is brought to you for free and open access by Digital Commons@Georgia Southern. It has been accepted for inclusion in University Honors Program Theses by an authorized administrator of Digital Commons@Georgia Southern. For more information, please contact [email protected]. Equifax: Anatomy of a Security Breach An Honors Thesis submitted in partial fulfillment of the requirements for Honors in the College of Business Administration, School of Accountancy. By Ashton Glenn Under the mentorship of Dr. Thomas Buckhoff ABSTRACT The infamous 2017 Equifax breach not only compromised millions of citizens’ data, but the breach also left Equifax vulnerable to lawsuits that claim the company acted negligently. This thesis analyzes the events and facts behind the incident to determine the probable outcome of the main case against Equifax. A claim of a breach can come from either Equifax’s data protection or breach response. This thesis concludes the results of the case depends on the final court to determine if Equifax acted negligently with its data protection. If the case ends in the Eleventh District Court of Appeals, the court will probably decide Equifax was negligent. If the case ends in the Supreme Court, the Court will probably decide Equifax was not negligent.
    [Show full text]