Equifax data breach FAQ: What happened, who was affected, what was the impact?

In 2017, attackers exfiltrated hundreds of millions of customer records from the credit reporting agency. Here's a timeline of the security lapses that allowed the breach to happen and the company's response.

Table of Contents
  • How did the Equifax breach happen?
  • When did the Equifax breach happen?
  • What data was compromised and how many people were affected?
  • Who was responsible for the Equifax data breach?
  • How did Equifax handle the breach?
  • What happened to Equifax after the data breach?
  • Was I affected by the Equifax breach?
  • How does the Equifax settlement work?
  • What are the lessons learned from the Equifax breach?

In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.

As we'll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything from its lax security posture to its bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape.

How did the Equifax breach happen?

Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of information.

Most of the discussion in this section and the next one comes from two documents: a detailed report from the U.S. Government Accountability Office (GAO), and an in-depth analysis from Bloomberg Businessweek based on sources within the investigation. A top-level picture of how the Equifax data breach happened looks like this:

  • The company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.
  • The attackers were able to move from the web portal to other servers because the systems weren't adequately segmented from one another, and they were able to find usernames and passwords stored in plain text that then allowed them to access still further systems.
  • The attackers pulled data out of the network in encrypted form, undetected for months, because Equifax had failed to renew a certificate on one of its internal traffic-inspection tools, so the encrypted traffic was never decrypted and examined.
  • Equifax did not publicize the breach until more than a month after it discovered the intrusion; stock sales by top executives around this time gave rise to accusations of insider trading.

To understand how exactly all these crises intersected, let's take a look at how the events unfolded.

When did the Equifax breach happen?

The crisis began in March of 2017. In that month, a vulnerability, tracked as CVE-2017-5638, was disclosed in Apache Struts, an open source framework for building enterprise Java web applications that Equifax, along with thousands of other websites, uses. The flaw was in the framework's multipart (file upload) handling: if attackers sent an HTTP request with a malicious expression tucked into the Content-Type header, Struts could be tricked into evaluating that expression as code, potentially opening up the system Struts was running on to further intrusion. On March 7, the Apache Software Foundation released a patch for the vulnerability; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn't. Equifax's IT department ran a series of scans on March 15 that were supposed to identify unpatched systems; there were in fact multiple vulnerable systems, including the aforementioned web portal, but the scans seem not to have worked, and none of the vulnerable systems were flagged or patched.
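A patch is the only real fix, but a request-log check for the abuse pattern described above is cheap and would have shown Equifax that the portal was being probed. The following is an added example, not code from the article or from Equifax: it flags any Content-Type header that either contains Struts/OGNL expression syntax or is not a syntactically valid media type at all. The request records are constructed, and the `/complaint/upload` path and the source addresses are assumptions.

```python
"""Flag HTTP requests whose Content-Type header carries OGNL expression
syntax, the abuse pattern behind CVE-2017-5638. Added example, not code from
the original article or from Equifax; the request records are constructed."""
import re
from typing import Dict, List

# A legitimate Content-Type is a media type, optionally followed by
# ";"-separated parameters (RFC 7231 section 3.1.1.1). This is a strict check:
# anything that does not fit is treated as malformed and therefore suspicious.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE = re.compile(
    rf"^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=(?:{TOKEN}|\"[^\"]*\"))*\s*$"
)

# Struts evaluates "%{...}" and "${...}" as OGNL; payloads against the Struts
# multipart parser also reference the OGNL context and Java runtime classes.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.|@java\.lang\.", re.IGNORECASE
)


def content_type_verdict(value: str) -> str:
    """'ognl' if expression syntax is present, 'malformed' if the header is
    not a valid media type, otherwise 'ok'."""
    if OGNL_MARKERS.search(value):
        return "ognl"
    if not MEDIA_TYPE.match(value):
        return "malformed"
    return "ok"


def scan_requests(requests: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every request whose Content-Type is not 'ok', with its verdict."""
    flagged = []
    for req in requests:
        verdict = content_type_verdict(req.get("content_type", ""))
        if verdict != "ok":
            flagged.append({**req, "verdict": verdict})
    return flagged


# Constructed sample requests (not captured traffic); the second one carries a
# harmless OGNL-shaped string, not a working exploit payload.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/complaint/upload",
     "content_type": "multipart/form-data; boundary=----xyz"},
    {"src": "198.51.100.7", "path": "/complaint/upload",
     "content_type": "%{(#demo='multipart/form-data').(#x=1)}"},
    {"src": "192.0.2.9", "path": "/complaint/upload",
     "content_type": "application/json"},
    {"src": "192.0.2.10", "path": "/complaint/upload",
     "content_type": "text/plain; charset=utf-8"},
    {"src": "198.51.100.8", "path": "/complaint/upload",
     "content_type": "multipart/form-data boundary"},
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{hit['src']} {hit['path']} -> {hit['verdict']}: {hit['content_type']}")
```

The "malformed" verdict matters as much as the "ognl" one: a Content-Type that does not parse as a media type has no legitimate reason to reach a multipart endpoint, so it is a useful low-noise signal even when an attacker obfuscates the expression markers.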

While it isn't clear why the patching process broke down at this point, it's worth noting what was happening at Equifax that same month, according to Bloomberg Businessweek: Unnerved by a series of incidents in which criminals had used Social Security numbers stolen from elsewhere to log into Equifax sites, the credit bureau had hired the security consulting firm Mandiant to assess its systems. Mandiant warned Equifax about multiple unpatched and misconfigured systems, and the relationship devolved into acrimony within a few weeks.

Forensics performed after the fact revealed that the initial Equifax data breach date was March 10, 2017: that was when the web portal was first breached via the Struts vulnerability. However, the attackers don't seem to have done much of anything immediately. It wasn't until May 13, 2017 — in what Equifax referred to in the GAO report as a "separate incident" — that attackers began moving from the compromised server into other parts of the network and exfiltrating data in earnest. (We'll revisit this time gap later, as it's important to the question of who the attackers were.)

From May through July of 2017, the attackers were able to gain access to multiple Equifax databases containing information on hundreds of millions of people; as noted, a number of poor data governance practices made their romp through Equifax's systems possible. But how were they able to remove all that data without being noticed? We've now arrived at another egregious Equifax screwup. Like many cyberthieves, Equifax's attackers encrypted the data they were moving in order to make it harder for admins to spot; like many large enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But to intercept and re-encrypt that traffic, these tools rely on a certificate, and certificates expire and must be renewed on a schedule. Equifax had let the certificate on one of these devices expire nearly 10 months previously — which meant that encrypted traffic passing through it wasn't being inspected at all.

The expired certificate wasn't discovered and renewed until July 29, 2017, at which point Equifax administrators almost immediately began noticing all that previously obscured suspicious activity; this was when Equifax first knew about the breach.
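The control that prevents this failure mode is an inventory-wide expiry check that alerts well before a certificate lapses, not just on the servers the public sees but on inspection devices, proxies and gateways. The following is an added example, not code from the article or from Equifax: it evaluates a constructed inventory as of July 29, 2017 (the discovery date given above) and reports anything expired or within 30 days of expiring. The device names and the `notAfter` dates are constructed; the date format is the one Python's `ssl.getpeercert()` returns, so the same check runs unchanged against live data.

```python
"""Inventory-wide certificate expiry check. Added example, not code from the
original article or from Equifax; the inventory entries, device names and
dates are constructed."""
import ssl
from datetime import datetime, timezone
from typing import Dict, List

# The date the article gives for discovery of the breach; used as "now" so
# the example is reproducible offline.
AS_OF = datetime(2017, 7, 29, tzinfo=timezone.utc)

# Constructed inventory. "notAfter" uses the format ssl.getpeercert() returns,
# e.g. "Jul 29 12:00:00 2017 GMT", so real entries can be dropped in directly.
INVENTORY: List[Dict[str, str]] = [
    {"device": "ssl-visibility-01", "subject": "inspect.internal.example",
     "notAfter": "Sep 30 00:00:00 2016 GMT"},   # lapsed ~10 months ago
    {"device": "waf-edge-02", "subject": "portal.example",
     "notAfter": "Aug 15 00:00:00 2017 GMT"},   # about to lapse
    {"device": "vpn-gw-03", "subject": "vpn.example",
     "notAfter": "Mar 01 00:00:00 2018 GMT"},   # fine
]


def days_remaining(not_after: str, now: datetime = AS_OF) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(not_after)   # seconds since epoch, UTC
    return int((expires - now.timestamp()) // 86400)


def check_inventory(inventory: List[Dict[str, str]], now: datetime = AS_OF,
                    warn_days: int = 30) -> List[Dict[str, object]]:
    """One finding per certificate that is expired or expiring within warn_days."""
    findings = []
    for entry in inventory:
        days = days_remaining(entry["notAfter"], now)
        if days < 0:
            status = "EXPIRED"
        elif days <= warn_days:
            status = "EXPIRING"
        else:
            continue
        findings.append({"device": entry["device"], "subject": entry["subject"],
                         "status": status, "days": days})
    return findings


if __name__ == "__main__":
    for f in check_inventory(INVENTORY):
        print(f"{f['status']:8} {f['device']:18} {f['subject']:28} {f['days']:+d} days")
```

The point of running this against an inventory rather than against the public-facing hostnames alone is that the device that failed at Equifax was internal: a scan of the internet-visible edge would never have touched it.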

It took another full month of internal investigation before Equifax publicized the breach, on September 7, 2017. Several top Equifax executives sold company stock in early August, raising suspicions that they had gotten ahead of the inevitable decline in stock price that would ensue when all the information came out. They were cleared, though one lower-level executive was charged with insider trading.

What data was compromised and how many people were affected?

Equifax specifically traffics in personal data, and so the information that was compromised and spirited away by the attackers was quite in-depth and covered a huge number of people. It potentially affected 143 million people (a figure Equifax later revised upward to nearly 148 million) — more than 40 percent of the population of the United States — whose names, addresses, dates of birth, Social Security numbers, and driver's license numbers were exposed. A small subset of the records — on the order of about 200,000 — also included credit card numbers; this group probably consisted of people who had paid Equifax directly in order to see their own credit report.

This last factor is somewhat ironic, as the people concerned enough about their credit score to pay Equifax to look at it also had the most personal data stolen, which could lead to fraud that would then harm their credit score. But a funny thing happened as the nation braced itself for the wave of identity theft and fraud that seemed inevitable after this breach: it never happened. And that has everything to do with the identity of the attackers.

Who was responsible for the Equifax data breach?

As soon as the Equifax breach was announced, infosec experts began keeping tabs on dark web sites, waiting for huge dumps of data that might be connected to it. They waited, and waited, but the data never appeared. This gave rise to what's become a widely accepted theory: that Equifax was breached by Chinese state-sponsored hackers whose purpose was espionage, not theft.

The Bloomberg Businessweek analysis follows these lines and points to a number of additional clues beyond the fact that the stolen data never seems to have leaked. For instance, recall that the initial breach on March 10 was followed by more than two months of inactivity before attackers began abruptly moving onto high-value targets within Equifax's network. Investigators believe that the first incursion was accomplished by relatively inexperienced hackers who were using a readily available hacking kit that had been updated to take advantage of the Struts vulnerability, which was only a few days old at that point and easy to exploit. They may have found the unpatched Equifax server using a scanning tool and not realized how potentially valuable the company they had breached was. Eventually, unable to get much further beyond their initial success, they sold their foothold to more skilled attackers, who used a variety of techniques associated with Chinese state-backed hackers to gain access to the confidential data.

And why would the Chinese government be interested in Equifax's data records? Investigators tie the attack to two other large breaches that similarly didn't result in a dump of personally identifying data on the dark web: the 2015 hack of the U.S. Office of Personnel Management, and the 2018 hack of Marriott's Starwood hotel brands. All are assumed to be part of an operation to build a huge "data lake" on millions of Americans, with the intention of using big data techniques to learn about U.S. government officials and intelligence operatives. In particular, evidence of American officials or spies who are in financial trouble could help Chinese intelligence identify potential targets for blackmail or bribery attempts.

In February of 2020, the United States Department of Justice formally charged four members of the Chinese military with the attack. This was an extremely rare move — the U.S. rarely files criminal charges against foreign intelligence officers, in order to avoid retaliation against American operatives — that underscored how seriously the U.S. government took the attack.

How did Equifax handle the breach?

At any rate, once the breach was publicized, Equifax's immediate response did not win many plaudits. Among its stumbles was setting up a separate, dedicated domain, equifaxsecurity2017.com, to host the site with information and resources for those potentially affected. These sorts of lookalike domains are exactly what phishing scams use, so asking customers to trust this one was a monumental failure in infosec procedure: nothing distinguished the real site from a fake, and Equifax had trained its customers to click anyway. Worse, on multiple occasions official Equifax social media accounts erroneously directed people to securityequifax2017.com instead; fortunately, the person who had snapped up that URL used it for good, directing the 200,000 (!) visitors it received to the correct site.
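Two cheap controls would have prevented the mix-up described above: register (or at least monitor) every token-order variant of a breach-response hostname before announcing it, and vet every link in an official post against an allow-list before it goes out. The following is an added example, not code from the article or from Equifax. The two hostnames are the ones the article names; treating them as the allow-list, the "last two labels" rule for reducing a host to its registrable domain, and the sample post are constructed assumptions (a production check would use the Public Suffix List instead of the two-label rule).

```python
"""Enumerate token-order lookalikes of a breach-response domain and vet
outbound links against an allow-list. Added example, not code from the
original article or from Equifax; the allow-list and sample post are
constructed."""
import re
from itertools import permutations
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of hosts an official post may link to.
OFFICIAL_HOSTS: Set[str] = {"equifax.com", "equifaxsecurity2017.com"}


def token_order_variants(tokens: List[str], tld: str) -> Set[str]:
    """Every concatenation order of a name's tokens, e.g. 'securityequifax2017.com'."""
    return {"".join(p) + "." + tld for p in permutations(tokens)}


# Hosts to pre-register or monitor: every ordering except the official one.
LOOKALIKE_HOSTS: Set[str] = (
    token_order_variants(["equifax", "security", "2017"], "com") - OFFICIAL_HOSTS
)


def registrable_host(url: str) -> str:
    """Lower-cased host reduced to its last two labels. A simplification (assumed
    here); real code should consult the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify_link(url: str) -> str:
    """'official' if the link lands on an allow-listed host, 'lookalike' if it
    lands on a known permutation of one, otherwise 'unknown'."""
    host = registrable_host(url)
    if host in OFFICIAL_HOSTS:
        return "official"
    if host in LOOKALIKE_HOSTS:
        return "lookalike"
    return "unknown"


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def vet_post(text: str) -> List[Tuple[str, str]]:
    """Return (url, verdict) for every link in a draft post that is NOT official;
    an empty list means the post is safe to publish."""
    problems = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")          # drop trailing sentence punctuation
        verdict = classify_link(url)
        if verdict != "official":
            problems.append((url, verdict))
    return problems


# Constructed draft post reproducing the mistake the article describes.
SAMPLE_POST = ("Worried about the breach? Check whether you were affected: "
               "https://securityequifax2017.com/ or read our FAQ at "
               "https://www.equifax.com/")

if __name__ == "__main__":
    print("monitor/register:", sorted(LOOKALIKE_HOSTS))
    for url, verdict in vet_post(SAMPLE_POST):
        print(f"BLOCK {verdict}: {url}")
```

Note that `classify_link` reduces the host to its registrable domain before comparing, so `www.equifaxsecurity2017.com` passes while `equifaxsecurity2017.com.evil.example` does not; a naive substring match on the brand name would get both of those wrong.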

Meanwhile, the real equifaxsecurity2017.com breach site was judged insecure by numerous observers, and may have just been telling everyone that they were affected by the breach whether they really were or not. Language on the site (later retracted by Equifax) implied that merely checking to see if you were affected meant you were giving up your right to sue over it. And in the end, if you were affected, you were directed to enroll in an Equifax ID protection service — for free, but how much do you trust the company at this point?

What happened to Equifax after the data breach?

What, ultimately, was the Equifax breach's impact? Well, the upper ranks of Equifax's C-suite rapidly turned over. Legislation sponsored by Elizabeth Warren and others that would've imposed fines on credit-reporting agencies that get hacked went nowhere in the Senate.

That doesn't mean the Equifax breach cost the company nothing, though. Two years after the breach, the company said it had spent $1.4 billion on cleanup costs, including "incremental costs to transform our technology infrastructure and improve application, network, [and] data security." In June 2019, Moody's downgraded the company's financial rating in part because of the massive amounts it would need to spend on infosec in the years to come. In July 2019 the company reached a record-breaking settlement with the FTC, which wrapped up an ongoing class action lawsuit and will require Equifax to spend at least $1.38 billion to resolve consumer claims.

Was I affected by the Equifax breach?

This was a lot of anguish just to find out if you were one of the unlucky 40 percent of Americans whose data was stolen in the hack. Things have settled down in the subsequent years, and now there's a new site where you can check to see if you're affected, with yet another somewhat confusing name: eligibility.equifaxbreachsettlement.com/en/Eligibility.

That settlement eligibility website actually isn't hosted by Equifax at all; instead, it's from the FTC.

How does the Equifax settlement work?

The Equifax settlement dangles the prospect that you might get a check for your troubles, but there are some catches. The settlement mandates that Equifax compensate anyone affected by the breach with credit monitoring services; Equifax wants you to sign up for its own service, of course, and while it will also give you a $125 check to go buy those services from somewhere else, you have to show that you do have alternate coverage to get the money (though you could sign up for a free service).

More cash is available if you've actually lost money to identity theft or spent significant amounts of time dealing with the fallout, but here, too, documentation is required. And that $125 is just a maximum; it almost certainly will go down if too many people request checks.

What are the lessons learned from the Equifax breach?

If we wanted to make a case study of the Equifax breach, what lessons would we pull from it? These seem to be the big ones:

  • Get the basics right. No network is invulnerable. But Equifax was breached because it failed to patch a basic vulnerability, despite having procedures in place to make sure such patches were applied promptly. And huge amounts of data were exfiltrated unnoticed because someone neglected to renew a security certificate. Equifax had spent millions on security gear, but it was poorly implemented and managed.
  • Silos are defensible. Once the attackers were inside the perimeter, they were able to move from machine to machine and database to database. If they had been restricted to a single machine, the damage would've been much less.
  • Data governance is key — especially if data is your business. Equifax's databases could've been stingier in giving up their contents. For instance, users should only be given access to database content on a "need to know" basis; giving general access to any "trusted" user means that an attacker who seizes control of that user's account can run wild. And systems need to keep an eye out for weird behavior; the attackers executed up to 9,000 database queries very rapidly, which should've been a red flag.

Copyright © 2020 IDG Communications, Inc.