In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.
As we’ll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from their lax security posture to their bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape.
How did the Equifax breach happen?
Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data.
Most of the discussion in this section and the subsequent one comes from two documents: A detailed report from the U.S. General Accounting Office, and an in-depth analysis from Bloomberg Businessweek based on sources inside the investigation. A top-level picture of how the Equifax data breach happened looks like this:
- The company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax’s internal processes, wasn’t.
- The attackers were able to move from the web portal to other servers because the systems weren’t adequately segmented from one another, and they were able to find usernames and passwords stored in plain text that then allowed them to access still further systems.
- The attackers pulled data out of the network in encrypted form undetected for months because Equifax had crucially failed to renew an encryption certificate on one of their internal security tools.
- Equifax did not publicize the breach until more than a month after they discovered it had happened; stock sales by top executives around this time gave rise to accusations of insider trading.
To understand how exactly all these crises intersected, let’s take a look at how the events unfolded.
When did the Equifax breach happen?
The crisis began in March of 2017. In that month, a vulnerability, dubbed CVE-2017-5638, was discovered in Apache Struts, an open source development framework for creating enterprise Java applications that Equifax, along with thousands of other websites, uses. If attackers sent HTTP requests with malicious code tucked into the content-type header, Struts could be tricked into executing that code, and potentially opening up the system Struts was running on to further intrusion. On March 7, the Apache Software Foundation released a patch for the vulnerabilities; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn’t. Equifax’s IT department ran a series of scans that were supposed to identify unpatched systems on March 15; there were in fact multiple vulnerable systems, including the aforementioned web portal, but the scans seemed to have not worked, and none of the vulnerable systems were flagged or patched.
While it isn’t clear why the patching process broke down at this point, it’s worth noting what was happening at Equifax that same month, according to Bloomberg Businessweek: Unnerved by a series of incidents in which criminals had used Social Security numbers stolen from elsewhere to log into Equifax sites, the credit agency had hired the security consulting firm Mandiant to assess their systems. Mandiant warned Equifax about multiple unpatched and misconfigured systems, and the relationship devolved into in acrimony within a few weeks.
Forensics analyzed after the fact revealed that the initial Equifax data breach date was March 10, 2017: that was when the web portal was first breached via the Struts vulnerability. However, the attackers don’t seem to have done much of anything immediately. It wasn’t until May 13, 2017 — in what Equifax referred to in the GAO report as a “separate incident” — that attackers began moving from the compromised server into other parts of the network and exfiltrating data in earnest. (We’ll revisit this time gap later, as it’s important to the question of who the attackers were.)
From May through July of 2017, the attackers were able to gain access to multiple Equifax databases containing information on hundreds of millions of people; as noted, a number of poor data governance practices made their romp through Equifax’s systems possible. But how were they able to remove all that data without being noticed? We’ve now arrived at another egregious Equifax screwup. Like many cyberthieves, Equifax’s attackers encrypted the data they were moving in order to make it harder for admins to spot; like many large enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to re-encrypt that traffic, these tools need a public-key certificate, which is purchased from third parties and must be annually renewed. Equifax had failed to renew one of their certificates nearly 10 months previously — which meant that encrypted traffic wasn’t being inspected.
The expired certificate wasn’t discovered and renewed until July 29, 2019, at which point Equifax administrators almost immediately began noticing all that previously obfuscated suspicious activity; this was when Equifax first knew about the breach.
It took another full month of internal investigation before Equifax publicized the breach, on September 8, 2017. Many top Equifax executives sold company stock in early August, raising suspicions that they had gotten ahead of the inevitable decline in stock price that would ensue when all the information came out. They were cleared, though one lower-level exec was charged with insider trading.
What data was compromised and how many people were affected?
Equifax specifically traffics in personal data, and so the information that was compromised and spirited away by the attackers was quite in-depth and covered a huge number of people. It potentially affected 143 million people — more than 40 percent of the population of the United States — whose names, addresses, dates of birth, Social Security numbers, and drivers’ licenses numbers were exposed. A small subset of the records — on the order of about 200,000 — also included credit card numbers; this group probably consisted of people who had paid Equifax directly in order to order to see their own credit report.
This last factor is somewhat ironic, as the people concerned enough about their credit score to pay Equifax to look at it also had the most personal data stolen, which could lead to fraud that would then damage their credit score. But a funny thing happened as the nation braced itself for the wave of identity theft and fraud that seemed inevitable after this breach: it never happened. And that has everything to do with the identity of the attackers.
Who was responsible for the Equifax data breach?
As soon as the Equifax breach was announced, infosec experts began keeping tabs on dark web sites, waiting for huge dumps of data that might be connected to it. They waited, and waited, but the data never appeared. This gave rise to what’s become a widely accepted theory: that Equifax was breached by Chinese state-sponsored hackers whose purpose was espionage, not theft.
The Bloomberg Businessweek analysis follows these lines and points to a number of additional clues beyond the fact that the stolen data never seems to have leaked. For instance, recall that the initial breach on March 10 was followed by more than two months of inactivity before attackers began abruptly moving onto high-value targets within Equifax’s network. Investigators believe that the first incursion was achieved by relatively inexperienced hackers who were using a readily available hacking kit that had been updated to take advantage of the Struts vulnerability, which was only a few days old at that point and easy to exploit. They may have found the unpatched Equifax server using a scanning tool and not realized how potentially valuable the company they had breached was. Eventually, unable to get much further beyond their initial success, they sold their foothold to more skilled attackers, who used a variety of techniques associated with Chinese state-backed hackers to get access to the confidential data.
And why would the Chinese government be interested in Equifax’s data records? Investigators tie the attack into two other big breaches that similarly didn’t result in a dump of personally identifying data on the dark web: the 2015 hack of the U.S. Office of Personnel Management, and the 2018 hack of Marriott’s Starwood hotel brands. All are assumed to be part of an operation to build a huge “data lake” on millions of Americans, with the intention of using big data techniques to learn about U.S. government officials and intelligence operatives. In particular, evidence of American officials or spies who are in financial trouble could help Chinese intelligence identify potential targets of bribery or blackmail attempts.
In February of 2020, the United States Department of Justice formally charged four members of the Chinese military with the attack. This was an extremely rare move — the U.S. rarely files criminal charges against foreign intelligence officers in order to avoid retaliation against American operatives — that underscored how seriously the U.S. government took the attack.
How did Equifax handle the breach?
At any rate, once the breach was publicized, Equifax’s immediate response did not win many plaudits. Among their stumbles was setting up a separate dedicated domain, equifaxsecurity2017.com, to host the site with information and resources for those potentially affected. These sorts of lookalike domains are often used by phishing scams, so asking customers to trust this one was a monumental failure in infosec procedure. Worse, on multiple occasions official Equifax social media accounts erroneously directed people to securityequifax2017.com instead; fortunately, the person who had snapped up that URL used it for good, directing the 200,000 (!) visitors it received to the correct site.
Meanwhile, the real equifaxsecurity2017.com breach site was judged insecure by numerous observers, and may have just been telling everyone that they were affected by the breach whether they really were or not. Language on the site (later retracted by Equifax) implied that just by checking to see if you were affected meant that you were giving up your right to sue over it. And in the end, if you were affected, you were directed to enroll in an Equifax ID protection service — for free, but how much do you trust the company at this point?
What happened to Equifax after the data breach?
What, ultimately, was the Equifax breach’s impact? Well, the upper ranks of Equifax’s C-suite rapidly turned over. Legislation sponsored by Elizabeth Warren and others that would’ve imposed fines on credit-reporting agencies that get hacked went nowhere in the Senate.
That doesn’t mean the Equifax breach cost the company nothing, though. Two years after the breach, the company said it had spent $1.4 billion on cleanup costs, including “incremental costs to transform our technology infrastructure and improve application, network, [and] data security.” In June 2019, Moody’s downgraded the company’s financial rating in part because of the massive amounts it would need to spend on infosec in the years to come. In July 2019 the company reached a record-breaking settlement with the FTC, which wrapped up an ongoing class action lawsuit and will require Equifax to spend at least $1.38 billion to resolve consumer claims.
Was I affected by the Equifax breach?
This was a lot of anguish just to find out if you were one of the unlucky 40 percent of Americans whose data was stolen in the hack. Things have settled down in the subsequent years, and now there’s a new site where you can check to see if you’re affected, with yet another somewhat confusing name: eligibility.equifaxbreachsettlement.com/en/Eligibility.
That settlement eligibility website actually isn’t hosted by Equifax at all; instead, it’s from the FTC.