Equifax data breach FAQ: What happened, who was affected, what was the impact?
In 2017, attackers exfiltrated hundreds of millions of customer records from the credit reporting bureau. Here's a timeline of the security lapses that allowed the breach to happen and the company's response.
- How did the Equifax breach happen?
- When did the Equifax breach happen?
- What data was compromised and how many people were affected?
- Who was responsible for the Equifax data breach?
- How did Equifax handle the breach?
- What happened to Equifax after the data breach?
- Was I affected by the Equifax breach?
- How does the Equifax settlement work?
- What are the lessons learned from the Equifax breach?
In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.
As we'll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from its lax security posture to its bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape.
How did the Equifax breach happen?
Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data.
Most of the discussion in this section and the subsequent one comes from two documents: a detailed report from the U.S. Government Accountability Office (GAO), and an in-depth analysis from Bloomberg Businessweek based on sources inside the investigation. A top-level picture of how the Equifax data breach happened looks like this:
- The company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.
- The attackers were able to move from the web portal to other servers because the systems weren't adequately segmented from one another, and they were able to find usernames and passwords stored in plain text that then allowed them to access still further systems.
- The attackers pulled data out of the network in encrypted form undetected for months because Equifax had crucially failed to renew an encryption certificate on one of its internal security tools.
- Equifax did not publicize the breach until more than a month after it discovered the breach had happened; stock sales by top executives around this time gave rise to accusations of insider trading.
To understand how exactly all these crises intersected, let's take a look at how the events unfolded.
When did the Equifax breach happen?
The crisis began in March of 2017. In that month, a vulnerability, dubbed CVE-2017-5638, was discovered in Apache Struts, an open source development framework for creating enterprise Java applications that Equifax, along with thousands of other websites, uses. If attackers sent HTTP requests with malicious code tucked into the Content-Type header (the framework's multipart file-upload parser evaluated the header value as an OGNL expression), Struts could be tricked into executing that code, potentially opening up the system Struts was running on to further intrusion. On March 7, the Apache Software Foundation released a patch for the vulnerability; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn't. Equifax's IT department ran a series of scans that were supposed to identify unpatched systems on March 15; there were in fact multiple vulnerable systems, including the aforementioned web portal, but the scans seem not to have worked, and none of the vulnerable systems were flagged or patched.
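Because the Struts flaw was triggered through a single request header, it is also easy to spot in traffic or access logs: a legitimate Content-Type is just a media type plus parameters and never contains expression syntax. The following is an added example, not code from the article, from Apache Struts or from Equifax; the hostnames, paths and sample requests are constructed, and the probe string is truncated to the recognizable opening of the public proof-of-concept.

```python
"""Flag CVE-2017-5638-style probes by inspecting the Content-Type header.

Added example, not code from the article, from Apache Struts or from Equifax.
The vulnerable Jakarta multipart parser handed an attacker-controlled
Content-Type value to OGNL evaluation; a real Content-Type is a media type
plus parameters ("multipart/form-data; boundary=x") and never contains
expression syntax, so the markers below are a strong signal. Sample requests
are constructed for this example.
"""
import re
from typing import List, Optional

# Expression syntax and helper names that appear in OGNL injection attempts.
OGNL_MARKERS = [
    re.compile(r"%\{"),             # OGNL expression opener
    re.compile(r"\$\{"),            # alternative expression opener
    re.compile(r"#_memberAccess"),  # sandbox object referenced by public PoCs
    re.compile(r"#context"),
    re.compile(r"\bognl\b", re.IGNORECASE),
]


def content_type_of(raw_request: str) -> Optional[str]:
    """Return the Content-Type value of a raw HTTP request, or None if absent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return None


def is_struts_ognl_probe(raw_request: str) -> bool:
    """True if the request's Content-Type header carries OGNL expression syntax."""
    ct = content_type_of(raw_request)
    if ct is None:
        return False
    return any(marker.search(ct) for marker in OGNL_MARKERS)


def flagged(requests: List[str]) -> List[int]:
    """Indexes of the requests that look like Struts probes."""
    return [i for i, r in enumerate(requests) if is_struts_ognl_probe(r)]


# Constructed sample traffic (hostname and paths are made up).
BENIGN = (
    "POST /complaints/upload HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
PROBE = (
    "POST /complaints/upload HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"
    "content-type: %{(#_='multipart/form-data')}\r\n"  # truncated PoC prefix
    "Content-Length: 0\r\n"
    "\r\n"
)
NO_CONTENT_TYPE = (
    "GET /complaints/status?id=42 HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"
    "\r\n"
    "%{not-a-header}"  # expression syntax in the body is not a hit
)
SAMPLE_REQUESTS = [BENIGN, PROBE, NO_CONTENT_TYPE]

if __name__ == "__main__":
    for i in flagged(SAMPLE_REQUESTS):
        print(f"request {i}: suspicious Content-Type {content_type_of(SAMPLE_REQUESTS[i])!r}")
```

The check deliberately looks only at the header, not the body, and matches the header name case-insensitively; a scan like this over a web server's logs would have shown whether the portal had been probed before or after the patch window.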
While it isn't clear why the patching process broke down at this point, it's worth noting what was happening at Equifax that same month, according to Bloomberg Businessweek: unnerved by a series of incidents in which criminals had used Social Security numbers stolen from elsewhere to log into Equifax sites, the credit agency had hired the security consulting firm Mandiant to assess its systems. Mandiant warned Equifax about multiple unpatched and misconfigured systems, and the relationship devolved into acrimony within a few weeks.
Forensic analysis after the fact revealed that the initial Equifax data breach date was March 10, 2017: that was when the web portal was first breached via the Struts vulnerability. However, the attackers don't seem to have done much of anything immediately. It wasn't until May 13, 2017 — in what Equifax referred to in the GAO report as a "separate incident" — that attackers began moving from the compromised server into other parts of the network and exfiltrating data in earnest. (We'll revisit this time gap later, as it's important to the question of who the attackers were.)
From May through July of 2017, the attackers were able to gain access to multiple Equifax databases containing data on hundreds of millions of people; as noted, a number of poor data governance practices made their romp through Equifax's systems possible. But how were they able to remove all that data without being noticed? We've now arrived at another egregious Equifax screwup. Like many cyberthieves, Equifax's attackers encrypted the data they were moving in order to make it harder for admins to spot; like many large enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to re-encrypt that traffic, these tools need a public-key certificate, which is purchased from a third party and must be renewed annually. Equifax had failed to renew one of its certificates nearly 10 months previously, which meant that encrypted traffic wasn't being inspected. Note the failure mode: a monitoring device that keeps passing traffic it can no longer inspect is failing open, and nothing alerted anyone that inspection had silently stopped.
The expired certificate wasn't discovered and renewed until July 29, 2017, at which point Equifax administrators almost immediately began noticing all that previously obfuscated suspicious activity; this was when Equifax first knew about the breach.
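Certificate expiry is a date known in advance, so an inventory job can warn about it long before a device goes blind. Below is an added example, not code from the article or from Equifax, that classifies certificates from the line `openssl x509 -noout -enddate -in cert.pem` prints ("notAfter=...") and reports how long an expired one has been lapsed. Device names, dates and the 30-day warning window are assumptions; the inventory is constructed, with one entry set to lapse roughly ten months before the 29 July 2017 discovery the article describes.

```python
"""Catch expired or expiring certificates before an inspection device goes blind.

Added example; not code from the article or from Equifax. Input is the line
`openssl x509 -noout -enddate -in cert.pem` prints, e.g.
"notAfter=Jul 29 23:59:59 2017 GMT". Device names, dates and the warning
window are assumptions; the inventory below is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict

WARN_DAYS = 30  # assumed renewal lead time

# Constructed inventory: device -> output of `openssl x509 -noout -enddate`.
# ssl-inspect-01 mirrors the article: lapsed about ten months before discovery.
INVENTORY: Dict[str, str] = {
    "ssl-inspect-01": "notAfter=Sep 30 23:59:59 2016 GMT",
    "ssl-inspect-02": "notAfter=Aug 15 23:59:59 2017 GMT",
    "web-portal-lb": "notAfter=Dec 31 23:59:59 2018 GMT",
}

# The day the article says the lapsed certificate was finally noticed.
AS_OF = datetime(2017, 7, 29, tzinfo=timezone.utc)


def not_after(enddate_line: str) -> datetime:
    """Parse 'notAfter=<OpenSSL GMT time>' into an aware UTC datetime."""
    key, sep, value = enddate_line.strip().partition("=")
    if not sep or key != "notAfter":
        raise ValueError(f"not an openssl -enddate line: {enddate_line!r}")
    # OpenSSL prints "Mon DD HH:MM:SS YYYY GMT" (day space-padded below 10).
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def classify(enddate_line: str, now: datetime = AS_OF, warn_days: int = WARN_DAYS) -> str:
    """'expired', 'expiring' (within warn_days) or 'ok' relative to `now`."""
    remaining = not_after(enddate_line) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def days_uninspected(enddate_line: str, now: datetime = AS_OF) -> int:
    """Whole days a device has run on a dead certificate (0 if still valid)."""
    lapsed = now - not_after(enddate_line)
    return lapsed.days if lapsed > timedelta(0) else 0


def report(inventory: Dict[str, str] = INVENTORY, now: datetime = AS_OF) -> Dict[str, str]:
    """Map each device to its certificate status."""
    return {name: classify(line, now) for name, line in inventory.items()}


if __name__ == "__main__":
    for name, status in report().items():
        gap = days_uninspected(INVENTORY[name])
        extra = f" ({gap} days of traffic uninspected)" if status == "expired" else ""
        print(f"{name}: {status}{extra}")
```

Run daily, this turns a silent lapse into a ticket a month ahead of time; the `days_uninspected` figure is also the first number an incident responder wants when scoping how long a fail-open device has been blind.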
It took another full month of internal investigation before Equifax publicized the breach, on September 7, 2017. Several top Equifax executives sold company stock in early August, raising suspicions that they had gotten ahead of the inevitable decline in stock price that would ensue when all the information came out. They were cleared, though one lower-level exec was charged with insider trading.
What data was compromised and how many people were affected?
Equifax specifically traffics in personal data, and so the information that was compromised and spirited away by the attackers was quite in-depth and covered a huge number of people. It potentially affected 143 million people — more than 40 percent of the population of the United States — whose names, addresses, dates of birth, Social Security numbers, and driver's license numbers were exposed (Equifax later revised the total upward to about 147 million). A small subset of the records — on the order of about 200,000 — also included credit card numbers; this group probably consisted of people who had paid Equifax directly in order to see their own credit report.
This last factor is somewhat ironic, as the people concerned enough about their credit score to pay Equifax to look at it also had the most personal data stolen, which could lead to fraud that would then damage their credit score. But a funny thing happened as the nation braced itself for the wave of identity theft and fraud that seemed inevitable after this breach: it never happened. And that has everything to do with the identity of the attackers.
Who was responsible for the Equifax data breach?
As soon as the Equifax breach was announced, infosec experts began keeping tabs on dark web sites, waiting for huge dumps of data that might be connected to it. They waited, and waited, but the data never appeared. This gave rise to what's become a widely accepted theory: that Equifax was breached by Chinese state-sponsored hackers whose purpose was espionage, not theft.
The Bloomberg Businessweek analysis follows these lines and points to a number of additional clues beyond the fact that the stolen data never seems to have leaked. For instance, recall that the initial breach on March 10 was followed by more than two months of inactivity before attackers began abruptly moving onto high-value targets within Equifax's network. Investigators believe that the first incursion was achieved by relatively inexperienced hackers who were using a readily available hacking kit that had been updated to take advantage of the Struts vulnerability, which was only a few days old at that point and easy to exploit. They may have found the unpatched Equifax server using a scanning tool and not realized how potentially valuable the company they had breached was. Eventually, unable to get much further beyond their initial success, they sold their foothold to more skilled attackers, who used a variety of techniques associated with Chinese state-backed hackers to get access to the confidential data.
And why would the Chinese government be interested in Equifax's data records? Investigators tie the attack to two other big breaches that similarly didn't result in a dump of personally identifying data on the dark web: the 2015 hack of the U.S. Office of Personnel Management, and the 2018 hack of Marriott's Starwood hotel brands. All are assumed to be part of an operation to build a huge "data lake" on millions of Americans, with the intention of using big data techniques to learn about U.S. government officials and intelligence operatives. In particular, evidence of American officials or spies who are in financial trouble could help Chinese intelligence identify potential targets of bribery or blackmail attempts.
In February of 2020, the United States Department of Justice formally charged four members of the Chinese military (the People's Liberation Army) with the attack. This was an extremely rare move — the U.S. rarely files criminal charges against foreign intelligence officers, in order to avoid retaliation against American operatives — that underscored how seriously the U.S. government took the attack.
How did Equifax handle the breach?
At any rate, once the breach was publicized, Equifax's immediate response did not win many plaudits. Among its stumbles was setting up a separate dedicated domain, equifaxsecurity2017.com, to host the site with information and resources for those potentially affected. These sorts of lookalike domains are exactly what phishing scams use, so asking customers to trust this one was a monumental failure in infosec procedure. Worse, on multiple occasions official Equifax social media accounts erroneously directed people to securityequifax2017.com instead; fortunately, the person who had snapped up that URL used it for good, directing the 200,000 (!) visitors it received to the correct site.
Meanwhile, the real equifaxsecurity2017.com breach site was judged insecure by numerous observers, and may have just been telling everyone that they were affected by the breach whether they really were or not. Language on the site (later retracted by Equifax) implied that just by checking to see if you were affected you were giving up your right to sue over it. And in the end, if you were affected, you were directed to enroll in an Equifax ID protection service — for free, but how much do you trust the company at this point?
What happened to Equifax after the data breach?
What, ultimately, was the Equifax breach's impact? Well, the upper ranks of Equifax's C-suite quickly turned over. Legislation sponsored by Elizabeth Warren and others that would've imposed fines on credit-reporting agencies that get hacked went nowhere in the Senate.
That doesn't mean the Equifax breach cost the company nothing, though. Two years after the breach, the company said it had spent $1.4 billion on cleanup costs, including "incremental costs to transform our technology infrastructure and improve application, network, [and] data security." In June 2019, Moody's downgraded the company's financial outlook in part because of the massive amounts it would need to spend on infosec in the years to come. In July 2019 the company reached a record-breaking settlement with the FTC, which wrapped up an ongoing class action lawsuit and will require Equifax to spend at least $1.38 billion to resolve consumer claims.
Was I affected by the Equifax breach?
This was a lot of anguish just to find out if you were one of the unlucky 40 percent of Americans whose data was stolen in the hack. Things have settled down in the subsequent years, and now there's a new site where you can check to see if you're affected, with yet another somewhat confusing name: eligibility.equifaxbreachsettlement.com/en/Eligibility.
That settlement eligibility website actually isn't hosted by Equifax at all; instead, it's run under the FTC settlement.
How does the Equifax settlement work?
The Equifax settlement dangles the prospect that you might get a check for your troubles, but there are some catches. The settlement mandates that Equifax compensate anyone affected by the breach with credit monitoring services; Equifax wants you to sign up for its own service, of course, and while it will also give you a $125 check to go buy those services from somewhere else, you have to prove that you do have alternative coverage to get the money (though you could sign up for a free service).
More cash is available if you've actually lost money from identity theft or spent significant amounts of time dealing with the fallout, but here, too, documentation is required. And that $125 is only a maximum; it almost certainly will go down if too many people request checks.
What are the lessons learned from the Equifax breach?
If we wanted to make a case study of the Equifax breach, what lessons would we pull from it? These seem to be the big ones:
- Get the basics right. No network is invulnerable. But Equifax was breached because it failed to patch a basic vulnerability, despite having procedures in place to make sure such patches were applied promptly. And huge amounts of data were exfiltrated unnoticed because someone neglected to renew a security certificate. Equifax had spent millions on security gear, but it was poorly implemented and managed.
- Silos are defensible. Once the attackers were inside the perimeter, they were able to move from machine to machine and database to database. If they had been restricted to a single machine, the damage would've been much less.
- Data governance is key — especially if data is your business. Equifax's databases could've been stingier in giving up their contents. For instance, users should only be given access to database content on a "need to know" basis; giving general access to any "trusted" users means that an attacker who seizes control of one of those user accounts can run wild. And systems need to keep an eye out for weird behavior; the attackers executed up to 9,000 database queries very quickly, which should've been a red flag.
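The last two lessons translate into two cheap checks on a database's own audit log: a per-account query-rate window that fires on a burst like the one above, and a need-to-know allowlist that fires when an account touches a table it has no business reading. The following is an added example, not code from the article, from Equifax or from any database vendor. The log format ("<ISO timestamp> <db account> <SQL>"), the account and table names, and the thresholds (more than 100 queries in 60 seconds) are assumptions, and the sample log is constructed; the checks apply to any per-statement audit log a database can emit.

```python
"""Two cheap database-side checks: query bursts and off-allowlist table access.

Added example, not code from the article, from Equifax or from any DBMS
vendor. Log format, account names, tables and thresholds are assumptions;
the sample log is constructed by build_sample_log().
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<sql>.+)$")
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_.]*)", re.IGNORECASE)

# Assumed need-to-know policy: the portal account may only read its own table.
ALLOWED_TABLES: Dict[str, Set[str]] = {"svc_portal": {"complaints"}}


def parse_line(line: str):
    """Return (epoch seconds, account, sql) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["user"], m["sql"]


def analyze(lines: List[str], window_s: int = 60, threshold: int = 100,
            allowed: Dict[str, Set[str]] = ALLOWED_TABLES) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Return (burst alerts, sorted off-allowlist (account, table) pairs)."""
    recent: Dict[str, deque] = defaultdict(deque)  # sliding window per account
    bursts: List[dict] = []
    already_alerted: Set[str] = set()
    violations: Set[Tuple[str, str]] = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, sql = parsed
        m = TABLE_RE.search(sql)
        if m and m.group(1).lower() not in allowed.get(user, set()):
            violations.add((user, m.group(1).lower()))
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and user not in already_alerted:
            already_alerted.add(user)  # one alert per account, at the first crossing
            at = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            bursts.append({"user": user, "count": len(q), "at": at})
    return bursts, sorted(violations)


def build_sample_log() -> List[str]:
    """Constructed audit log: normal portal traffic, then a bulk pull of PII."""
    base = datetime(2017, 5, 14, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):  # one complaint lookup every 30 s
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} svc_portal SELECT id, status FROM complaints WHERE id = {1000 + i}")
    burst_start = base + timedelta(minutes=10)
    for i in range(150):  # 150 lookups in 50 s, about 3 per second
        t = burst_start + timedelta(seconds=i // 3)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} svc_portal SELECT ssn, dob FROM consumers WHERE id = {i}")
    return lines


if __name__ == "__main__":
    bursts, violations = analyze(build_sample_log())
    for b in bursts:
        print(f"burst: {b['user']} ran {b['count']} queries within 60 s ending {b['at']}")
    for user, table in violations:
        print(f"policy: {user} read table {table!r} outside its allowlist")
```

The allowlist check fires on the very first off-policy statement, long before the rate check trips, which is the point of the "need to know" lesson: a compromised service account should be noticed for what it reads, not only for how fast it reads it.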
Copyright © 2020 IDG Communications, Inc.
Source: https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html