Equifax data breach FAQ: What happened, who was affected, what was the impact?

In 2017, attackers exfiltrated hundreds of millions of customer records from the credit reporting agency. Here's a timeline of the security lapses that allowed the breach to happen and the company's response.

Table of Contents
  • How did the Equifax breach happen?
  • When did the Equifax breach happen?
  • What data was compromised and how many people were affected?
  • Who was responsible for the Equifax data breach?
  • How did Equifax handle the breach?
  • What happened to Equifax after the data breach?
  • Was I affected by the Equifax breach?
  • How does the Equifax settlement work?
  • What are the lessons learned from the Equifax breach?


In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.

As we'll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything from its lax security posture to its bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape.

How did the Equifax breach happen?

Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data.

Most of the discussion in this section and the next one comes from two documents: a detailed report from the U.S. Government Accountability Office (GAO), and an in-depth analysis from Bloomberg Businessweek based on sources inside the investigation. A top-level picture of how the Equifax data breach happened looks like this:

  • The company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.
  • The attackers were able to move from the web portal to other servers because the systems weren't adequately segmented from one another, and they were able to find usernames and passwords stored in plain text that then allowed them to access still further systems.
  • The attackers pulled data out of the network in encrypted form, undetected for months, because Equifax had failed to renew the certificate on one of its internal security tools, so its encrypted-traffic inspection had silently stopped working.
  • Equifax did not publicize the breach until more than a month after it discovered what had happened; stock sales by top executives around this time gave rise to accusations of insider trading.

To understand how exactly all these crises intersected, let's take a look at how the events unfolded.

When did the Equifax breach happen?

The crisis began in March of 2017. In that month, a vulnerability, dubbed CVE-2017-5638, was disclosed in Apache Struts, an open source development framework for creating enterprise Java applications that Equifax, along with thousands of other websites, uses. If attackers sent HTTP requests with a malicious OGNL expression tucked into the Content-Type header, the Jakarta Multipart parser in Struts would evaluate that expression while building an error message for the malformed header, executing attacker-supplied code on the server and potentially opening up the system Struts was running on to further intrusion. On March 7, the Apache Software Foundation released a patch for the vulnerability; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn't. Equifax's IT department ran a series of scans on March 15 that were supposed to identify unpatched systems; there were in fact multiple vulnerable systems, including the same web portal, but the scans seem not to have worked, and none of the vulnerable systems were flagged or patched.
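The Content-Type trick described above is easy to spot at a proxy or in access logs, because a legitimate Content-Type never contains an OGNL expression. The following Python is an added example, not code from the article or from Equifax, that parses constructed raw HTTP requests and classifies their Content-Type (and Content-Disposition, which the later S2-046 variant of the same CVE abused) as benign, suspicious or an exploit attempt. The request samples, host names and the abridged payload are constructed for illustration.

```python
import re

# Exploit payloads for CVE-2017-5638 open an OGNL expression ("%{" or "${") in
# a header the multipart parser must fail to parse, and nearly always reference
# OGNL internals or process execution to escape the sandbox and run a command.
OGNL_EXPR = re.compile(r"[%$]\{")
OGNL_MARKERS = (
    "#_memberAccess", "OgnlContext", "DEFAULT_MEMBER_ACCESS",
    "ProcessBuilder", "getRuntime", "#cmd",
)
# Headers the Jakarta Multipart parser echoes into an error message.
WATCHED_HEADERS = ("content-type", "content-disposition")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into its request line and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def classify_header(value: str) -> str:
    """Return 'benign', 'suspicious' or 'exploit' for one header value."""
    if not OGNL_EXPR.search(value):
        return "benign"
    if any(marker in value for marker in OGNL_MARKERS):
        return "exploit"
    return "suspicious"  # an OGNL expression with no known sandbox-escape markers


def scan_requests(raw_requests):
    """Return (request_line, header, verdict) for every non-benign request."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        for name in WATCHED_HEADERS:
            verdict = classify_header(req["headers"].get(name, ""))
            if verdict != "benign":
                findings.append((req["request_line"], name, verdict))
    return findings


# Constructed sample traffic (hypothetical host and paths). The exploit payload
# is abridged to the shape of the public proof of concept; it is not a working
# exploit and is here only so the detector has something to match.
SAMPLE_REQUESTS = [
    "POST /dispute/upload HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7a1\r\n\r\n",
    "POST /dispute/status HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: application/json\r\n\r\n{\"case\": 12345}",
    "POST /dispute/upload HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')."
    "(#p=new java.lang.ProcessBuilder({'/bin/sh','-c',#cmd})).(#p.start())}\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

This is a signature for the attack, not a fix: the only real remedy is upgrading Struts (2.3.32 / 2.5.10.1 or later), and a detector like this is useful mainly for finding out who is knocking on an unpatched server in the window between disclosure and patching.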

While it isn't clear why the patching process broke down at this point, it's worth noting what was happening at Equifax that same month, according to Bloomberg Businessweek: unnerved by a series of incidents in which criminals had used Social Security numbers stolen from elsewhere to log into Equifax sites, the credit bureau had hired the security consulting firm Mandiant to assess its systems. Mandiant warned Equifax about multiple unpatched and misconfigured systems, and the relationship devolved into acrimony within a few weeks.

Forensics analyzed after the fact revealed that the initial Equifax data breach date was March 10, 2017: that was when the web portal was first breached via the Struts vulnerability. However, the attackers don't seem to have done much of anything immediately. It wasn't until May 13, 2017, in what Equifax referred to in the GAO report as a "separate incident," that attackers began moving from the compromised server into other parts of the network and exfiltrating data in earnest. (We'll revisit this time gap later, as it's important to the question of who the attackers were.)

From May through July of 2017, the attackers were able to gain access to multiple Equifax databases containing information on hundreds of millions of people; as noted, a number of poor data governance practices made their romp through Equifax's systems possible. But how were they able to remove all that data without being noticed? We've now arrived at another egregious Equifax screwup. Like many cyberthieves, Equifax's attackers encrypted the data they were moving in order to make it harder for admins to spot; like many big enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to terminate and re-encrypt that traffic, these tools need a valid public-key certificate, which has a fixed validity period and must be renewed before it expires. Equifax had let one of its certificates expire some 10 months previously, which meant that encrypted traffic passing through that device wasn't being inspected at all.

The expired certificate wasn't discovered and renewed until July 29, 2017, at which point Equifax administrators almost immediately began noticing all that previously obfuscated suspicious activity; this was when Equifax first knew about the breach.
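The failure mode here is that an inspection device with an expired certificate fails open and quiet: nothing alerts, traffic simply stops being decrypted. The following Python is an added example (not from the article or from Equifax) of the kind of expiry audit that would have caught this, run over a constructed inventory of certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. Device names, host names and dates are made up; `fetch_peer_cert` shows how the same dict is obtained from a live endpoint and is not used by the offline audit.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory of certificates installed on hypothetical TLS inspection
# appliances, in the (partial) dict shape getpeercert() returns. Only notAfter
# is needed for the expiry check. Dates are chosen to mirror the story: one
# certificate expired months ago, one is about to, one is fine.
INVENTORY = [
    {"device": "ssl-visibility-01",
     "subject": ((("commonName", "inspect01.corp.example"),),),
     "notAfter": "Jan 31 23:59:59 2017 GMT"},
    {"device": "ssl-visibility-02",
     "subject": ((("commonName", "inspect02.corp.example"),),),
     "notAfter": "Aug 15 23:59:59 2017 GMT"},
    {"device": "ssl-visibility-03",
     "subject": ((("commonName", "inspect03.corp.example"),),),
     "notAfter": "Mar 01 00:00:00 2018 GMT"},
]

WARN_DAYS = 30  # raise a warning this many days before expiry


def days_until_expiry(cert: dict, now: datetime) -> float:
    """Days from `now` (timezone-aware) until the certificate's notAfter."""
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" format used
    # in getpeercert() output and returns seconds since the epoch.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(cert: dict, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Return 'expired', 'expiring' or 'ok'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


def audit(inventory, now: datetime, warn_days: int = WARN_DAYS):
    """Return (device, status, days_remaining) for every certificate."""
    return [(c["device"], classify(c, now, warn_days),
             round(days_until_expiry(c, now))) for c in inventory]


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live certificate in the same dict shape (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Run the audit as of the day Equifax finally noticed.
    for row in audit(INVENTORY, datetime(2017, 7, 29, tzinfo=timezone.utc)):
        print(row)
```

Note that an audit like this only works if the inspection devices are actually in the inventory being checked; the practical lesson from the GAO account is that the certificate on a security control was tracked by nobody, so the control degraded without anyone being on the hook for it.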

It took another full month of internal investigation before Equifax publicized the breach, on September 8, 2017. Many top Equifax executives sold company stock in early August, raising suspicions that they had gotten ahead of the inevitable decline in stock price that would ensue when all the data came out. They were cleared, though one lower-level exec was charged with insider trading.

What data was compromised and how many people were affected?

Equifax specifically traffics in personal data, so the information that was compromised and spirited away by the attackers was quite in-depth and covered a huge number of people. It potentially affected 143 million people, more than 40 percent of the population of the United States, whose names, addresses, dates of birth, Social Security numbers, and driver's license numbers were exposed. A small subset of the records, on the order of about 200,000, also included credit card numbers; this group probably consisted of people who had paid Equifax directly in order to see their own credit report.

This last factor is somewhat ironic, as the people concerned enough about their credit score to pay Equifax to look at it also had the most personal data stolen, which could lead to fraud that would then damage their credit score. But a funny thing happened as the nation braced itself for the wave of identity theft and fraud that seemed inevitable after this breach: it never happened. And that has everything to do with the identity of the attackers.

Who was responsible for the Equifax data breach?

As soon as the Equifax breach was announced, infosec experts began keeping tabs on dark web sites, waiting for huge dumps of data that might be connected to it. They waited, and waited, but the data never appeared. This gave rise to what's become a widely accepted theory: that Equifax was breached by Chinese state-sponsored hackers whose purpose was espionage, not theft.

The Bloomberg Businessweek analysis follows these lines and points to a number of additional clues beyond the fact that the stolen data never seems to have leaked. For example, recall that the initial breach on March 10 was followed by more than two months of inactivity before attackers suddenly began moving onto high-value targets within Equifax's network. Investigators believe that the first incursion was achieved by relatively inexperienced hackers who were using a readily available hacking kit that had been updated to take advantage of the Struts vulnerability, which was only a few days old at that point and easy to exploit. They may have found the unpatched Equifax server using a scanning tool and not realized how potentially valuable the company they had breached was. Eventually, unable to get much further beyond their initial success, they sold their foothold to more skilled attackers, who used a variety of techniques associated with Chinese state-backed hackers to get access to the confidential data.

And why would the Chinese government be interested in Equifax's data records? Investigators tie the attack to two other large breaches that similarly didn't result in a dump of personally identifying information on the dark web: the 2015 hack of the U.S. Office of Personnel Management, and the 2018 hack of Marriott's Starwood hotel brands. All are assumed to be part of an operation to build a huge "data lake" on millions of Americans, with the intention of using big data techniques to learn about U.S. government officials and intelligence operatives. In particular, evidence of American officials or spies who are in financial trouble could help Chinese intelligence identify potential targets of bribery or blackmail attempts.

In February of 2020, the U.S. Department of Justice formally charged four members of the Chinese military with the attack. This was an extremely rare move, since the U.S. seldom files criminal charges against foreign intelligence officers in order to avoid retaliation against American operatives, and it underscored how seriously the U.S. government took the attack.

How did Equifax handle the breach?

At any rate, once the breach was publicized, Equifax's immediate response did not win many plaudits. Among its stumbles was setting up a separate dedicated domain, equifaxsecurity2017.com, to host the site with information and resources for those potentially affected. These sorts of lookalike domains are exactly what phishing scams register, so asking customers to trust this one was a monumental failure in infosec procedure. Worse, on multiple occasions official Equifax social media accounts erroneously directed people to securityequifax2017.com instead; fortunately, the person who had snapped up that URL used it for good, directing the 200,000 (!) visitors it received to the correct site.

Meanwhile, the real equifaxsecurity2017.com breach site was judged insecure by numerous observers, and may have simply been telling everyone that they were affected by the breach whether they really were or not. Language on the site (later retracted by Equifax) implied that just by checking to see if you were affected you were giving up your right to sue over it. And in the end, if you were affected, you were directed to enroll in an Equifax ID protection service, for free, but how much do you trust the company at this point?

What happened to Equifax after the data breach?

What, ultimately, was the Equifax breach's impact? Well, the upper ranks of Equifax's C-suite rapidly turned over. Legislation sponsored by Elizabeth Warren and others that would've imposed fines on credit reporting agencies that get hacked went nowhere in the Senate.

That doesn't mean the Equifax breach cost the company nothing, though. Two years after the breach, the company said it had spent $1.4 billion on cleanup costs, including "incremental costs to transform our technology infrastructure and improve application, network, [and] data security." In June 2019, Moody's downgraded the company's financial rating in part because of the massive amounts it would need to spend on infosec in the years to come. In July 2019 the company reached a record-breaking settlement with the FTC, which wrapped up an ongoing class action lawsuit and will require Equifax to spend at least $1.38 billion to resolve consumer claims.

Was I affected by the Equifax breach?

This was a lot of anguish just to find out if you were one of the unlucky 40 percent of Americans whose data was stolen in the hack. Things have settled down in the subsequent years, and now there's a new site where you can check to see if you're affected, with yet another somewhat confusing name: eligibility.equifaxbreachsettlement.com/en/Eligibility.

That settlement eligibility website actually isn't hosted by Equifax at all; instead, it's from the FTC.

How does the Equifax settlement work?

The Equifax settlement dangles the prospect that you might get a check for your troubles, but there are some catches. The settlement mandates that Equifax compensate anyone affected by the breach with credit monitoring services; Equifax wants you to sign up for its own service, of course, and while it will also give you a $125 check to go buy those services from somewhere else, you have to show that you do have alternate coverage to get the money (though you could sign up for a free service).

More cash is available if you've actually lost money from identity theft or spent significant amounts of time dealing with the fallout, but here, too, documentation is required. And that $125 is just a maximum; it almost certainly will go down if too many people request checks.

What are the lessons learned from the Equifax breach?

If we wanted to make a case study of the Equifax breach, what lessons would we pull from it? These seem to be the big ones:

  • Get the basics right. No network is invulnerable. But Equifax was breached because it failed to patch a basic vulnerability, despite having procedures in place to make sure such patches were applied promptly. And huge amounts of data were exfiltrated unnoticed because someone neglected to renew a security certificate. Equifax had spent millions on security gear, but it was poorly implemented and managed.
  • Silos are defensible. Once the attackers were inside the perimeter, they were able to move from machine to machine and database to database. If they had been restricted to a single machine, the damage would've been much less.
  • Data governance is key, especially if data is your business. Equifax's databases could've been stingier in giving up their contents. For example, users should only be given access to database content on a need-to-know basis; giving general access to any "trusted" user means that an attacker can seize control of those user accounts and run wild. And systems need to keep an eye out for weird behavior; the attackers executed up to 9,000 database queries very quickly, which should've been a red flag.
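The last two points, need-to-know access and alerting on weird behavior, are easy to state and easy to check for in a database audit log. The Python below is an added example, not the article's or Equifax's code, that runs two detections over constructed audit-log lines in a hypothetical `ts user=... db=... table=...` format: an account touching a table outside its need-to-know allowlist, and an account issuing more queries in a sliding window than its normal job ever would. Account names, table names, the log format and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Need-to-know allowlist (hypothetical): the only tables each service account
# legitimately reads. A "trusted" account with blanket access would be empty
# here by design, and that is exactly the condition we want to surface.
ALLOWED_TABLES = {
    "report_api": {"consumers"},
    "portal_svc": {"dispute_cases"},
}

WINDOW = timedelta(seconds=60)
RATE_THRESHOLD = 25  # queries per account per window before we alert

# Constructed audit log: report_api behaves normally; portal_svc (the account
# behind a web portal like the one that was compromised) starts reading a
# credit table it never needed and hammers it, as the attackers' thousands of
# queries did.
SAMPLE_LOG = [
    "2017-05-13T02:10:00Z user=report_api db=credit table=consumers",
    "2017-05-13T02:10:30Z user=report_api db=credit table=consumers",
    "2017-05-13T02:11:00Z user=portal_svc db=portal table=dispute_cases",
] + [
    f"2017-05-13T02:12:{i:02d}Z user=portal_svc db=credit table=consumers"
    for i in range(40)
]


def parse_line(line: str) -> dict:
    """Parse 'ISO8601 key=value key=value ...' into a dict with a tz-aware ts."""
    ts_str, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect(lines, allowed=ALLOWED_TABLES, window=WINDOW,
           threshold=RATE_THRESHOLD):
    """Return a list of alert dicts for allowlist violations and query bursts."""
    windows = defaultdict(deque)   # per-account timestamps inside the window
    seen_violations = set()        # (user, table) pairs already reported
    burst_reported = set()         # accounts already reported for a burst
    alerts = []
    for line in lines:
        rec = parse_line(line)
        user, table, ts = rec["user"], rec["table"], rec["ts"]

        # Need-to-know check: report each (account, table) violation once.
        if table not in allowed.get(user, set()) and (user, table) not in seen_violations:
            seen_violations.add((user, table))
            alerts.append({"kind": "unexpected_table", "user": user,
                           "detail": table, "ts": ts})

        # Sliding-window rate check: drop timestamps older than the window,
        # then alert the first time the account exceeds the threshold.
        q = windows[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in burst_reported:
            burst_reported.add(user)
            alerts.append({"kind": "query_burst", "user": user,
                           "detail": len(q), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately crude; in practice you would baseline each account's normal rate and table set from historical logs rather than hard-code them. The point is that both signals were present in the Equifax data and neither had anything watching for it.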

Copyright © 2020 IDG Communications, Inc.