Equifax data breach FAQ: What happened, who was affected, what was the impact?

In 2017, attackers exfiltrated hundreds of millions of customer records from the credit reporting agency. Here's a timeline of the security lapses that allowed the breach to happen and the company's response.

Table of Contents
  • How did the Equifax breach happen?
  • When did the Equifax breach happen?
  • What data was compromised and how many people were affected?
  • Who was responsible for the Equifax data breach?
  • How did Equifax handle the breach?
  • What happened to Equifax after the data breach?
  • Was I affected by the Equifax breach?
  • How does the Equifax settlement work?
  • What are the lessons learned from the Equifax breach?


In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.

As we'll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from its lax security posture to its bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape.

How did the Equifax breach happen?

Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data.

Most of the discussion in this section and the subsequent one comes from two documents: a detailed report from the U.S. Government Accountability Office (GAO), and an in-depth analysis from Bloomberg Businessweek based on sources inside the investigation. A top-level picture of how the Equifax data breach happened looks like this:

  • The company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.
  • The attackers were able to move from the web portal to other servers because the systems weren't adequately segmented from one another, and they were able to find usernames and passwords stored in plain text that then allowed them to access still further systems.
  • The attackers pulled data out of the network in encrypted form, undetected for months, because Equifax had failed to renew an encryption certificate on one of its internal security tools, so encrypted traffic was passing through uninspected.
  • Equifax did not publicize the breach until more than a month after it discovered what had happened; stock sales by top executives around this time gave rise to accusations of insider trading.

To understand how exactly all these crises intersected, let's take a look at how the events unfolded.

When did the Equifax breach happen?

The crisis began in March of 2017. In that month, a vulnerability, dubbed CVE-2017-5638, was discovered in Apache Struts, an open source development framework for creating enterprise Java applications that Equifax, along with thousands of other websites, uses. If attackers sent HTTP requests with malicious code tucked into the Content-Type header (the framework's Jakarta Multipart parser evaluated OGNL expressions embedded in that header), Struts could be tricked into executing that code, potentially opening up the system Struts was running on to further intrusion. On March 7, the Apache Software Foundation released a patch for the vulnerability; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn't. Equifax's IT department ran a series of scans that were supposed to identify unpatched systems on March 15; there were in fact multiple vulnerable systems, including the aforementioned web portal, but the scans seem not to have worked, and none of the vulnerable systems were flagged or patched.
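Two checks a defender could have run that same week, written here as an added example rather than anything from the GAO report, Bloomberg's reporting or Equifax itself: a version test against the affected ranges published in Apache's S2-045 advisory for CVE-2017-5638, and a scan of web-server request logs for Content-Type values that carry OGNL expression markers or are simply not well-formed media types. The log format, the sample lines and the marker list are constructed for this example; the marker list is a heuristic, not an Apache signature.

```python
import re

# Struts versions listed as affected in Apache's S2-045 advisory for CVE-2017-5638;
# the fixed releases were 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))

# OGNL expression markers that never belong in a Content-Type value (heuristic list).
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|#context|@java\.|ognl", re.IGNORECASE)

# A well-formed media type with optional parameters (RFC 7231 grammar, simplified).
MEDIA_TYPE = re.compile(r'^[\w.+-]+/[\w.+-]+(?:\s*;\s*[\w.-]+=(?:"[^"]*"|[^;\s"]+))*\s*$')

# Constructed log format for this example: <client> <method> <path> "<Content-Type>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def struts_version_affected(version):
    """True if a dotted Struts version falls inside an S2-045 affected range."""
    parts = tuple(int(p) for p in version.split("."))
    parts = parts + (0,) * (3 - len(parts))       # "2.5" compares as 2.5.0
    return any(lo <= parts <= hi for lo, hi in AFFECTED_RANGES)


def content_type_reason(value):
    """Return why a Content-Type value looks hostile, or None if it looks benign."""
    if not value or value == "-":                 # header absent on this request
        return None
    if OGNL_MARKERS.search(value):
        return "OGNL expression markers in Content-Type"
    if not MEDIA_TYPE.match(value):
        return "Content-Type is not a well-formed media type"
    return None


def scan_requests(lines):
    """Return one finding per logged request whose Content-Type is suspicious."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        client, method, path, ctype = m.groups()
        reason = content_type_reason(ctype)
        if reason:
            findings.append({"client": client, "method": method, "path": path, "reason": reason})
    return findings


# Constructed sample: two benign requests, two carrying OGNL in the header,
# and one whose header is simply not a media type.
SAMPLE_LOG = """
203.0.113.7 POST /consumer/complaint "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
203.0.113.7 GET /index.html "-"
198.51.100.23 POST /consumer/complaint "%{(#_='multipart/form-data').(#test=1)}"
198.51.100.23 POST /consumer/complaint "${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']}"
192.0.2.9 POST /api/upload "application/json"
192.0.2.44 POST /consumer/complaint "multipart/form-data;; boundary (x)"
""".strip().splitlines()


if __name__ == "__main__":
    print("2.3.31 affected:", struts_version_affected("2.3.31"))   # True
    print("2.3.32 affected:", struts_version_affected("2.3.32"))   # False
    for finding in scan_requests(SAMPLE_LOG):
        print(finding)
```

The well-formedness test is the more durable of the two: marker lists go stale as payloads are reworded, but a Content-Type that does not parse as a media type has no legitimate reason to exist, so the same grammar can be enforced at a reverse proxy or WAF as a blocking rule while the log scan covers what already got through.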

While it isn't clear why the patching process broke down at this point, it's worth noting what was happening at Equifax that same month, according to Bloomberg Businessweek: Unnerved by a series of incidents in which criminals had used Social Security numbers stolen from elsewhere to log into Equifax sites, the credit agency had hired the security consulting firm Mandiant to assess its systems. Mandiant warned Equifax about multiple unpatched and misconfigured systems, and the relationship devolved into acrimony within a few weeks.

Forensics conducted after the fact revealed that the initial Equifax data breach date was March 10, 2017: that was when the web portal was first breached via the Struts vulnerability. However, the attackers don't seem to have done much of anything immediately. It wasn't until May 13, 2017, in what Equifax referred to in the GAO report as a "separate incident," that attackers began moving from the compromised server into other parts of the network and exfiltrating data in earnest. (We'll revisit this time gap later, as it's important to the question of who the attackers were.)

From May through July of 2017, the attackers were able to gain access to multiple Equifax databases containing information on hundreds of millions of people; as noted, a number of poor data governance practices made their romp through Equifax's systems possible. But how were they able to remove all that data without being noticed? We've now arrived at another egregious Equifax screwup. Like many cyberthieves, Equifax's attackers encrypted the data they were moving in order to make it harder for admins to spot; like many big enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to decrypt and re-encrypt that traffic, these tools need a public-key certificate, which is purchased from a third party and must be renewed annually. Equifax had failed to renew one of its certificates nearly 10 months previously, which meant the inspection device could no longer do its job and encrypted traffic was passing through uninspected.

The expired certificate wasn't discovered and renewed until July 29, 2017, at which point Equifax administrators almost immediately began noticing all that previously obfuscated suspicious activity; this was when Equifax first knew about the breach.
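An expiry check of the kind that would have caught the lapsed inspection certificate months earlier, added here as an example and not drawn from Equifax's tooling or the GAO report. It pulls the validity period out of a PEM certificate with a minimal DER walker (only the TBSCertificate fields up to validity are touched), so it runs offline; the two certificates it checks are constructed fixtures that have the right field layout but are not real, signed X.509 certificates. The dates are the ones from the story: a certificate that lapsed about ten months before the July 29, 2017 discovery.

```python
import base64
from datetime import datetime, timezone


def _der(tag, body):
    """Minimal DER TLV encoder; used only to build the constructed fixtures below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _read_tlv(buf, pos):
    """Read one DER element at `pos`; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY < 50 means 20YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:                       # otherwise it must be GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_not_after(pem):
    """Extract notAfter from a PEM certificate by walking TBSCertificate up to validity."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, certificate, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(certificate, 0)           # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = list(_children(fields[3][1]))
    return _parse_time(*not_after)


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_until_expiry(pem, now=None):
    now = now or datetime.now(timezone.utc)
    return (certificate_not_after(pem) - now).days


def certificate_status(pem, now=None, warn_days=30):
    """EXPIRED / EXPIRING / OK: the three states a monitoring check should page on differently."""
    days = days_until_expiry(pem, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"


def make_fixture_pem(not_after_utctime):
    """Constructed fixture: the TBSCertificate field layout a real certificate has up to
    validity, with empty issuer/subject and a dummy signature. Not a valid X.509 cert."""
    validity = _der(0x30, _der(0x17, b"160101000000Z") + _der(0x17, not_after_utctime))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))   # version v3
                     + _der(0x02, b"\x01")              # serialNumber
                     + _der(0x30, b"")                  # signature algorithm (empty)
                     + _der(0x30, b"")                  # issuer (empty)
                     + validity
                     + _der(0x30, b""))                 # subject (empty)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed fixtures: one that lapsed on 1 October 2016, one good until 15 March 2018.
LAPSED_PEM = make_fixture_pem(b"161001000000Z")
VALID_PEM = make_fixture_pem(b"180315000000Z")

if __name__ == "__main__":
    discovered = utc_date(2017, 7, 29)
    print(certificate_status(LAPSED_PEM, discovered), days_until_expiry(LAPSED_PEM, discovered))   # EXPIRED -301
    print(certificate_status(VALID_PEM, discovered), days_until_expiry(VALID_PEM, discovered))     # OK 229
```

The same `certificate_status` call works on a real certificate exported from the inspection appliance; the useful part is the EXPIRING state, which is what turns a silent lapse into a ticket before the device starts passing traffic it cannot read. A production check should lean on a full X.509 library rather than this walker, which deliberately ignores everything after the validity field.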

It took another full month of internal investigation before Equifax publicized the breach, on September 8, 2017. Several top Equifax executives sold company stock in early August, raising suspicions that they had gotten ahead of the inevitable decline in stock price that would ensue when all the information came out. They were cleared, though one lower-level exec was charged with insider trading.

What data was compromised and how many people were affected?

Equifax specifically traffics in personal data, and so the information that was compromised and spirited away by the attackers was quite in-depth and covered a huge number of people. It potentially affected 143 million people (more than 40 percent of the population of the United States) whose names, addresses, dates of birth, Social Security numbers, and driver's license numbers were exposed. A small subset of the records, on the order of about 200,000, also included credit card numbers; this group probably consisted of people who had paid Equifax directly in order to see their own credit report.

This last factor is somewhat ironic, as the people concerned enough about their credit score to pay Equifax to look at it also had the most personal data stolen, which could lead to fraud that would then damage their credit score. But a funny thing happened as the nation braced itself for the wave of identity theft and fraud that seemed inevitable after this breach: it never happened. And that has everything to do with the identity of the attackers.

Who was responsible for the Equifax data breach?

As soon as the Equifax breach was announced, infosec experts began keeping tabs on dark web sites, waiting for huge dumps of data that might be connected to it. They waited, and waited, but the data never appeared. This gave rise to what's become a widely accepted theory: that Equifax was breached by Chinese state-sponsored hackers whose purpose was espionage, not theft.

The Bloomberg Businessweek analysis follows these lines and points to a number of additional clues beyond the fact that the stolen data never seems to have leaked. For instance, recall that the initial breach on March 10 was followed by more than two months of inactivity before attackers began abruptly moving onto high-value targets within Equifax's network. Investigators believe that the first incursion was achieved by relatively inexperienced hackers who were using a readily available hacking kit that had been updated to take advantage of the Struts vulnerability, which was only a few days old at that point and easy to exploit. They may have found the unpatched Equifax server using a scanning tool and not realized how potentially valuable the company they had breached was. Eventually, unable to get much further beyond their initial success, they sold their foothold to more skilled attackers, who used a variety of techniques associated with Chinese state-backed hackers to gain access to the confidential data.

And why would the Chinese government be interested in Equifax's data records? Investigators tie the attack to two other big breaches that similarly didn't result in a dump of personally identifying information on the dark web: the 2015 hack of the U.S. Office of Personnel Management, and the 2018 hack of Marriott's Starwood hotel brands. All are assumed to be part of an operation to build a huge "data lake" on millions of Americans, with the intention of using big data techniques to learn about U.S. government officials and intelligence operatives. In particular, evidence of American officials or spies who are in financial trouble could help Chinese intelligence identify potential targets of bribery or blackmail attempts.

In February 2020, the United States Department of Justice formally charged four members of the Chinese military with the attack. This was an extremely rare move (the U.S. rarely files criminal charges against foreign intelligence officers, in order to avoid retaliation against American operatives) that underscored how seriously the U.S. government took the attack.

How did Equifax handle the breach?

At any rate, once the breach was publicized, Equifax's immediate response did not win many plaudits. Among its stumbles was setting up a separate dedicated domain, equifaxsecurity2017.com, to host the site with information and resources for those potentially affected. Lookalike domains of this sort are exactly what phishing campaigns register, so asking customers to trust this one was a glaring failure in infosec process. Worse, on multiple occasions official Equifax social media accounts erroneously directed people to securityequifax2017.com instead; fortunately, the person who had snapped up that URL used it for good, directing the 200,000 (!) visitors it received to the right site.

Meanwhile, the real equifaxsecurity2017.com breach site was judged insecure by numerous observers, and may have just been telling everyone that they were affected by the breach whether they really were or not. Language on the site (later retracted by Equifax) implied that merely checking to see if you were affected meant that you were giving up your right to sue over it. And in the end, if you were affected, you were directed to enroll in an Equifax ID protection service, for free, but how much do you trust the company at this point?

What happened to Equifax after the data breach?

What, ultimately, was the Equifax breach's impact? Well, the upper ranks of Equifax's C-suite rapidly turned over. Legislation sponsored by Elizabeth Warren and others that would've imposed fines on credit-reporting agencies that get hacked went nowhere in the Senate.

That doesn't mean the Equifax breach cost the company nothing, though. Two years after the breach, the company said it had spent $1.4 billion on cleanup costs, including "incremental costs to transform our technology infrastructure and improve application, network, [and] data security." In June 2019, Moody's downgraded the company's financial rating in part because of the massive amounts it would need to spend on infosec in the years to come. In July 2019 the company reached a record-breaking settlement with the FTC, which wrapped up an ongoing class action lawsuit and will require Equifax to spend at least $1.38 billion to resolve consumer claims.

Was I affected by the Equifax breach?

This was a lot of anguish just to find out if you were one of the unlucky 40 percent of Americans whose information was stolen in the hack. Things have settled down in the subsequent years, and now there's a new site where you can check to see if you're affected, with yet another somewhat confusing name: eligibility.equifaxbreachsettlement.com/en/Eligibility.

That settlement eligibility website actually isn't hosted by Equifax at all; instead, it's from the FTC.

How does the Equifax settlement work?

The Equifax settlement dangles the prospect that you might get a check for your troubles, but there are some catches. The settlement mandates that Equifax compensate anyone affected by the breach with credit monitoring services; Equifax wants you to sign up for its own service, of course, and while it will also give you a $125 check to go buy those services from somewhere else, you have to show that you do have alternate coverage to get the money (though you could sign up for a free service).

More cash is available if you've actually lost money from identity theft or spent significant amounts of time dealing with the fallout, but here, too, documentation is required. And that $125 is just a maximum; it almost certainly will go down if too many people request checks.

What are the lessons learned from the Equifax breach?

If we wanted to make a case study of the Equifax breach, what lessons would we pull from it? These seem to be the big ones:

  • Get the basics right. No network is invulnerable. But Equifax was breached because it failed to patch a basic vulnerability, despite having procedures in place to make sure such patches were applied promptly. And huge amounts of data were exfiltrated unnoticed because someone neglected to renew a security certificate. Equifax had spent millions on security gear, but it was poorly implemented and managed.
  • Silos are defensible. Once the attackers were inside the perimeter, they were able to move from machine to machine and database to database. If they had been restricted to a single machine, the damage would've been much less.
  • Data governance is key, especially if data is your business. Equifax's databases could've been stingier in giving up their contents. For instance, users should only be given access to database content on a "need to know" basis; giving general access to any "trusted" users means that an attacker who seizes control of those user accounts can run wild. And systems need to keep an eye out for weird behavior; the attackers executed up to 9,000 database queries very quickly, which should've been a red flag.
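The last point, that 9,000 rapid queries should have been a red flag, is the easiest of the three to turn into a concrete control. What follows is an added example, not Equifax's code and not part of the GAO report: a per-account sliding-window rate detector run over database audit-log lines. The log format is constructed for the example, as is the sample log, which mixes a trickle of ordinary application queries with a burst of record pulls from one service account.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed audit-log line format for this example (not Equifax's format):
#   <ISO-8601 UTC timestamp> <database account> <statement>
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_audit_line(line):
    ts_text, account, statement = line.split(" ", 2)
    ts = datetime.strptime(ts_text, TS_FORMAT).replace(tzinfo=timezone.utc)
    return ts, account, statement


def detect_query_bursts(lines, window_seconds=60, threshold=100):
    """Flag each account the first time it issues `threshold` or more queries inside
    any `window_seconds`-long sliding window. The 9,000 queries in the story would
    trip this at any sane threshold; the default is low so the sample below fires."""
    events = sorted(parse_audit_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)          # account -> timestamps still inside the window
    alerts, alerted = [], set()
    for ts, account, statement in events:
        window = recent[account]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()             # drop timestamps that have aged out of the window
        if len(window) >= threshold and account not in alerted:
            alerted.add(account)
            alerts.append({"account": account, "at": ts,
                           "queries_in_window": len(window), "sample": statement})
    return alerts


def build_sample_log():
    """Constructed log: six spaced-out queries from the web app, then 150 record pulls
    from one service account at five per second, all on the same night."""
    base = datetime(2017, 5, 13, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.strftime(TS_FORMAT)} app_web SELECT status FROM disputes WHERE id = ?")
    for i in range(150):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.strftime(TS_FORMAT)} svc_report SELECT name, ssn, dob FROM consumers WHERE id = ?")
    return lines


if __name__ == "__main__":
    for alert in detect_query_bursts(build_sample_log()):
        print(alert)
```

The threshold belongs per account, not global: a reporting job that legitimately runs thousands of queries overnight gets its own baseline, while an interactive or web-facing account that suddenly behaves like a bulk exporter is exactly the case the page describes. Narrowing the window is the knob that separates a sustained pull from a short legitimate spike, which the last assertion below exercises.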

Copyright © 2022 IDG Communications, Inc.