In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.
As we’ll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from their lax security posture to their bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape.
Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data.
Most of the discussion in this section and the subsequent one comes from two documents: A detailed report from the U.S. General Accounting Office, and an in-depth analysis from Bloomberg Businessweek based on sources inside the investigation. A top-level picture of how the Equifax data breach happened looks like this:
To understand how exactly all these crises intersected, let’s take a look at how the events unfolded.
The crisis began in March of 2017. In that month, a vulnerability, dubbed CVE-2017-5638, was discovered in Apache Struts, an open source development framework for creating enterprise Java applications that Equifax, along with thousands of other websites, uses. If attackers sent HTTP requests with malicious code tucked into the Content-Type header, Struts could be tricked into executing that code, potentially opening up the system Struts was running on to further intrusion. On March 7, the Apache Software Foundation released a patch for the vulnerability; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn’t. Equifax’s IT department ran a series of scans that were supposed to identify unpatched systems on March 15; there were in fact multiple vulnerable systems, including the aforementioned web portal, but the scans seem not to have worked, and none of the vulnerable systems were flagged or patched.
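Because CVE-2017-5638 was triggered through the Content-Type header, one defensive check is to validate that header against the media-type grammar before the application parses it, and to flag requests that fail. The following is an added example, not code from the article or from Apache or Equifax; the log format, addresses and header values are constructed, and the flagged values are placeholders rather than working payloads.

```python
"""Flag HTTP requests whose Content-Type header is not a well-formed media type."""
import re
from typing import List, Tuple

# RFC 7230 "token": tchar = ! # $ % & ' * + - . ^ _ ` | ~ DIGIT ALPHA
# Braces, parentheses and whitespace are not tchars, so expression syntax
# such as "%{...}" can never appear in a valid type, subtype or parameter.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*\s*$"
)
# Expression-language openers; checked separately only so the verdict says why.
_EXPR_MARKERS = ("%{", "${", "#{")


def classify_content_type(value: str) -> str:
    """Return 'ok', 'expression-marker' or 'malformed' for one header value."""
    if any(marker in value for marker in _EXPR_MARKERS):
        return "expression-marker"
    if not _MEDIA_TYPE.match(value):
        return "malformed"
    return "ok"


# Constructed access-log format: <ts> <client> <method> <path> ct="<Content-Type>"
_LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ct="(.*)"$')


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, path, verdict) for every line whose header is not 'ok'."""
    findings = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; real tooling should count these too
        _ts, client, _method, path, content_type = m.groups()
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            findings.append((client, path, verdict))
    return findings


# Constructed sample lines (not real traffic); marker values are placeholders.
SAMPLE_LOG = [
    '2017-03-10T02:14:07Z 198.51.100.7 POST /portal/upload ct="multipart/form-data; boundary=----constructedBoundary"',
    '2017-03-10T02:14:09Z 198.51.100.7 POST /portal/login ct="application/x-www-form-urlencoded"',
    '2017-03-10T02:15:31Z 203.0.113.44 POST /portal/upload ct="%{#constructed_expression_marker}"',
    '2017-03-10T02:15:32Z 203.0.113.44 POST /portal/upload ct="multipart/form-data; boundary=(unquoted)"',
    '2017-03-10T02:16:00Z 192.0.2.9 GET /portal/status ct="text/plain; charset=utf-8"',
]

if __name__ == "__main__":
    for client, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {verdict}")
```

A check like this belongs in a WAF or detection rule as a stopgap and a source of telemetry; the actual fix for the page's scenario is applying the vendor patch.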
While it isn’t clear why the patching process broke down at this point, it’s worth noting what was happening at Equifax that same month, according to Bloomberg Businessweek: Unnerved by a series of incidents in which criminals had used Social Security numbers stolen from elsewhere to log into Equifax sites, the credit agency had hired the security consulting firm Mandiant to assess their systems. Mandiant warned Equifax about multiple unpatched and misconfigured systems, and the relationship devolved into acrimony within a few weeks.
Forensics analyzed after the fact revealed that the initial Equifax data breach date was March 10, 2017: that was when the web portal was first breached via the Struts vulnerability. However, the attackers don’t seem to have done much of anything immediately. It wasn’t until May 13, 2017 — in what Equifax referred to in the GAO report as a “separate incident” — that attackers began moving from the compromised server into other parts of the network and exfiltrating data in earnest. (We’ll revisit this time gap later, as it’s important to the question of who the attackers were.)
From May through July of 2017, the attackers were able to gain access to multiple Equifax databases containing information on hundreds of millions of people; as noted, a number of poor data governance practices made their romp through Equifax’s systems possible. But how were they able to remove all that data without being noticed? We’ve now arrived at another egregious Equifax screwup. Like many cyberthieves, Equifax’s attackers encrypted the data they were moving in order to make it harder for admins to spot; like many large enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to re-encrypt that traffic, these tools need a public-key certificate, which is purchased from third parties and must be annually renewed. Equifax had failed to renew one of their certificates nearly 10 months previously — which meant that encrypted traffic wasn’t being inspected.
The expired certificate wasn’t discovered and renewed until July 29, 2019, at which point Equifax administrators almost immediately began noticing all that previously obfuscated suspicious activity; this was when Equifax first knew about the breach.
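The inspection gap described above came from a certificate that had been expired for months, which a routine inventory check would have surfaced. The following is an added example, not code from the article or from Equifax: it parses expiry dates in the `notAfter` format that Python's `ssl` module returns from `getpeercert()` and reports expired or soon-to-expire certificates; the device names and dates are constructed.

```python
"""Flag expired or soon-to-expire certificates in a device inventory."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Format used by ssl.SSLSocket.getpeercert()["notAfter"], e.g. "Jan 31 23:59:59 2017 GMT"
NOT_AFTER_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_not_after(value: str) -> datetime:
    """Parse a getpeercert()-style notAfter string into an aware UTC datetime."""
    return datetime.strptime(value, NOT_AFTER_FMT).replace(tzinfo=timezone.utc)


def cert_status(not_after: str, now: datetime, warn_days: int = 30) -> Tuple[str, int]:
    """Return (status, days_remaining); days_remaining is negative once expired."""
    remaining = (parse_not_after(not_after) - now).days
    if remaining < 0:
        return "EXPIRED", remaining
    if remaining <= warn_days:
        return "EXPIRING", remaining
    return "OK", remaining


def check_inventory(
    inventory: Dict[str, str], now: datetime, warn_days: int = 30
) -> List[Tuple[str, str, int]]:
    """Return (device, status, days) for every certificate that is not OK, worst first."""
    findings = []
    for device, not_after in inventory.items():
        status, days = cert_status(not_after, now, warn_days)
        if status != "OK":
            findings.append((device, status, days))
    return sorted(findings, key=lambda finding: finding[2])


# Constructed inventory: device name -> notAfter of the certificate it presents.
SAMPLE_INVENTORY = {
    "tls-inspect-01": "Jan 31 23:59:59 2017 GMT",  # constructed: expired months ago
    "tls-inspect-02": "Aug 15 23:59:59 2017 GMT",  # constructed: inside the warning window
    "proxy-edge-01": "Mar 10 23:59:59 2018 GMT",   # constructed: healthy
}

if __name__ == "__main__":
    check_time = datetime(2017, 7, 29, tzinfo=timezone.utc)
    for device, status, days in check_inventory(SAMPLE_INVENTORY, check_time):
        print(f"{device}: {status} ({days} days)")
```

Run against a real inventory, the `notAfter` values would come from each device's presented certificate; the point is that the check runs on a schedule, not only when traffic stops being inspected.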
It took another full month of internal investigation before Equifax publicized the breach, on September 8, 2017. Many top Equifax executives sold company stock in early August, raising suspicions that they had gotten ahead of the inevitable decline in stock price that would ensue when all the information came out. They were cleared, though one lower-level exec was charged with insider trading.
Equifax specifically traffics in personal data, and so the information that was compromised and spirited away by the attackers was quite in-depth and covered a huge number of people. It potentially affected 143 million people — more than 40 percent of the population of the United States — whose names, addresses, dates of birth, Social Security numbers, and driver’s license numbers were exposed. A small subset of the records — on the order of about 200,000 — also included credit card numbers; this group probably consisted of people who had paid Equifax directly in order to see their own credit report.
This last factor is somewhat ironic, as the people concerned enough about their credit score to pay Equifax to look at it also had the most personal data stolen, which could lead to fraud that would then damage their credit score. But a funny thing happened as the nation braced itself for the wave of identity theft and fraud that seemed inevitable after this breach: it never happened. And that has everything to do with the identity of the attackers.
As soon as the Equifax breach was announced, infosec experts began keeping tabs on dark web sites, waiting for huge dumps of data that might be connected to it. They waited, and waited, but the data never appeared. This gave rise to what’s become a widely accepted theory: that Equifax was breached by Chinese state-sponsored hackers whose purpose was espionage, not theft.
76 days: Amount of time during which the attackers were active within Equifax’s networks without being discovered
143 million: Number of consumers whose data was potentially affected by the breach
$125: The most you can expect to get in compensation if your data was exfiltrated from Equifax’s systems
$1.4 billion: Amount Equifax has spent on upgrading its security in the wake of the incident
0: Number of fraud or identity theft cases that can be traced back to this incident
The Bloomberg Businessweek analysis follows these lines and points to a number of additional clues beyond the fact that the stolen data never seems to have leaked. For instance, recall that the initial breach on March 10 was followed by more than two months of inactivity before attackers began abruptly moving onto high-value targets within Equifax’s network. Investigators believe that the first incursion was achieved by relatively inexperienced hackers who were using a readily available hacking kit that had been updated to take advantage of the Struts vulnerability, which was only a few days old at that point and easy to exploit. They may have found the unpatched Equifax server using a scanning tool and not realized how potentially valuable the company they had breached was. Eventually, unable to get much further beyond their initial success, they sold their foothold to more skilled attackers, who used a variety of techniques associated with Chinese state-backed hackers to get access to the confidential data.