Five Things to Know about the US’s Worst Consumer Data Breach
On September 7, 2017, the Big 3 credit agency Equifax disclosed that they had suffered a catastrophic data breach, with initial estimates saying data was stolen from north of 140 million American consumers. Immediately, the news sent chills throughout the US economy. After all, Equifax and competitors such as Experian and TransUnion are custodians of a tremendous amount of the exact data that keeps online fraudsters in business.
Forecasts of the damage, alongside the discomfort of knowing one’s data had been exposed, quickly led to changes at Equifax, prompted investigations by the Federal Bureau of Investigation and other authorities, and made headlines as never before. All of it was warranted: the Equifax event came too close to home, with virtually every American adult with an account at a consumer bank affected. Even today, people doubt that another breach could match it in scope and severity.
Here are five things you need to know about the Equifax data breach, the US’s worst consumer data breach.
1. Equifax suffered an initial breach followed by a significant intrusion.
In all, hackers were active inside Equifax’s systems for 76 days. Forensic analysis, however, revealed that the attack was two-stage and likely carried out by two separate teams of intruders. On March 6, 2017, Chinese security researcher Nike Zheng disclosed a vulnerability in Apache Struts, backend software many companies use for public-facing web applications. Once Zheng’s finding, tracked as CVE-2017-5638, was posted for the benefit of Apache and enterprise users, the “patch now” news made its way around message boards where hackers saw it. As they scanned for Apache Struts users, they found Equifax and, perhaps not understanding its value, entered its systems on May 12th. Equifax, which still had not updated Struts by the intrusion date, discovered the 76-day breach on July 29, 2017. Once inside, the initial team installed one or more web shells but struggled to navigate the network and get past firewalls and other elements of the security framework. Forensic data shows that another group then entered the system and, using 30 web shells under different addresses, sought consumer data by, among other methods, abusing the credentials of legitimate Equifax users (see corporate account takeover, or CATO).
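Two defensive checks follow from this account: whether a deployment is still running a Struts build in the range CVE-2017-5638 affects, and whether request logs show the exploit's telltale, an OGNL expression inside a Content-Type header where no legitimate client would put one. The script below is an added example written for this article, not code from the page, from Apache, or from Equifax's investigation. The JSON Lines log format, the endpoint paths and the source addresses are constructed; the affected version ranges come from the Apache S2-045 advisory for CVE-2017-5638 rather than from the article, and treating Content-Disposition and Content-Length as watched headers alongside Content-Type is an assumption.

```python
"""Flag HTTP requests whose multipart headers carry OGNL expression markers,
the pattern used against Apache Struts in CVE-2017-5638, and check whether a
Struts version string falls in the affected range. Added example; the log
format, hosts and addresses are constructed."""
import json
import re
from typing import Dict, Iterable, List, NamedTuple, Tuple

# OGNL expressions are delimited by %{...} or ${...}. A legitimate Content-Type
# value never contains either, so the marker alone is a strong signal.
OGNL_MARKER = re.compile(r"[%$]\{")

# Content-Type is the header named for CVE-2017-5638; watching the other two
# multipart headers as well is an assumption made for this example.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")


class Finding(NamedTuple):
    ts: str
    src: str
    path: str
    header: str
    value: str


# Constructed request log (JSON Lines, one request per line). Standard access
# logs omit request headers, so in practice these fields would come from a WAF
# or reverse proxy configured to log them. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
{"ts": "2017-05-13T03:14:07Z", "src": "203.0.113.5", "method": "GET", "path": "/", "headers": {"User-Agent": "Mozilla/5.0"}}
{"ts": "2017-05-13T03:14:09Z", "src": "203.0.113.5", "method": "POST", "path": "/upload.action", "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"}}
{"ts": "2017-05-13T03:15:42Z", "src": "198.51.100.23", "method": "POST", "path": "/login.action", "headers": {"Content-Type": "%{(#constructed='marker only, not a working payload')}"}}
"""


def scan_request(record: dict) -> List[Finding]:
    """Return one Finding per watched header that carries an OGNL marker."""
    findings = []
    for name, value in record.get("headers", {}).items():
        if name.lower() in WATCHED_HEADERS and OGNL_MARKER.search(str(value)):
            findings.append(Finding(record["ts"], record["src"], record["path"],
                                    name.lower(), str(value)[:80]))
    return findings


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Scan JSON Lines; malformed lines are skipped so one bad record
    cannot stop the monitor."""
    out: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        out.extend(scan_request(record))
    return out


# Affected ranges per Apache advisory S2-045 (not stated on the page):
# Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 / 2.5.10.1.
AFFECTED_RANGES: Tuple[Tuple[tuple, tuple], ...] = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)


def _parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_struts(version: str) -> bool:
    """True when the version string lies inside an affected range.
    Tuple comparison handles the four-part fixed release 2.5.10.1 correctly."""
    v = _parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} {f.path}: OGNL marker in {f.header} header: {f.value!r}")
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(f"Struts {v}: {'AFFECTED, patch now' if is_affected_struts(v) else 'not affected'}")
```

Run against the constructed log, only the third request is flagged; the benign multipart upload with its ordinary boundary parameter passes. The version check is the piece that matters most in hindsight, since the article's point is that the patch existed for two months before the intrusion.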
2. Equifax’s breached data is among the most valuable to criminals.
Equifax’s bread and butter is consumer financial information that it collects free of charge from banks as people at all income levels have their creditworthiness checked; it analyzes and repackages that data for lenders and others throughout the market for loanable funds. At a minimum, this data contains personally identifiable information (PII) — information that people are loath to disclose to strangers even in conversation. A breathtaking amount of, by definition, sensitive financial information and PII was exfiltrated: data on 147.9 million Americans, 15.2 million UK citizens, and 19,000 Canadian citizens. A subset of the American data included credit card numbers for 209,000 US consumers and other documents displaying PII. For its holder, the information enables account takeover (ATO) and other kinds of fraud, since it comprises an identity profile. According to Equifax’s initial analysis, the data typically included first and last names, Social Security numbers, birth dates and addresses, as well as driver’s license numbers for some and the aforementioned bankcard numbers for some.
3. Equifax learned of the breach through poor encryption management.
Equifax is blamed for its poor security posture, especially given its size and the kind of data it handles. One shortcoming, however, is glaring: Equifax had neglected to renew a public-key certificate from a certificate authority for at least 10 months before discovering the breach. Renewal is a routine task that anyone operating web services needs to perform, and a rather mundane duty for security practitioners. PKI certificates enable data in transit to be encrypted and decrypted between trusted parties, but they require annual renewal. Once Equifax made its tardy renewal, it regained visibility into the illicit movement of its data, as certificates give their owner the ability to inspect that traffic.
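A lapse of ten months is the kind of thing a scheduled expiry audit catches in its first week. The script below is an added example written for this article, not Equifax's tooling or anything from the page. It classifies certificates by days remaining before their notAfter date using only the Python standard library, with a constructed inventory of endpoint names and dates, an assumed 30-day renewal window, and the article's breach-discovery date (July 29, 2017) as the fixed clock for the worked run; the live fetch function shows where a real notAfter value would come from.

```python
"""Certificate-expiry audit that flags lapsed and soon-to-lapse certificates.
Added example, not Equifax's or anyone's production code. The inventory,
host names and dates below are constructed; the renewal window is assumed."""
import socket
import ssl
import time
from typing import Dict, Iterable, Optional, Tuple

RENEWAL_WINDOW_DAYS = 30  # assumed policy: renew at least 30 days before notAfter

# Constructed inventory of (endpoint, notAfter) pairs, written in the exact
# string format that ssl.SSLSocket.getpeercert()["notAfter"] returns.
INVENTORY = [
    ("tls-inspection.example.test", "Sep 20 00:00:00 2016 GMT"),  # lapsed ~10 months ago
    ("www.example.test", "Aug 15 00:00:00 2017 GMT"),             # 17 days left
    ("api.example.test", "Jul 29 00:00:00 2018 GMT"),             # a year left
]

# Fixed reference clock for the worked run: the breach-discovery date from the article.
REFERENCE_NOW = ssl.cert_time_to_seconds("Jul 29 00:00:00 2017 GMT")


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days from `now` (default: wall clock) until the certificate's notAfter.
    Negative means the certificate has already expired."""
    if now is None:
        now = time.time()
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after: str, now: Optional[float] = None) -> str:
    """EXPIRED, RENEW_SOON (inside the renewal window) or OK."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= RENEWAL_WINDOW_DAYS:
        return "RENEW_SOON"
    return "OK"


def audit(inventory: Iterable[Tuple[str, str]], now: Optional[float] = None) -> Dict[str, str]:
    """Classify every endpoint in the inventory."""
    return {name: classify(not_after, now) for name, not_after in inventory}


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live variant: read notAfter from a real endpoint (needs network access).
    With the default verifying context, an already-expired certificate fails the
    handshake with ssl.SSLCertVerificationError, which is itself the alert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    for name, status in audit(INVENTORY, REFERENCE_NOW).items():
        print(f"{name:32} {status}")
```

Scheduled daily, the audit turns a silent lapse into a ticket a month before it happens; the only operational choice is the window, which should be longer than the slowest renewal process in the organization.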
4. Equifax had a poor security posture, and there are several examples.
In addition to allowing a PKI certificate to lapse, postmortem investigation and analysis confirmed that pre-breach Equifax had other security shortcomings that may have facilitated or worsened the breach. These range from failures to properly segment data, which would have prevented its wholesale loss, to a reported practice of giving users broad permissions rather than restricting them from viewing or managing data above their “pay grade” (see the principle of least privilege). In addition, as part of a change in corporate leadership that predated the breach, the company hired a well-known firm to evaluate its security posture, and records show the relationship soured as the external party raised widespread security concerns. Others point to specific weaknesses in intrusion detection, but altogether, deficiencies around privacy abounded, with visible display and audible discussion of consumer PII being the norm. As expected, post-breach Equifax invested considerable resources — $1.4 billion — in fortifying its defense of what should be closely held data.
5. Equifax was attacked by China in a state-sponsored attack on the US.
In February 2020, the US Government indicted members of the Chinese People’s Liberation Army for the attack on Equifax (though the Chinese Communist Party denied their involvement). Forensic evidence from the breach supports the conclusion that China was involved, and so does circumstantial evidence. For one, the data never appeared en masse on the dark web, where it could have been leveraged for millions or even billions of dollars in financial fraud in the breach’s aftermath. This points to an advanced persistent threat such as a nation-state, since a well-heeled adversary has no need for financial gain such as through credit card, mortgage, or property theft. Investigators note that the Equifax tactics bear the hallmarks of other CCP attacks, such as the 2015 intrusions at the US Office of Personnel Management (OPM) and health insurer Anthem, Inc. Barring financial gain, what then would be the motive? Experts postulate that the attackers could analyze the information on so many American and western targets for strategic decision-making, that they were targeting a high-net-worth subset of all the Equifax victims, or that they were looking for financially vulnerable persons in positions of authority whom they could lean on to betray US interests.
On July 22, 2019, Equifax settled with the US Federal Trade Commission (FTC) and various states, territories and authorities on penalties, victims’ compensation and how to avoid future breaches. The total cost of the settlement was around $575 million. The damage to its reputation was incalculable, with a breach of trust commensurate with the breach of records. Additionally, in the immediate aftermath of the breach, Equifax was mocked and vilified for its incident response, which saw it stumbling out of the gate, and it even faced allegations of insider trading by those looking to skirt their financial losses. It will take many years for people to associate the name Equifax with something other than “massive data breach”.