‘We’ve Been Breached’: Inside the Equifax Hack


September 17, 2017

On March 8, researchers at Cisco Systems Inc. reported an online security flaw that allowed hackers to break into servers around the internet. Cisco urged users to upgrade their systems immediately with a newly issued fix.

Equifax Inc. was among the companies using the flawed software. On Friday, it said its technology experts at the time worked to identify and patch vulnerable systems.

In late July, though, Atlanta-based Equifax discovered suspicious traffic on its system—and found the same security flaw still existed in some areas. The company’s security staff again addressed the problem, according to Equifax, but by then it was too late.

From about mid-May to July 30, hackers ransacked vast troves of information at the credit-reporting company. The breach potentially exposed about 143 million Americans’ personal information, including names, addresses, dates of birth and Social Security numbers. The revelations have shaken the company, as well as confidence in a linchpin of the financial system, and triggered a federal criminal investigation.

Much remains unknown about the hack attack and how it burrowed so deeply inside the company. Investigators, security experts and Equifax itself are focusing on what the company did or didn’t do right in the run-up to the massive intrusion, including the company’s response to the flaw found by Cisco.

Alex Holden, chief information security officer of identity-theft monitoring company Hold Security LLC, says Equifax has long been considered a target for identity thieves. Last week, Hold said it discovered it was possible to access an Equifax-operated employee portal in Argentina by using the easily guessed username and password combination “admin/admin.”

The Equifax hack has stunned many consumers, who are suddenly aware of their own vulnerability to what was long considered a necessary but largely opaque part of the country’s financial plumbing.

More than 11.5 million people have signed up for credit-monitoring offered by Equifax in response to the cyberattack. Other people have frozen their credit reports with Equifax and rivals TransUnion and Experian PLC.

Equifax Chairman and Chief Executive Richard Smith has called the crisis the “most humbling moment in our 118-year history.” Some lawmakers have called for his ouster, and investors have shrunk Equifax’s stock-market value by about $6 billion, or more than a third, in the past 10 days.

Although investigators are still grappling with who might be behind the Equifax break-in, the scale of the breach, sophistication of the hack and nature of the stolen data all point toward a state-sponsored actor, says a person familiar with the investigation.

The breach bears similarities to the attack disclosed last year by Yahoo Inc.

In March, the Justice Department charged two officers of Russia’s Federal Security Service, alleging the Yahoo hack was part of an information-collection operation. A Russian official said the charges were part of an attempt to raise “the theme of ‘Russian hackers’ in the domestic political squabbles in the U.S.”

“Credit bureaus are the tracks that the [credit] trains run on, and we should make sure those roads and tracks are sound if we’re going to run a whole economy over them,” said Louis Hyman, a consumer-credit historian at Cornell University.

On Sept. 7, Equifax said it had discovered the data breach July 29. There are signs that the problem took root long before then.

Cisco security researchers reported March 8 that hackers had found a flaw in Apache Struts, a widely used piece of open-source software for building interactive websites. The software is well suited to websites where customers need to complete online forms. At Equifax, Apache Struts powers part of the website where consumers can dispute errors in credit reports.

The vulnerability reported by Cisco would allow hackers to break into a company by sending a server specially crafted data that takes advantage of the flaw. It was the digital equivalent of popping open a side window to sneak into a building.

The Apache Software Foundation, the nonprofit that oversees the Struts project, issued a patch for the problem the same day. Two days later, the U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security, sent out a notice about the vulnerability.

Cisco said its investigation found “a high number” of examples where the hack had been used. In an update Friday, Equifax said its security organization was “aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

Apache Struts is used by many financial firms. One of those firms asked companies it sends data to, and receives data from, if they had shored up their vulnerability with the new security patch, people familiar with the matter say. Equifax was one of the companies asked about the patch—and at the time, said it didn’t have an issue, these people say.
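The question those firms were asking each other, whether every copy of Struts has been patched, is only answerable with a complete inventory, and Equifax’s own account is that some copies were missed. The script below is an added example, not code from the article, Equifax, Cisco or the Apache project. It walks a directory tree, finds Struts 2 core jars both loose on disk and bundled inside .war/.ear archives (where web applications usually carry them), and flags any version below the fixed release for its branch. The article does not name the flaw; the March 8, 2017 Struts advisory is S2-045 (CVE-2017-5638), and the fixed versions it lists, 2.3.32 and 2.5.10.1, are used here as the thresholds. Treat that version table as an assumption to confirm against the advisory, and the sample files the script builds as constructed test data.

```python
"""Inventory Apache Struts 2 core jars under a directory tree, including jars
bundled inside .war/.ear archives, and flag any below the fixed releases.

Added example; not Equifax's, Cisco's or Apache's code. The fixed-version
table is taken from the Struts S2-045 advisory (assumption: verify it)."""
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum fixed release per maintenance branch (per S2-045; verify yourself).
FIXED: Dict[Tuple[int, int], Version] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Matches a Struts 2 core jar by basename, on disk or as an archive member path.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")
ARCHIVE_EXT = (".war", ".ear", ".zip")


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1). Tuple ordering compares correctly,
    including 2.5.10 < 2.5.10.1, which a plain string compare gets wrong."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: Version) -> Optional[bool]:
    """True if below the fix for its branch, False if at or above it,
    None if the branch is not in the table (flag for manual review)."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def jars_in_archive(path: str) -> Iterator[Tuple[str, str]]:
    """Yield (member path, version string) for Struts core jars inside a war/ear/zip."""
    with zipfile.ZipFile(path) as archive:
        for member in archive.namelist():
            match = JAR_RE.search(member)
            if match:
                yield member, match.group(1)


Finding = Tuple[str, str, Optional[bool]]  # (location, version, vulnerable?)


def scan_tree(root: str) -> List[Finding]:
    """Walk root and report every Struts core jar found loose or inside an archive."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            match = JAR_RE.search(name)
            if match:
                ver = match.group(1)
                findings.append((path, ver, is_vulnerable(parse_version(ver))))
            elif name.lower().endswith(ARCHIVE_EXT) and zipfile.is_zipfile(path):
                for member, ver in jars_in_archive(path):
                    findings.append((f"{path}!{member}", ver, is_vulnerable(parse_version(ver))))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample data: empty jar files plus one war, for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    os.makedirs(os.path.join(root, "lib"))
    for name in ("struts2-core-2.3.20.jar", "struts2-core-2.5.10.1.jar", "commons-io-2.5.jar"):
        open(os.path.join(root, "lib", name), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "dispute.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"")
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
    return root


if __name__ == "__main__":
    for location, version, vulnerable in scan_tree(build_sample_tree()):
        status = {True: "VULNERABLE", False: "patched", None: "UNKNOWN BRANCH"}[vulnerable]
        print(f"{status:15} {version:10} {location}")
```

The 2.5.10 jar inside the war is the case that matters: a host can look clean when only loose jars are checked, and 2.5.10 sorts below 2.5.10.1 only if versions are compared numerically. Run this on every host that serves the application, not just the ones listed in an asset database, since an unrecorded copy is exactly the kind that stays unpatched.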

Soon, though, other companies started to see suspicious activity. One large firm that links credit-card networks, merchants and lenders saw a spike in fraudulent activity from late May to early June, according to people familiar with the matter.

The firm was getting phone calls from people who said they had an account there and provided all four pieces of personal information typically needed for identity verification: name, address, date of birth and Social Security number. Equifax has said the same type of information was exposed.

Callers then asked the large firm to change the bank-deposit number for what they claimed was their business, people familiar with the matter say. The callers said the change was needed because they had changed banks.

The firm usually gets about a dozen such calls per year, but it was suddenly getting a dozen per week, these people say. The firm determined that the people weren’t who they claimed to be but had no idea what was behind the leap in fraudulent calls.

After Equifax disclosed its data breach, the other firm realized that the two sets of events were likely linked, say people familiar with the firm. Call volume at the firm has declined to normal levels.

Credit-reporting companies such as Equifax are vast repositories of financial information. They often receive data when someone applies for credit, gets a loan and makes payments. The data builds up credit history and feeds credit scores, compiled by separate companies.

Equifax began as a local firm that gathered and published information about the paying habits of retail store customers. It grew by buying rivals and became a nationwide company. When Mr. Smith, a General Electric Co. veteran, became CEO in 2005, Equifax was a staid company centered on the collection of credit data, according to comments he made last month at a University of Georgia event.

Mr. Smith changed that. Equifax branched out to become a larger data provider, purchasing companies that had information about consumers’ bill-paying habits and salary information for employees at large companies.

Equifax is now a “world-class, state-of-the-art” technology and data-analysis company, he said at the event last month. Every day, Equifax manages 1,200 times as much data as is in the Library of Congress, he added. “It’s been a fun journey, a journey that we’re all very, very proud of,” Mr. Smith said.

But that data makes credit-reporting companies a tempting target for hackers. In 2015, Experian found that an unauthorized party had accessed T-Mobile data on its server, as well as records containing names, addresses, Social Security numbers, dates of birth and identification numbers.

Some people in the credit-reporting and information-security industries say Equifax appeared to be using a centralized system for some data, which might have made its information more vulnerable.

Other companies have moved to systems that spread out consumers’ personal data in different places. If there is a security breach, the chances of hackers getting all the data in one swoop are much lower, the people added.

Equifax said in its latest annual report that it is “regularly” a target of cyber threats and has made “substantial investment” in security measures.

Jeff Dodge, an Equifax investor-relations official, said at a conference last November that “data security, and how we go about ensuring that, is something we spend a lot of time and effort on.”

On July 29, the company’s security team observed “suspicious network traffic associated with its U.S. online dispute portal web application,” according to an Equifax press release. The security team blocked the suspicious traffic, and an internal review continued.

Equifax then discovered the attack involved the Apache Struts vulnerability, according to the company. Equifax hasn’t explained why its earlier efforts to address the vulnerability failed. Equifax said its security team patched the software before bringing the web application back online.

The bug exploited by hackers was “known and could have been fixed and patched,” says Ted Schlein, general partner at venture-capital firm Kleiner Perkins Caufield & Byers, a major technology investor. Mr. Schlein also is a former executive at cybersecurity firm Symantec Corp. “If you are the purveyor and keeper of that much sensitive information, it’s just terrible that you wouldn’t have the highest security standards,” he adds.

In an update Friday, Equifax said that while it “fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing.”

On Aug. 2, Equifax brought in Mandiant, the well-known cyber-investigations division of FireEye Inc., which investigated Yahoo’s data breach. As Mandiant began combing through the digital wreckage, Equifax executives decided to hold off on making an announcement until they had more clarity on the number of people affected and the types of information that were compromised, according to a person familiar with the matter.

Three Equifax officials, including the company’s finance chief, sold a total of about $1.8 million in stock Aug. 1 and 2, according to securities filings. Equifax has said they didn’t know about the breach at the time of the stock sales.

In public, Equifax took a business-as-usual attitude. Investor-relations officials met with shareholders in Newport, R.I., New York, Boston and three other cities. In materials provided to investors, Equifax said it aimed to be “a trusted steward and advocate for our customers and consumers.”

In the weeks after being called in, Mandiant told Equifax that the damage from the attack could be widespread, possibly affecting about 50 million accounts, said a person familiar with the matter.

On Aug. 17, Mr. Smith spoke at the University of Georgia event in Atlanta. After his prepared remarks, someone in the audience asked: What about data fraud?

“It’s my No. 1 worry, obviously,” Mr. Smith said, according to a video of the event. “There’s an old saying that there’s those companies that have been breached and know it, and those companies that have been breached and don’t know it.”

A few weeks after its initial assessment, Mandiant told Equifax the hit was far larger than Mandiant first thought, a person familiar with the matter says.

Behind the scenes, Equifax was preparing for when to go public about the breach. On Aug. 22, Equifax registered a new internet domain name, equifaxsecurity2017.com, which became the company’s website for consumers to learn more about the breach.

Hackers claiming to have credit-card data from Equifax attempted to sell their database in August in online forums, says Andrew Komarov, an independent security researcher. No sale has been made, though, he says.

Equifax said as part of the breach announcement that credit-card numbers for around 209,000 U.S. consumers were stolen, too. Those cards likely belong to people who previously bought credit-monitoring services from Equifax in hope of securing an additional layer of protection from fraud, according to people familiar with the matter.

Equifax decided to make its announcement about the cyberattack after the end of regular stock trading on Sept. 7. Just before the company issued its press release, one top Equifax executive called an industry executive.

“I want you to hear this from me before you hear it from someone else,” the Equifax executive said, according to a person familiar with the conversation. “We’ve been breached.”