How hackers pulled off the biggest consumer breach of 2017

Ethan Wolff-Mann
Senior Writer

A year ago, credit rating agency Equifax (EFX) announced 146.6 million consumers’ private information was breached. The information contained Social Security numbers for 145.5 million of these people, leaving most of these victims looking over their shoulders in constant fear of identity theft.

Credit card information of 209,000 people, phone numbers of 20.3 million, and even passport photos of 3,200 people were accessed, according to SEC filings. Soon after the theft was announced, the company took more heat for funneling people whose data had been compromised into a product that would potentially strip them of their right to sue the company.

The breach came via a cybersecurity gap stemming from a web application, which, according to Verizon research, is the most common situation when data is breached. But little was known about the details and next to nothing about what happened to all the data that was exposed.

But on Sept. 7, the first anniversary of the Equifax hack, the Government Accountability Office released more information that sheds some light on what Sen. Elizabeth Warren (D-Mass.) called “a business model that rewards their failure to protect personal information.” (Equifax sells credit monitoring and locking services.)

FILE- This July 21, 2012, file photo shows signage at the corporate headquarters of Equifax Inc. in Atlanta. On Wednesday, March 28, 2018, Equifax announced that Mark Begor will become its CEO as the credit reporting company continues to try to recover from fallout surrounding a massive data breach. (AP Photo/Mike Stewart, File)

One key piece of information: Equifax turned down help from the Department of Homeland Security in favor of a private alternative to deal with damage control. The report also noted the company does business with the federal government’s IRS, Social Security Administration, and USPS, but only one contract, with the IRS, had been terminated since the breach last year.

How the breach happened

The report also explained how the breach occurred. On March 8, 2017, the United States Computer Emergency Readiness Team had publicly identified a vulnerability in a certain type of common server software. Two days later, the attackers, still unidentified, had scanned Equifax’s servers, trawling them for software containing this vulnerability.

They found it on a server that was part of Equifax’s “online dispute portal” and the attackers figured out it could be used to gain access to the system. Two months later, in May, the attackers began extracting the data. “Equifax officials stated that the attackers were able to disguise their presence by blending in with regular activity on the network,” the report said.

The company discovered the breach on July 29 and took action to plug the holes 76 days after the breach began. Equifax had been unable to detect the breach sooner, because it had been using an expired security certificate, “meaning that encrypted traffic was not being inspected throughout that period.”

To analyze how many people had been affected, Equifax ran commands similar to those the hackers had run.

Self-regulation from a company that lost your data

There’s been no legislation following the Equifax debacle, though Sen. Mark Warner (D-Va.) joined Warren on a doomed bill to punish companies that don’t protect consumers’ security.

The company, however, has done some self-regulation. The GAO reported that Equifax has taken measures to address the breach’s causes: identifying vulnerable servers, new management processes, more security tools, and a new structure to communicate problems and risk to senior management. The company’s progress was not independently assessed by the GAO.

Despite this trove of information, the GAO noted that the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have an ongoing investigation of Equifax. The investigation may answer more questions as to where the data is, who took the data, and how this can really be prevented in the future.

Many of the larger questions, like how companies that compromise your information should be punished and what best practices should be for data protection and notification, are unanswerable by anyone other than Congress.

But to date, the legislative branch has yet to tackle reform of credit agencies like Equifax, Experian, and TransUnion that most people use indirectly through their participation in the American financial system of credit. (It has, however, given consumers free credit freezes and concessions to Equifax.)

“Now that we know even more about what led to the Equifax breach, it is critical that we develop serious and concrete proposals to help the American people-who repeatedly suffer the consequences of these devastating cyberattacks-and address the failures of those entrusted with securing their personal information,” Rep. Elijah Cummings (D-Md.), ranking member of the House Committee on Oversight and Government Reform, said in a statement.

Unfortunately, the Republican-controlled Congress does not appear to share Cummings’s concerns enough to act. A year after the Equifax breach, shock value has worn down consumers, leaving them wondering whether a lack of data privacy is just one of the facts of life.

Ethan Wolff-Mann is a writer at Yahoo Finance focusing on consumer issues, retail, personal finance, and more. Follow him on Twitter @ewolffmann.
