Equifax: A Massive Data Breach at a Consumer Reporting Agency
Equifax is one of the three major consumer reporting agencies that assemble information about consumers’ financial accounts and creditworthiness. The company sells this information in the form of credit reports to various businesses such as banks that the consumer has approached to obtain a credit card or mortgage. The bank then uses this information to decide whether or not to approve the application, and what interest rate should be assigned. People with excellent credit can usually obtain loans at favorable interest rates, while those whose credit report includes damaging information, such as late payments or bankruptcies, may be denied or charged higher rates. The information these agencies maintain on each individual is extensive, to say the least, coming from financial institutions, utility companies, cell phone service providers, public records, and various government sources.
On July 29, 2017, Equifax employees discovered that their dispute resolution system, the system that consumers use to report any inaccurate information on their credit reports, had been hacked. The vulnerability that the attackers exploited was in open source software called Apache Struts Web Framework. The hackers first scanned the web for vulnerable servers, then homed in on any that had not yet been patched to fix the security flaw. Once they gained entrance, they used various techniques to disguise and hide their activities on the company’s servers, such as encrypting their own traffic so Equifax’s scanning software could not detect the intrusion, and extracting the data in small increments to avoid attracting attention. Over a period of several months, massive amounts of data were taken on over 145 million people in the United States and millions more in the United Kingdom (Figure 10.26).
Figure 10.26 Analysis of how attackers exploited vulnerabilities at Equifax. From Government Accounting Office Report 18-559 (www.gao.gov/assets/700/694158.pdf).
A sequential flow from the attackers through the web and Equifax dispute portal servers to the database is shown in the illustration.
At each of these levels, the various techniques used by the attackers in the data breach process are described in the order given below:
Attackers scan the web for vulnerable folders.
Attackers find a vulnerability within the Equifax portal servers.
Dispute resolution documents containing personally identifiable information.
Login credentials.
Data extraction extends over 76 days.
Attackers slowly extract data from 51 databases in small increments to help avoid detection.
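The small-increment extraction described above is exactly the pattern a per-transfer volume alarm misses. The following detector, added here as an example and not part of the original text or of any Equifax tooling, sums outbound transfers per source/destination pair over a sliding window and flags pairs whose transfers are each individually small but cumulatively large; the log format, hosts and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-connection log (not real Equifax data):
# one line per flow, "timestamp,src_ip,dst_ip,bytes_out".
# 10.0.5.21 sends twelve 90 KB transfers to one external host over three days;
# 10.0.5.22 makes two ordinary small requests to a different host.
SAMPLE_LOG = "\n".join(
    [f"2017-05-{13 + i // 4}T{2 + 6 * (i % 4):02d}:10:00,10.0.5.21,203.0.113.7,90000"
     for i in range(12)]
    + ["2017-05-13T09:00:00,10.0.5.22,203.0.113.9,4200",
       "2017-05-14T09:05:00,10.0.5.22,203.0.113.9,3900"]
)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            flows.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def find_slow_exfil(flows, per_flow_cap=100_000, window=timedelta(days=7), window_total=1_000_000):
    """Return {(src, dst): (flow_count, total_bytes)} for pairs whose transfers are each
    below per_flow_cap (so no single-transfer alarm fires) yet sum to window_total or more
    within some span no longer than `window`. Large single transfers are left to volume alarms."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if nbytes < per_flow_cap:
            by_pair[(src, dst)].append((ts, nbytes))
    hits = {}
    for pair, recs in by_pair.items():
        recs.sort()
        start, total = 0, 0
        for end, (ts, nbytes) in enumerate(recs):
            total += nbytes
            # Drop records from the left until the window spans at most `window`.
            while ts - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            if total >= window_total:
                hits[pair] = (end - start + 1, total)
    return hits


if __name__ == "__main__":
    for (src, dst), (n, total) in find_slow_exfil(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src} -> {dst}: {n} small transfers totalling {total} bytes")
```

In production the thresholds would be tuned per host role, and the same aggregation would run over the decrypted traffic an inspection device produces; if that device cannot decrypt, as the text notes for Equifax, the byte counts are still visible even when the payload is not.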
Equifax took the compromised server offline, but by then the damage had been done. The Chief Security Officer informed the Equifax CEO about the attack, and the company took a number of measures to better protect the information systems. But Equifax did not publicly disclose the breach for several months, when it issued a press release informing the public and explaining the types of information involved, including Social Security numbers, drivers’ license numbers, financial information, birthdates, and more.
The uproar that followed brought on numerous investigations and lawsuits. How could a company that was charged with protecting so much private information have allowed such an immense security breach, one that affected nearly half the country? Several reasons were identified:
Equifax failed to apply a critical patch to vulnerable software, a patch that should have been applied in March 2017. The company had no formal policy and no reliable tracking mechanism to ensure that patches were properly applied.
Equifax failed to update SSL security certificates, which ensure that the server’s encryption technology is up to date.
Passwords maintained in the databases were not encrypted.
Equifax’s response to the breach has been criticized, especially for the delay in reporting. The company has taken major steps to prioritize information security and develop a culture and policies that will help prevent breaches in the future. Equifax also offered free credit monitoring and created an easy means for consumers to lock and unlock their credit reports. But the overwhelming scale of this breach is a reminder that companies should never put cybersecurity on the back burner.
Sources: Actions Needed to Strengthen Oversight of Consumer Reporting Agencies. (2019). GAO Reports, 1–42, http://search.ebscohost.com/login.aspx?direct=true&db=bsu&AN=135580669&site=ehost-live&scope=site, accessed June 7, 2019.
do Rego Barros, P. (September 27, 2017). On behalf of Equifax, I’m sorry. Wall Street Journal, www.wsj.com/articles/on-behalf-of-equifax-im-sorry-1506547253, accessed June 7, 2019.
Equifax Website: Frequently Asked Questions – Cybersecurity Incident & Important Consumer Information (n.d.), retrieved May 22, 2019, from the 2017 Cybersecurity Incident & Important Consumer Information website: www.equifaxsecurity2017.com/frequently-asked-questions/, accessed June 7, 2019.
Ferguson, S. (2019). Congressional report rips Equifax for weak security. Bank Info Security, www.bankinfosecurity.com/congressional-report-rips-equifax-for-weak-security-a-12355, accessed June 7, 2019.
Heller, M. (2019). Equifax hack “entirely preventable.” CFO, 35(1), 25–25, http://search.ebscohost.com/login.aspx?direct=true&db=bsu&AN=135134447&site=ehost-live&scope=site, accessed June 7, 2019.
Shi, F. (2018). A year after the Equifax breach, what security lessons have been learned? Information-Management.Com, 1–1, http://search.ebscohost.com/login.aspx?direct=true&db=bsu&AN=130361159&site=ehost-live&scope=site, accessed June 7, 2019.