Not all anniversaries are happy, and this is the case with the Equifax hack. More than a year ago, Equifax revealed that hackers got their hands on the personal data of around 147.7 million Americans from their servers. On a Thursday afternoon, Equifax revealed that hackers were able to infiltrate their network, stealing the names, birthdates, addresses, and Social Security numbers of customers that affected over half of the population of the US.
Although there have been numerous breaches that happened since then, only a few caused panic like the Equifax breach. The large scale of affected Americans, most of whom didn’t even sign up with the credit monitoring company, marked a new low at a time when hacks became more common. Even after a year, lawmakers are upset that Equifax didn’t face legal repercussions, even when the company had a new team trying to win back the trust of the nation.
Shortly following the disclosure, Rick Smith, the CEO of Equifax back then, apologized through a video. Consumers took to social media, particularly about the broken website of Equifax as millions of users tried to determine if the breach affected them in any way.
During the anniversary of the Equifax hack, lawmakers released a PDF report that detailed exactly how the breach happened.
Government Accountability Office was the one that made the report. They were an agency that offers investigative and auditing services for Congess. They reviewed Equifax’s documents and files from the cybersecurity consultant of the company to determine how the hack happened and what other services can do to keep themselves protected from such breaches.
The group also found out that Equifax declined the assistance offered by Department of Homeland Security and opted instead for a third party private security company to help them in managing the breach response.
The attack process began on the 10th of March 2017 when hackers searched online for servers with some vulnerabilities as warned by the US-CERT about a couple of days earlier. After two months, on the 13th of May, the hackers hit the jackpot with the dispute portal of Equifax where people go to argue on claims.
This is where hackers used the Apache Struts vulnerability, an issue running on for months that Equifax was aware of but wasn’t able to fix. The hackers gained access to the login credentials for a total of three servers. They discovered that the credentials let them access 48 servers more that contain personal data.
The hackers spent 76 days in the network of Equifax before they got detected. Based on the report, the hackers stole data one piece at a time from 51 databases to avoid raising any alarms.
Equifax had no idea of the attack until the 29th of July, over two months later, and was able to cut off access to hackers the next day, 30th of July.
Since then, the company stated that they have implemented a brand new management system for handling vulnerability updates and for verifying the issuance of the patch.