
2017 Equifax data breach

Published: 2025-04-24 18:47 UTC. Last updated: 2025-04-24 18:47 UTC.



The Equifax Data Breach of 2017: A Case Study in Corporate Cybersecurity Failure

The 2017 data breach at Equifax, one of the United States' largest credit reporting agencies, stands as a stark reminder of the potential consequences of inadequate cybersecurity practices. This incident, compromising the sensitive personal data of nearly 150 million people, is widely regarded as one of the most significant cybersecurity failures in history due to the volume and sensitivity of the data lost, the nature of the organization holding it, and the subsequent handling of the crisis.

Understanding the Players: What is a Credit Bureau?

Credit Bureau (or Credit Reporting Agency): A company that collects and maintains consumer credit information, such as borrowing and repayment history, and sells this information to lenders, employers, insurers, and other businesses in the form of a credit report. This data is used to assess an individual's creditworthiness. Equifax is one of the three major credit bureaus in the United States, alongside Experian and TransUnion.

Equifax's role as a repository of highly sensitive personal and financial data makes it a prime target for cybercriminals and, potentially, state-sponsored actors. A breach at such an entity has far-reaching and long-lasting implications for the affected individuals.

Background: The Stage is Set for Failure

The seeds of the Equifax breach were sown long before the actual intrusion. An internal audit conducted by Equifax in 2015 revealed significant systemic weaknesses in the company's IT security posture. These included:

  • A large backlog of unaddressed security vulnerabilities: Known flaws in software or systems were not being fixed promptly.
  • Lack of adherence to patching schedules: The company had policies for applying security updates (patches), but they were not consistently followed.
  • No comprehensive asset inventory: Equifax IT staff lacked a complete and accurate list of all their IT assets (servers, applications, databases, etc.), making it impossible to know where vulnerabilities existed or what needed patching.
  • No criticality-based patching: Security patches were not prioritized based on the severity of the vulnerability or the importance of the IT asset they affected.
  • An "honor system" for patching: The process relied on IT staff manually applying patches without strict enforcement or automated verification, leading to inconsistencies and missed updates.

Despite the audit outlining necessary actions to improve security, many of these fundamental issues remained unresolved by the time of the breach two years later. This demonstrated a significant organizational failure in prioritizing and implementing essential security controls.

Adding to this precarious state, a critical security vulnerability was discovered in a widely used web application framework called Apache Struts.

Apache Struts: An open-source framework used by developers to build enterprise-level Java web applications. Frameworks like Struts provide standardized structures and tools, speeding up development. However, a vulnerability in a framework used across many applications can provide a single point of attack for numerous potential targets.

A critical patch to fix this specific vulnerability in Apache Struts was released on March 7, 2017. Users were strongly urged to update immediately. Security experts observed malicious actors scanning the internet for systems that had not applied this crucial patch as early as March 10, 2017, indicating that the vulnerability was actively being sought and exploited in the wild.
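The audit findings above (no asset inventory, no criticality-based prioritisation, an "honor system" for patching) and the March 7 Struts patch that went unapplied for two months describe a process problem, so here is what the missing process looks like in code. This is an added example, not code from Equifax or from the original article: host names, version strings, SLA values and the second advisory are constructed sample data, while the patch release date and the intrusion date are taken from the text.

```python
"""Inventory-driven patch triage with automated verification.

Added example, not code from Equifax or the original article. It models the
controls the 2015 audit found missing: a complete asset inventory, patches
prioritised by asset criticality and flaw severity, and verification from
observed versions rather than an 'honor system'. Host names, version
strings, SLA values and the second advisory are constructed; the Struts
patch date (2017-03-07) and intrusion date (2017-05-12) are from the text.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str          # version observed on the host by an agent or scanner
    criticality: int      # 1 (low) .. 4 (stores or fronts regulated PII)
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str    # first version that contains the fix
    severity: int         # 1 .. 4 (critical)
    released: date
    exploited_in_wild: bool


# Hypothetical remediation SLAs, in days from advisory release, per priority.
SLA_DAYS = {4: 3, 3: 14, 2: 30, 1: 90}
INTRUSION_DATE = date(2017, 5, 12)   # the day the text says the intrusion began


def parse_version(v: str) -> tuple:
    """'2.3.31' -> (2, 3, 31): compare numerically, never as strings."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_version))


def priority(asset: Asset, adv: Advisory) -> int:
    """Criticality-based prioritisation: asset value and severity combined,
    raised when the flaw is being exploited or the asset faces the internet."""
    score = (asset.criticality + adv.severity) // 2
    score += 1 if adv.exploited_in_wild else 0
    score += 1 if asset.internet_facing else 0
    return max(1, min(4, score))


def triage(assets, advisories, today: date) -> list:
    """Open patch backlog, highest priority and most overdue first.

    Working from observed versions means a host whose owner reported it
    patched but never did stays on the list: verification, not honour.
    """
    backlog = []
    for asset in assets:
        for adv in advisories:
            if not is_vulnerable(asset, adv):
                continue
            prio = priority(asset, adv)
            deadline = adv.released + timedelta(days=SLA_DAYS[prio])
            backlog.append({"host": asset.host, "product": adv.product,
                            "installed": asset.version, "fixed_in": adv.fixed_version,
                            "priority": prio, "deadline": deadline,
                            "days_overdue": (today - deadline).days})
    backlog.sort(key=lambda f: (f["priority"], f["days_overdue"]), reverse=True)
    return backlog


def inventory_gaps(assets, discovered_hosts) -> set:
    """Hosts seen on the network that the inventory does not know about.

    Anything here is never triaged at all, which is what 'no comprehensive
    asset inventory' costs in practice.
    """
    return set(discovered_hosts) - {a.host for a in assets}


# Constructed inventory (as observed by a scanner) and advisories.
ASSETS = [
    Asset("dispute-web-01", "apache-struts", "2.3.31", 4, True),
    Asset("dispute-web-02", "apache-struts", "2.3.32", 4, True),
    Asset("intranet-wiki", "apache-struts", "2.3.20", 1, False),
    Asset("build-server", "jenkins", "2.46", 2, False),
]
ADVISORIES = [
    Advisory("apache-struts", "2.3.32", 4, date(2017, 3, 7), True),
    Advisory("jenkins", "2.50", 2, date(2017, 4, 1), False),
]
# Hosts reported by a (constructed) network discovery scan.
DISCOVERED = {"dispute-web-01", "dispute-web-02", "intranet-wiki",
              "build-server", "legacy-dispute-web"}

if __name__ == "__main__":
    for f in triage(ASSETS, ADVISORIES, INTRUSION_DATE):
        print(f"P{f['priority']} {f['host']:16} {f['product']} {f['installed']}"
              f" -> {f['fixed_in']}  overdue {f['days_overdue']}d")
    print("not in inventory:", inventory_gaps(ASSETS, DISCOVERED))
```

Run on the intrusion date, the internet-facing dispute server comes out as priority 4 and 63 days past its 3-day SLA, while the host the scan found but the inventory never listed is reported separately, because no amount of prioritisation helps an asset nobody knows exists.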

The Critical Failure Point: Exploiting a Vulnerability

The actual intrusion began on May 12, 2017. The attackers exploited the known Apache Struts vulnerability on an Equifax website used for handling consumer credit disputes. This website, despite the critical patch being available since March 7, had not been updated.

This technical lapse, failing to apply a readily available and critical security patch, served as the initial entry point. The vulnerability allowed the attackers to execute malicious code on the server hosting the vulnerable application.

Once inside, the attackers didn't stop there. They demonstrated sophisticated capabilities by moving laterally within the network:

  1. They obtained internal credentials belonging to Equifax employees. Worryingly, analysis later indicated that some high-access accounts may have used default usernames and passwords ("admin") and lacked two-factor authentication, allowing attackers to gain seemingly legitimate access.

    Internal Credentials: Usernames and passwords used to access internal company systems and resources. Compromising these allows attackers to impersonate authorized users.

    Two-Factor Authentication (2FA): A security process in which a user provides two different authentication factors to verify themselves. This typically involves something the user knows (like a password) and something the user has (like a mobile phone to receive a code) or something the user is (like a fingerprint). Lack of 2FA on critical accounts leaves them vulnerable even if a password is stolen or guessed.

  2. Using these compromised credentials, they accessed and queried credit monitoring databases, appearing as authorized users, which helped them evade immediate detection.

  3. They used encryption to further mask their database searches, making it harder for security tools to spot their malicious activity within the network traffic.

  4. They performed over 9,000 scans of the databases to identify valuable information.

  5. To extract the data without triggering large data transfer alerts, they extracted information into small temporary archives, exfiltrated these archives from Equifax servers, and then deleted the archives to cover their tracks.

    Exfiltration: The unauthorized transfer of data from a computer or network. Attackers often use stealthy techniques to move stolen data out of the target environment without detection.

This intrusion went undetected for 76 days, a period spanning from May 12 to July 29, 2017, highlighting severe deficiencies in Equifax's intrusion detection capabilities.
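The exfiltration technique described above (many small archives, each below whatever a "large transfer" alert fires on) and the thousands of database queries are both things a detection rule that aggregates over time can catch even when a per-event rule cannot. The following is an added example, not Equifax's tooling or code from the article: the log format, host names, addresses (RFC 5737 documentation ranges stand in for external hosts), thresholds and timings are all constructed.

```python
"""Detecting low-and-slow exfiltration and query bursts in constructed logs.

Added example, not Equifax tooling or code from the article. A per-transfer
size alert misses data split into many small archives; aggregating bytes per
source host and external destination over a sliding window catches it. The
same window is applied to per-account database query rates. Log format,
host names, addresses, thresholds and timings are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

PER_TRANSFER_ALERT_BYTES = 50 * 1024 * 1024   # the classic "large transfer" rule
AGGREGATE_ALERT_BYTES = 100 * 1024 * 1024     # cumulative per (src, dst) in WINDOW
QUERY_RATE_ALERT = 100                        # queries per account in WINDOW
WINDOW = timedelta(hours=1)
# Assumed internal address space; transfers that stay inside it are not exfil.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """'<iso-ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def peak_in_window(timestamps, values, window) -> int:
    """Largest sum of `values` within any span of length `window` (two-pointer sweep)."""
    events = sorted(zip(timestamps, values))
    best = total = lo = 0
    for ts, value in events:
        total += value
        while events[lo][0] < ts - window:
            total -= events[lo][1]
            lo += 1
        best = max(best, total)
    return best


def detect(lines) -> list:
    """Return (kind, subject, destination, measure) alerts for the log lines."""
    alerts = []
    transfers = defaultdict(list)   # (src, dst) -> [(ts, bytes)]
    queries = defaultdict(list)     # user -> [ts]
    for rec in map(parse_line, lines):
        if rec["event"] == "net_tx" and not is_internal(rec["dst"]):
            size = int(rec["bytes"])
            if size >= PER_TRANSFER_ALERT_BYTES:
                alerts.append(("large_transfer", rec["src"], rec["dst"], size))
            transfers[(rec["src"], rec["dst"])].append((rec["ts"], size))
        elif rec["event"] == "db_query":
            queries[rec["user"]].append(rec["ts"])
    for (src, dst), events in transfers.items():
        peak = peak_in_window([t for t, _ in events], [n for _, n in events], WINDOW)
        if peak >= AGGREGATE_ALERT_BYTES:
            alerts.append(("aggregate_exfil", src, dst, peak))
    for user, stamps in queries.items():
        peak = peak_in_window(stamps, [1] * len(stamps), WINDOW)
        if peak >= QUERY_RATE_ALERT:
            alerts.append(("query_burst", user, "", peak))
    return alerts


def build_sample_log() -> list:
    """Constructed events: a day of baseline activity, then a staged incident."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        "2017-06-02T09:00:00Z event=db_query user=svc_dispute db=credit_monitor rows=12",
        "2017-06-02T09:40:00Z event=db_query user=svc_dispute db=credit_monitor rows=7",
        "2017-06-02T10:05:00Z event=net_tx src=dispute-web-01 dst=203.0.113.10 bytes=2097152",
        # large but internal replication traffic: outside the scope of the exfil rules
        "2017-06-02T11:30:00Z event=net_tx src=dispute-web-01 dst=10.20.3.4 bytes=734003200",
    ]
    start = datetime(2017, 6, 3, 2, 0, 0)
    for i in range(150):   # 150 queries from one account in 25 minutes
        ts = (start + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f"{ts} event=db_query user=svc_dispute db=credit_monitor rows=500")
    for i in range(40):    # 40 archives of 4 MiB, each under the per-transfer threshold
        ts = (start + timedelta(minutes=30, seconds=45 * i)).strftime(fmt)
        lines.append(f"{ts} event=net_tx src=dispute-web-01 dst=198.51.100.7 bytes=4194304")
    return lines


def run_sample() -> list:
    return detect(build_sample_log())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log the per-transfer rule never fires, while the windowed rules report 160 MiB leaving for one external host within the hour and 150 queries from a single account in the same period. In production the thresholds would come from a measured baseline per host and account rather than the constants used here.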

The Data Compromised: The Scale of the Damage

The sheer volume and sensitivity of the data stolen made this breach particularly damaging. The compromised information was precisely the kind needed to commit identity theft, including:

  • Names
  • Social Security Numbers (SSNs): A unique identifier critical for financial, medical, and legal purposes in the U.S. Their exposure is extremely serious.
  • Birth Dates
  • Addresses
  • Driver's License Numbers (in some cases)
  • Credit Card Numbers (for approximately 209,000 U.S. consumers)
  • Certain dispute documents containing Personally Identifiable Information (PII) (for approximately 182,000 U.S. consumers)

Personally Identifiable Information (PII): Any data that can be used to identify a specific individual. This can include names, addresses, dates of birth, Social Security numbers, and other unique identifiers. PII is highly valuable to criminals for identity theft and fraud.

Initially, Equifax estimated 143 million Americans were affected. This number was later revised upwards to 147.9 million. Residents of the United Kingdom and Canada were also affected, approximately 15.2 million and 19,670, respectively.

The Discovery: An Accidental Revelation

The breach was finally discovered on July 29, 2017, not by sophisticated security monitoring designed to detect intrusions, but almost accidentally. An Equifax IT team updated a Secure Sockets Layer (SSL) certificate for an application that monitored network traffic.

Secure Sockets Layer (SSL) / Transport Layer Security (TLS): Cryptographic protocols that provide secure communication over a computer network, like the internet. They are used to encrypt data transmitted between a user's browser and a website, ensuring privacy and data integrity. Websites using SSL/TLS have addresses starting with "https" and often show a padlock icon. Expired certificates can prevent security tools from functioning correctly.

The expired SSL certificate (which had been expired for nine months) had prevented the network monitoring application from decrypting and analyzing outgoing encrypted traffic. Once the certificate was updated, the application could properly inspect the traffic and immediately alerted Equifax employees to suspicious activity – the ongoing exfiltration of vast amounts of data.

By July 30, Equifax managed to shut down the specific exploit being used. Subsequent analysis of the breach revealed that in addition to the unpatched Struts vulnerability, other fundamental security weaknesses contributed significantly:

  • Insecure network design: Lack of sufficient network segmentation.

    Network Segmentation: Dividing a computer network into smaller, isolated sub-networks. This limits the ability of attackers to move freely across the entire network if they breach one segment. A flat, unsegmented network allows attackers to easily pivot from one compromised server to critical databases.

  • Potentially inadequate encryption of PII: While some data may have been encrypted, the attackers were able to access and exfiltrate sensitive PII, suggesting encryption was either missing in key areas or the attackers gained access to encryption keys.

  • Ineffective breach detection mechanisms: The intrusion went undetected for 76 days, proving that its existing monitoring tools were insufficient or improperly configured.
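The segmentation point above is easy to state and hard to verify by hand, so here is a small reachability check that treats the permitted flows between network zones as a graph and computes the blast radius of a compromised zone. This is an added example, not Equifax's architecture or code from the article: zone names, flows and ports are constructed to contrast a flat design with a segmented one.

```python
"""Blast-radius check for a network segmentation policy.

Added example, not Equifax's architecture or code from the article. A policy
is a list of permitted flows between zones; from a zone the attacker already
controls, the functions compute which other zones could be reached by
chaining permitted flows and how many pivots the credit database is away.
Zone names, flows and ports are constructed.
"""
from collections import defaultdict, deque

ZONES = ["internet", "dmz-web", "app", "credit-db", "corp", "backup"]

# Flat design: every internal zone may reach every other internal zone on
# any port, so one compromised server is one hop from everything.
FLAT_POLICY = [("internet", "dmz-web", 443)] + [
    (src, dst, "any") for src in ZONES[1:] for dst in ZONES[1:] if src != dst]

# Segmented design: only the flows each tier needs to do its job.
SEGMENTED_POLICY = [
    ("internet", "dmz-web", 443),
    ("dmz-web", "app", 8443),
    ("app", "credit-db", 5432),
    ("corp", "dmz-web", 443),        # staff reach the web tier like any client
    ("backup", "credit-db", 5432),   # backup service pulls from the database
]


def pivot_paths(policy, start):
    """Shortest chain of permitted flows from `start` to every reachable zone.

    A flow src -> dst counts as a potential pivot: once a host in src is
    compromised, a permitted connection into dst is the next exposure.
    """
    adj = defaultdict(set)
    for src, dst, _port in policy:
        adj[src].add(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(adj[zone]):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths


def blast_radius(policy, start):
    """Zones other than `start` that a compromise of `start` can reach at all."""
    return set(pivot_paths(policy, start)) - {start}


def hops_to(policy, start, target):
    """Number of pivots from `start` to `target`, or None if unreachable."""
    paths = pivot_paths(policy, start)
    return len(paths[target]) - 1 if target in paths else None


def lint_direct_exposure(policy, exposed_zones, data_zones):
    """Rules that let an exposed tier open connections straight into a data tier."""
    return [(s, d, p) for s, d, p in policy if s in exposed_zones and d in data_zones]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "reachable from dmz-web:", sorted(blast_radius(policy, "dmz-web")),
              "hops to credit-db:", hops_to(policy, "dmz-web", "credit-db"))
        print(name, "direct web->db rules:",
              lint_direct_exposure(policy, {"dmz-web"}, {"credit-db"}))
```

With the flat policy the web tier is one hop from every zone including the database; with the segmented policy the database is still reachable, but only through the application tier, and the corporate and backup zones are out of reach entirely. The lint function is the kind of check that can run against a firewall rule export in CI so that a direct web-to-database rule never lands unnoticed.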

Disclosure and Initial Response: Handling the Fallout

Equifax discovered the breach on July 29, 2017, but did not disclose it to the public until September 7, 2017 – a delay of over a month. This delay drew immediate and heavy criticism. Equifax stated the delay was necessary to determine the full scope of the intrusion, but critics argued that the public deserved to be notified much sooner given the severity and potential impact on individuals.

The market reacted swiftly, with Equifax shares dropping significantly after the announcement. Media outlets advised affected consumers to consider a credit freeze to mitigate potential identity theft.

Credit Freeze (or Security Freeze): A security measure that restricts access to your credit report, making it much harder for identity thieves to open new accounts in your name. Lenders cannot access your report if it is frozen without you temporarily lifting the freeze.

The response was further complicated by several missteps and controversies:

  • Allegations of Insider Trading: Three Equifax executives, including the chief financial officer, sold company shares worth almost $1.8 million days after the breach was discovered internally but before it was publicly disclosed. Equifax claimed the executives had no knowledge of the intrusion at the time of the sale, but the timing sparked a U.S. Department of Justice investigation into potential insider trading violations.

  • Problematic Consumer Websites: Equifax set up a dedicated website (equifaxsecurity2017.com) for consumers to check if their data was affected and enroll in free credit monitoring. However, the site faced severe criticism:

    • It was hosted on a new domain name, not a subdomain of the official equifax.com, making it look less legitimate and easily confusable with phishing sites.
    • It reportedly had technical flaws, including flawed TLS implementation and running on WordPress, which security experts deemed unsuitable for handling sensitive interactions.
    • Some security tools flagged it as potentially malicious.
    • To check if they were affected, users had to provide their last name and six digits of their Social Security number, a highly criticized requirement given the context of a data breach.
    • Initially, the terms of service for the credit monitoring service included an arbitration clause and a class action waiver, leading to fears that simply using the site might waive consumers' rights to sue Equifax. Following intense backlash, Equifax issued statements clarifying the clause would not apply to claims related to the breach and later removed it from the relevant site terms.

    Arbitration Clause: A clause in a contract that requires parties to resolve their disputes through binding arbitration rather than through a court of law.

    Class Action Waiver: A clause stating that parties cannot participate in a class action lawsuit (where many individuals with similar claims sue as a group).

  • Linking to a Fake Site: In a baffling error, Equifax mistakenly tweeted links to an unofficial, look-alike website created by a software engineer to demonstrate how easily consumers could be phished. This directed hundreds of thousands of users to the imitation site before being corrected.

In response to mounting pressure, Equifax announced the departures of its Chief Information Officer and Chief Security Officer in September 2017 and the retirement of its CEO, Richard Smith. His successor later promised free, lifetime credit control options for consumers.

The Aftermath: Consequences and Accountability

The fallout from the Equifax breach was extensive and prolonged:

  • Refined Scope: Over time, Equifax provided slightly adjusted numbers, confirming the impact on 147.9 million Americans, 15.2 million British citizens, and nearly 20,000 Canadians, as well as millions of driver's licenses and specific financial data.
  • Data Usage Theories: While the compromised data (primarily PII) was expected to appear on dark web marketplaces for identity theft, its relative absence years later led security experts to theorize either a long "cooling off" period by criminals or, more ominously, that a nation-state actor was behind the breach, planning to use the data for espionage or other non-financial purposes.
  • Extensive Litigation and Fines: Equifax faced numerous lawsuits, including large class action suits seeking billions in damages. Many individuals also won smaller amounts in small claims courts. Regulatory bodies in both the U.S. and UK launched investigations and imposed significant penalties.
  • Regulatory Scrutiny: In the U.S., the Consumer Financial Protection Bureau (CFPB) initiated a probe, though its intensity fluctuated under different leadership, drawing criticism from consumer advocates.
  • Major Settlement: In July 2019, Equifax reached a comprehensive settlement with the FTC, CFPB, 48 U.S. states, Washington, D.C., and Puerto Rico. This required Equifax to pay a total of $425 million into a fund for victim compensation ($300 million initially, plus up to $125 million more), $175 million to the states and territories, and a $100 million fine to the CFPB. The total potential cost of the settlement was estimated at up to $700 million.
  • UK Fine: The Financial Conduct Authority (FCA) in the UK fined Equifax £11,164,400 for its failure to protect UK consumers' data.
  • Perpetrator Indictment: In February 2020, the U.S. Department of Justice indicted four members of China's People's Liberation Army, alleging they were responsible for the hack as part of a state-sponsored operation to steal sensitive data and trade secrets. The Chinese government denied these claims.

Key Failures Highlighted by the Equifax Breach

The Equifax breach serves as a case study demonstrating multiple layers of failure:

  1. Technical Failure: Failing to apply a critical, well-known security patch for the Apache Struts vulnerability despite ample time and warnings.
  2. Procedural/Operational Failure: Ignoring findings from internal audits, lack of consistent patching processes, absence of a comprehensive asset inventory, and ineffective vulnerability prioritization. Using weak or default credentials and lacking 2FA on critical systems.
  3. Architectural Failure: Poor network segmentation allowed attackers to move freely within the network after gaining initial access. Ineffective detection systems failed to identify the intrusion for 76 days.
  4. Managerial/Governance Failure: Lack of executive oversight and prioritization of cybersecurity, as evidenced by ignoring audit recommendations and potential delays in patching critical systems.
  5. Communication/PR Failure: Significant delay in public disclosure, confusing and potentially misleading consumer websites (including terms of service), and communication errors (like linking to a fake site).
  6. Response Failure: The initial tools and information provided to affected consumers were inadequate and poorly implemented, causing additional frustration and confusion.

Lessons Learned

The Equifax breach offers crucial lessons for organizations and individuals:

  • Patching is Paramount: Proactively identifying and applying security patches, especially for known critical vulnerabilities, is a non-negotiable fundamental of cybersecurity. An effective patch management program requires asset inventory, prioritization, and enforcement.
  • Basic Security Hygiene Matters: Implementing essential security controls like strong passwords, multi-factor authentication, and principle of least privilege access can prevent attackers from easily moving through a network even if they breach an initial layer.
  • Network Segmentation is Vital: Designing networks with segmentation limits the blast radius of a breach, preventing attackers from accessing the most sensitive data once they compromise a less critical system.
  • Robust Monitoring and Detection are Essential: Organizations must invest in and properly configure systems to detect suspicious activity within the network, not just at the perimeter. Ignoring expired security certificates on monitoring tools is a critical oversight.
  • Transparency and Timeliness in Disclosure: While determining the full scope takes time, delaying disclosure of a major breach erodes trust and prevents affected individuals from taking protective measures sooner (like credit freezes).
  • Customer Impact Must Be Prioritized: The initial response mechanisms provided to affected individuals must be clear, trustworthy, and genuinely helpful, not confusing or potentially detrimental (like problematic website terms).
  • Cybersecurity is a Board-Level Responsibility: The breach highlighted that cybersecurity is not just an IT issue but a critical business risk requiring attention and investment from the highest levels of management and the board of directors.
  • Personal Vigilance is Necessary: Consumers cannot rely solely on organizations to protect their data. Regularly monitoring credit reports, placing security freezes, and being wary of phishing attempts are important personal defenses.

The Equifax breach serves as a cautionary tale, demonstrating how a combination of technical negligence, procedural failures, and poor crisis management can turn a security incident into a catastrophic, high-profile tech failure with long-lasting repercussions for millions of people and the organization itself.
