We have all been warned of the dangers of not keeping our personal data secure online: don't post your personal details publicly, use long and complex passwords, and keep your software updated so that you are running the most secure version.
This is true for businesses too, and a data breach can be extremely costly. The large consumer credit reporting agency Equifax learned these lessons too late, and in 2017 was the victim of one of the most expensive data breaches in history. But what actually happened?
The Data Breach
At the start of 2017, Equifax was one of the big three consumer credit reporting agencies (alongside Experian and TransUnion). As such, they offered many credit monitoring and reporting services to both individual consumers and businesses.
One of their services was a website that handled credit disputes from consumers. Like most websites, Equifax's credit dispute website was built on top of third-party software, and one key component was the popular Java web framework Apache Struts. On March 7th, 2017, the Struts project released a security patch for a critical vulnerability (CVE-2017-5638, a remote code execution flaw in the framework's file upload parser that was triggered by a crafted Content-Type header). All users of the framework were urged to update immediately. Equifax circulated the upgrade notice internally, but the dispute portal was never patched, and a follow-up vulnerability scan failed to find the vulnerable system.
Two months later, in mid-May (May 13th according to the later investigations), an unknown group of hackers found the exploit was still usable on Equifax's website, as the software still had not been updated. The exploit gave the hackers a foothold on the web server, and from there access to Equifax's internal network, where they found unencrypted files containing the usernames and passwords of many Equifax employees. The hackers then used some of these credentials to query the credit databases as though they were authorised users. This gave them access to the personal data of tens of millions of Equifax customers.
The hackers used several more tricks to stay unnoticed, such as encrypting their traffic, reading the databases in small chunks rather than bulk-exporting them, and deleting the temporary directories they had created to stage the data before moving it off Equifax's servers. These tricks helped the hackers stay unnoticed for 76 days. It wasn't until July 29th, when Equifax renewed an expired certificate on the device that inspected its network traffic and the decrypted traffic became visible to it, that Equifax discovered it had been hacked. Within a day, they had updated their software and closed the exploit.
One of the largest data breaches in history had just been pulled off.
The Aftermath
On September 7th, 2017, Equifax finally disclosed that the breach had occurred. This was six months after the security update was first released for Apache Struts, four months after the hackers gained access to Equifax's network and databases, and just over a month after Equifax had patched the exploit.
The amount of data stolen by the hackers was still being calculated at the time, but it was later revealed that the personal data of 147.9 million Americans (over 45% of all Americans) had been exposed, along with 15.2 million UK records (roughly 694,000 of which contained sensitive personal data) and the data of approximately 19,000 Canadians. For American victims, stolen data included names, addresses, birth dates, Social Security numbers and, in some cases, driver's licence numbers. Similar data was stolen from British and Canadian victims.
This was very costly for Equifax in multiple areas. In the first half of September, the business saw its shares on the New York Stock Exchange lose around 35% of their value, wiping out all gains made over the previous year. In its 2019 settlement with US regulators and states, Equifax agreed to pay up to $700 million as a result of the breach, including up to $425 million for a consumer restitution fund and a $100 million civil penalty to the Consumer Financial Protection Bureau.
If the General Data Protection Regulation (GDPR) had been in force in Europe at the time of this breach, British regulators would have been able to fine Equifax up to 4% of its global annual revenue. Equifax then had a yearly revenue of around $3.3 billion, so this could have meant a fine of up to $132 million. Fortunately for Equifax, GDPR only became enforceable eight months after the breach was publicised; under the older Data Protection Act 1998 the UK Information Commissioner's Office could only impose, and did impose, its maximum fine of £500,000.
One week after the breach was publicised by the company, the Chief Information Officer and the Chief Security Officer had been replaced, and the Chief Executive followed later that month. Equifax also announced that it was cooperating with the FBI and other authorities to investigate the breach. In February 2020, roughly two and a half years later, the U.S. Justice Department announced that it had indicted four members of the Chinese military on nine charges related to the hack.
Finally, the breach had a long-lasting impact on Equifax's reputation, and the company is still known for one of the largest data breaches in history. Equifax also received a great deal of criticism for the way it handled the aftermath, including setting up a website on a separate domain for consumers to learn whether they were part of the breach. That website itself had several security flaws, and Equifax's own support account mistakenly directed consumers to a look-alike domain that was not controlled by Equifax.
How It Could Have Gone Differently
This data breach could have gone very differently for Equifax if the company had followed the best practices for data security. If the third-party software, Apache Struts, had been updated when all users were instructed to do so, this particular attack could not have occurred. It is ironic that such a simple fix could have prevented such a huge attack; the harder part, as Equifax's failed scan showed, is knowing every system on which the vulnerable component is actually deployed.
Investigations after the breach identified several more areas of improvement which could have lessened the impact of the attack. Once the hackers got into the network through the exploit, they found that they could move around it with ease. Investigators later found that poor network design meant there was insufficient segmentation between key areas of the network, so a compromise of one public-facing web server led directly to the internal databases.
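One way to turn the "update when instructed" lesson into something checkable is to audit build manifests for the affected component. The script below is an added example, not Equifax's or the Apache project's code: it scans a Maven pom.xml for org.apache.struts dependencies, resolves ${property} version references, and compares each version against the first fixed release on its branch for the March 2017 advisory (2.3.32 on the 2.3 branch, 2.5.10.1 on the 2.5 branch). The pom.xml content is constructed for illustration.

```python
"""Audit a Maven pom.xml for Apache Struts versions below the March 2017 fixes.

Added example, not Equifax's or Apache's code. The sample pom.xml below is
constructed; the fixed version numbers are those of the S2-045 advisory.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# First release on each maintained branch that carries the fix.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "2.3": (2, 3, 32),
    "2.5": (2, 5, 10, 1),
}

# Constructed manifest: a vulnerable core pinned through a property, a patched
# plugin, and an unrelated dependency that must be ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>"""


def local_name(tag: str) -> str:
    """Strip the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem: ET.Element, name: str) -> Optional[str]:
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if local_name(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.31-SNAPSHOT' -> (2, 3, 31); qualifiers are ignored for ordering.

    Tuple comparison handles four-part releases: (2, 5, 10) < (2, 5, 10, 1).
    """
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def resolve_property(version: str, props: Dict[str, str]) -> str:
    """Replace a ${name} reference with the value from <properties>."""
    match = re.fullmatch(r"\$\{([^}]+)\}", version)
    return props.get(match.group(1), version) if match else version


def audit_pom(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Return (artifactId, resolved version, verdict) for each Struts dependency."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for elem in root.iter():
        if local_name(elem.tag) == "properties":
            for prop in elem:
                props[local_name(prop.tag)] = (prop.text or "").strip()

    findings = []
    for dep in root.iter():
        if local_name(dep.tag) != "dependency":
            continue
        if child_text(dep, "groupId") != "org.apache.struts":
            continue
        artifact = child_text(dep, "artifactId") or "?"
        raw_version = child_text(dep, "version")
        if raw_version is None:
            findings.append((artifact, "(inherited)", "REVIEW"))  # version set by a parent pom
            continue
        version = resolve_property(raw_version, props)
        parsed = parse_version(version)
        fixed = FIXED_VERSIONS.get(f"{parsed[0]}.{parsed[1]}")
        if fixed is None:
            verdict = "REVIEW"  # branch not covered by the fixed-version table
        elif parsed < fixed:
            verdict = "VULNERABLE"
        else:
            verdict = "ok"
        findings.append((artifact, version, verdict))
    return findings


if __name__ == "__main__":
    for artifact, version, verdict in audit_pom(SAMPLE_POM):
        print(f"{verdict:10} {artifact} {version}")
```

Run against a real repository, the same audit would be pointed at every pom.xml (and at the jar files actually deployed, since a build manifest only tells you what should be on the server), which is exactly the inventory step Equifax's scan got wrong.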
The hackers were also able to gain access to unencrypted transaction data covering roughly 209,000 credit cards used with Equifax. Encryption of sensitive data at rest is one of the key pillars of good data security, and Equifax had failed in this area. Visa and MasterCard both had to publish alerts to banks because of this, and both laid the blame explicitly on Equifax.
Finally, Equifax was criticised for inadequate breach detection. The device that should have inspected traffic leaving the network had been running with an expired certificate since late 2015, so the encrypted traffic carrying the stolen data was never examined, and no alert was raised on an account reading tens of millions of records in small chunks over more than two months. It then took Equifax more than a month after discovery to publicly reveal the attack. This point, again, would have fallen foul of GDPR's 72-hour notification requirement had it been in force at the time.
Overall, there were many chances for Equifax to either stop this attack completely or to lessen its impact. Unfortunately, it didn't, and the cost to the business was huge. It is hoped, however, that other businesses learn from Equifax's mistakes, and that a similar situation does not happen again.
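The "small chunks" technique only works against detection that looks at one query at a time. The script below is an added example, not Equifax's monitoring, of the aggregate check that catches it: it parses a constructed database audit log, shows that a per-query row threshold flags nothing, and then sums rows per account per day against a per-account daily baseline (the baselines are constructed too). Accounts with no baseline are flagged on any read, on the assumption that a new principal touching production PII deserves a look.

```python
"""Volume-based detection of chunked database reads.

Added example, not Equifax's tooling. The audit log and the per-account daily
baselines are constructed for illustration.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from typing import Dict, List

# Constructed audit log: every individual read stays under the per-query limit,
# but one service account reads 32,000 rows in half an hour at 2 a.m.
SAMPLE_LOG = """ts,account,table,rows
2017-05-20T02:10:00,svc_dispute,consumer_pii,4000
2017-05-20T02:13:00,svc_dispute,consumer_pii,4000
2017-05-20T02:16:00,svc_dispute,consumer_pii,4000
2017-05-20T02:19:00,svc_dispute,consumer_pii,4000
2017-05-20T02:22:00,svc_dispute,consumer_pii,4000
2017-05-20T02:25:00,svc_dispute,consumer_pii,4000
2017-05-20T02:28:00,svc_dispute,consumer_pii,4000
2017-05-20T02:31:00,svc_dispute,consumer_pii,4000
2017-05-20T09:05:00,analyst_jsmith,dispute_cases,9000
2017-05-20T14:40:00,analyst_jsmith,dispute_cases,9000
2017-05-20T03:02:00,tmp_admin,card_transactions,500
2017-05-21T10:00:00,svc_dispute,consumer_pii,3000
"""

PER_QUERY_LIMIT = 10_000  # the kind of single-event threshold chunking defeats

# Constructed: typical rows read per account per day, e.g. a 30-day median.
DAILY_BASELINE: Dict[str, int] = {"svc_dispute": 5_000, "analyst_jsmith": 20_000}
BASELINE_MULTIPLIER = 5  # alert when a day's total exceeds 5x the usual volume


def parse_log(text: str) -> List[dict]:
    """Parse CSV audit lines into events with typed fields."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "account": row["account"],
            "table": row["table"],
            "rows": int(row["rows"]),
        })
    return events


def per_query_alerts(events: List[dict]) -> List[dict]:
    """Naive detection: flag any single read above PER_QUERY_LIMIT."""
    return [e for e in events if e["rows"] > PER_QUERY_LIMIT]


def daily_volume_alerts(events: List[dict]) -> List[dict]:
    """Aggregate detection: flag (account, day) pairs whose total rows exceed
    the account's baseline times BASELINE_MULTIPLIER, or any reads by an
    account that has no baseline at all."""
    totals: Dict[tuple, dict] = defaultdict(
        lambda: {"rows": 0, "queries": 0, "tables": set()}
    )
    for e in events:
        key = (e["account"], e["ts"].date().isoformat())
        bucket = totals[key]
        bucket["rows"] += e["rows"]
        bucket["queries"] += 1
        bucket["tables"].add(e["table"])

    alerts = []
    for (account, day), bucket in sorted(totals.items()):
        baseline = DAILY_BASELINE.get(account)
        if baseline is None:
            reason = "no baseline for account"
        elif bucket["rows"] > baseline * BASELINE_MULTIPLIER:
            reason = f"{bucket['rows']} rows vs baseline {baseline}"
        else:
            continue
        alerts.append({
            "account": account,
            "date": day,
            "rows": bucket["rows"],
            "queries": bucket["queries"],
            "tables": sorted(bucket["tables"]),
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-query alerts:", per_query_alerts(evts))
    for alert in daily_volume_alerts(evts):
        print(alert)
```

The aggregate check is deliberately simple; in practice the baseline would be learned from history and the window would also cover distinct tables touched and time of day, but the principle is the same: size the detection to the total the attacker wants, not to the size of the pieces they fetch it in.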