Equifax is expected to pay about $700 million for a data breach that put almost half the U.S. population’s personal information at risk.
The credit-reporting firm is working to finalize an agreement that includes a $700 million settlement with the Federal Trade Commission, Consumer Financial Protection Bureau, numerous state attorney general offices, and a class-action lawsuit. The agreement comes two years after Equifax experienced one of the largest data breaches in history that compromised the personal information of 140 million consumers. The stolen information included Social Security numbers, dates of birth, and addresses.
Keep reading to learn more about the timeline of the Equifax data breach.
What is a Data Breach?
A data breach occurs when restricted sensitive information is accessed without proper authorization by hackers or cybercriminals who seek to exploit this information for financial gain. Often, the stolen personal data is then sold on the black market via the dark web.
Data breaches are an increasingly serious problem, especially for companies and credit bureaus like Equifax that store massive amounts of personal data in their internal systems.</p>
What Caused the Equifax Data Breach?
As we rely more on the digital world for everyday tasks such as banking and online shopping, large corporations with stockpiles of sensitive data must constantly work to ensure that their cybersecurity is better than the criminals who seek to exploit it.
The Equifax data breach serves as a disastrous example of what can and will happen when proper security protocols aren’t followed in an age of ever-evolving cyberattacks.
Here’s how the private information of millions of Americans landed in the hands of hackers who were able to access it for months before the breach was even detected, and how even years later that information remains under threat:
Timeline of the Equifax Data Breach: 2015 – Today
April 2015: Equifax Chief Security Officer Institutes a New Security Protocol
Before 2015, Equifax lacked the official protocol to address existing security vulnerabilities within Its systems. The chief security officer at the time, Susan Maudlin, set out to create a patch management policy that would govern security issues by addressing them or “patching” on a schedule as they were found.
This security protocol, called a patch management policy, was implemented in April. After implementation, an internal audit was scheduled to assess whether the patch management policy was effective.
October 2015: The Security Protocol is Declared Ineffective
The audit report assessed the effectiveness of the patch management policy, the security of Equifax’s internal production environment where sensitive information was stored and made recommendations to improve the credit bureau’s overall data security.
The report found that the patch management policy could not address the Equifax system’s many vulnerabilities. Even more glaringly, many of these vulnerabilities had not been patched according to Equifax’s own schedule.
The October audit found that as of August 2015, external-facing Equifax systems had over 1,000 known vulnerabilities that ranged from medium to critical and more than 7,500 high or critical vulnerabilities. Around 75% of the external vulnerabilities, and 93% of the internal vulnerabilities, were at least 90 days old.
The audit report also found that although the credit bureau had planned to use automated tools to perform the patching, the tools had not been implemented as planned.
The audit noted that when vulnerabilities were found and patched, they also weren’t prioritized by importance. This left potential critical assets open to malicious parties far longer than necessary.
The only protocol in place to verify that the patches had been installed successfully was referred to as the “honor system.”
No follow-up audits were conducted following the first audit.
December 2016: A Security Researcher Warns Equifax of Potential Vulnerabilities
In December 2016, a security researcher found that he could easily exploit vulnerabilities within Equifax’s servers and websites in a matter of hours.
The security researcher was able to download sensitive information about hundreds of thousands of Americans and claimed it would have only taken ten minutes to download the data of every Equifax customer.
Though the researcher warned Equifax in December 2016, Equifax did not patch the network until seven months later, after the breach had become a public disaster.
The portal where Equifax later claimed the breach happened wasn’t even the same one the security researcher discovered — an indication that there were multiple points of vulnerability in Equifax’s systems.
March 2017: US-CERT Notifies Equifax of a Separate Critical Security Vulnerability and Offers a Fix
On March 8, 2017, Equifax received an alert from the U.S. Computer Emergency Response Team (US-CERT) that the Apache Software Foundation had released security updates to address a vulnerability that could be exploited by a remote attacker.
A later published report from the U.S. Senate Committee on Homeland Security and Governmental Affairs noted that the tools needed to exploit this vulnerability were free and easy to use – leaving companies who didn’t install the Apache security update open to critical threats. Meetings were held at Equifax to address the security threats, but there was little follow up and many senior-level employees did not attend.</p>
May – July 2017: Cybercriminals Gain Access to the Personal Information of 143 Million Americans
In the months following the notification from US-CERT, cybercriminals were able to access Equifax’s online dispute portal, a section of the site that allowed people to view and report false information on their credit report.
Then, the cybercriminals sent queries and commands to other Equifax systems to obtain more personally identifiable information and access to a deeper database that contained more sensitive information to include unencrypted usernames and passwords, allowing access to social security numbers and more. By the time it was over, nearly half the U.S. population had been compromised.
July 29th, 2017: Equifax Notices the Massive Data Breach
The data breach was not discovered until July 29, more than 60 days after the first data was stolen.
This 60-day window was possible because Equifax’s SSL certificates had expired — the type that grants the “https://” protocol to a website and labels it as secure.
On July 29, upon renewing SSL certificates, Equifax discovered suspicious traffic directed from the vulnerable portal to an IP address based in China. Equifax blocked the IP address and the portal was taken offline.
September 2017: Equifax Announces the Data Breach to the Public
By Sept. 4, the teams investigating the data breach had obtained a list of consumers whose personally identifiable information was believed to have been stolen or compromised.
Only then was the breach was announced to the public three days later on Sept. 7 — six weeks after the initial discovery of the data breach.
Following the announcement, Equifax set up the website www.equifaxsecurity2017.com to allow concerned consumers to find out whether or not they’d been affected by the breach.
This website was criticized for being hosted under a different domain name than Equifax’s main site because it could be easily mirrored by a phishing website.
Equifax also sent out several tweets that directed users to a phishing website by accident.
It had a similar domain name, www.securityequifax2017.com. Users who entered information on the phishing site may have also been compromised.
October 2017 – March 2018: Equifax Revises the Number of People Affected to 147.9 Million
Equifax revealed that the breach may have involved the theft of 2.5 million more individuals than previously thought on Oct. 2, and in March 2018, announced an additional 2.4 million consumers had their names and partial drivers’ license information.
It remains unclear if the data from the 2017 Equifax breach has been used or how many years in the future it will affect consumers.
How to Protect Personal Information in the Age of Data Breaches
Data breaches are a part of life. No individual, team, or company — no matter how large-scale and reputable — is completely safe.
Though you have little control over security breaches, identity theft protection and active credit monitoring can ensure that when a data breach happens, you can get ahead before your life is affected.