How the Equifax Hack Occurred
Not all anniversaries are happy, and so is the Equifax hack. More than a year ago, Equifax announced that hackers had got their hands on the personal information of around 147.7 million Americans from their servers. On a Thursday afternoon, Equifax announced that hackers were able to break into its network and steal the names, dates of birth, addresses and social security numbers of customers that affected more than half of the US population.
While there have been numerous violations since then, few caused panic like the Equifax violation. The large number of Americans affected, most of whom hadn’t even signed up with the credit control firm, marked a new low at a time when hacks were becoming more common. Even after a year, lawmakers are upset that Equifax had no legal ramifications, even if the company had a new team trying to win back the nation’s trust.
Shortly after the release, Rick Smith, then CEO of Equifax, apologized through a video. Consumers took advantage of social media, especially Equifax’s broken website, when millions of users tried to determine if the breach affected them in any way.
On the anniversary of the Equifax hack, lawmakers released a PDF report detailing how the violation occurred.
The Government Accountability Office was the one who produced the report. You were an agency providing investigative and auditing services for Congess. They checked Equifax’s documents and files from the company’s cybersecurity advisor to determine how the hack took place and what other services can do to protect themselves from such breaches.
The group also found that Equifax declined the assistance offered by the Department of Homeland Security and instead chose a third-party private security company to help them manage the violation response.
The attack process began on March 10, 2017, when hackers searched online for servers with some vulnerabilities, as US-CERT had warned a few days earlier. After two months, on May 13th, the hackers cracked the jackpot with Equifax’s dispute portal, where people argue over claims.
This was where hackers took advantage of the Apache Struts vulnerability, a problem Equifax had known for months but was unable to fix. The hackers were given access to credentials for a total of three servers. They found that with the credentials they can access 48 other servers that contain personal information.
The hackers spent 76 days on Equifax’s network before they were discovered. Based on the report, the hackers stole data bit by bit from 51 databases to avoid alarms.
Equifax was unaware of the attack by July 29, more than two months later, and was able to block access to hackers the next day, July 30.
Since then, the company has claimed to have implemented a brand new management system to handle vulnerability updates and review the release of the patch.