How the Equifax hack happened, and what still needs to be done

A year after the revelation of the massive breach, there's unfinished business.

Alfred Ng Senior Reporter / CNET News

It's been a full year since Equifax announced that it suffered a hack affecting 147 million Americans.

Jaap Arriens/NurPhoto via Getty Images

Talk about your unhappy anniversary: A year ago today, Equifax disclosed that hackers stole the personal information of 147.7 million Americans from its servers.

It was a Thursday afternoon when Equifax explained that hackers infiltrated its network and stole customer names, Social Security numbers, birthdates and addresses, affecting more than half the US population.

While plenty of breaches have been announced since then, few have touched a nerve like the Equifax breach. The sheer number of affected Americans -- many of whom had never signed up with the credit-monitoring service -- marked a new low at a time when hacks had become increasingly common. Even a year later, lawmakers are frustrated that the company hasn't faced any legal repercussions, even as a new team at Equifax tries to win back the nation's trust.

Shortly after the disclosure, then-CEO Rick Smith apologized in a video. Consumers raged over social media, specifically about how broken Equifax's website was as millions of people tried to find out if they were affected by the breach.

"Together we will serve our customers, support consumers and strengthen our data security capabilities," Smith said in the video. "In the process, we will build a stronger company, with many great days ahead."

It's been 365 days, and it remains unclear when those great days will arrive.

Inside the company, there have been major changes. Three weeks after the breach became public, Smith stepped down. The Securities and Exchange Commission charged a former Equifax executive with insider trading after he made millions selling shares before the public knew about the attack. Equifax also hired a new chief security officer.

But outside, the difference is hard to notice. It's still unclear who was behind the hack. Security experts also aren't aware how the stolen data has been used.

Equifax as a company hasn't faced many consequences. In January, Democratic senators proposed a law that would require credit-reporting agencies to protect the data they've amassed and pay a fine if they're hacked. The bill never went anywhere.

"One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information -- and the Trump Administration and the Republican-controlled Congress have done nothing," Sen. Elizabeth Warren, a Democrat from Massachusetts, said in a statement.


Warren isn't alone. At a House Energy and Commerce Committee hearing on Wednesday, where the focus was on Twitter and its CEO, Jack Dorsey, Rep. Ben Lujan pivoted his attention to Equifax.

"We've not done anything as well for the 148 million people that were impacted by Equifax," said Lujan, a Democrat from New Mexico. "I think we should use this committee's time to make a difference in the lives of the American people and live up to the commitments that this committee has made: provide protections for our consumers."

It doesn't help that much of that early rage has subsided.

"If the breach happened 10 years ago, consumers would have been shocked and demanded change – now they are more likely to be jaded and under the assumption that someone already has their personal data or has access to it," Brian Vecci, a technical evangelist at Varonis, said in an email.

A breach postmortem

On the anniversary of Equifax's breach, lawmakers released a report (PDF) detailing exactly how the credit-monitoring company was hacked.

The report comes from the Government Accountability Office, the agency that provides auditing and investigative services for Congress. The GAO reviewed documents from Equifax as well as files from the company's cybersecurity consultant to figure out how the company was hacked and what credit-monitoring services should do to protect themselves.

The watchdog group also discovered that Equifax turned down assistance from the Department of Homeland Security, opting instead for a private, third-party cybersecurity company to help manage its breach response.

[Chart: how Equifax was breached. Source: Government Accountability Office]

The attack process started on March 10, 2017, when hackers searched the web for any servers with vulnerabilities that the US-CERT warned about just two days earlier. Two months later, on May 13, they hit the jackpot with Equifax's dispute portal, where people could go to argue about claims.

There, hackers used an Apache Struts vulnerability, a months-old issue that Equifax knew about but failed to fix, and gained access to login credentials for three servers. They found that those credentials allowed them to access another 48 servers containing personal information.

The thieves spent 76 days within Equifax's network before they were detected. According to the report, the hackers stole the data piece by piece from 51 databases so they wouldn't raise any alarms.

Equifax didn't know about the attack until July 29, more than two months later, and cut off access to the thieves on July 30.

Since then, Equifax said that it's implemented a new management system to handle vulnerability updates and to verify that each patch has actually been applied.
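The last step in that postmortem is the one a defender can act on: a patch advisory is only closed when every exposed host is confirmed to be running the fixed version, not when the update was merely issued. The script below is an added example and is not Equifax's system or the GAO report's content. It assumes a constructed advisory with placeholder fixed-version numbers (the real Apache Struts advisory versions are not taken from this page), a constructed host inventory, and scanner reports that record both the version installed on disk and the version the live process reports, so it can catch the common gap where a patched library sits on disk while the old one is still loaded.

```python
"""Patch-deployment verification across a fleet (constructed example)."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1), so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    ident: str          # placeholder identifier, not a real advisory id
    component: str
    fixed_in: dict      # release branch ("2.3") -> first fixed version on it

    def is_fixed(self, version: str) -> bool:
        branch = ".".join(version.split(".")[:2])
        fixed = self.fixed_in.get(branch)
        if fixed is None:
            # Unknown branch: never assume safe; a human must look at it.
            return False
        return parse_version(version) >= parse_version(fixed)


@dataclass
class HostReport:
    hostname: str
    installed: str      # version the scanner found on disk
    running: str        # version the live process reports


def classify(advisory: Advisory, report: HostReport) -> str:
    """One host's status against one advisory."""
    if not advisory.is_fixed(report.installed):
        return "vulnerable"
    if report.running != report.installed:
        # Patched on disk but the service was never restarted/redeployed.
        return "patched_not_reloaded"
    return "patched"


def verify_fleet(advisory: Advisory, expected_hosts: list, reports: list) -> dict:
    """Every host in the inventory gets a status; silence is not 'patched'."""
    by_host = {r.hostname: r for r in reports}
    results = {}
    for host in expected_hosts:
        if host not in by_host:
            results[host] = "unverified"   # scanner never reached it
        else:
            results[host] = classify(advisory, by_host[host])
    return results


def outstanding(results: dict) -> list:
    """Hosts that keep the advisory open, sorted for a ticket or report."""
    return sorted(h for h, s in results.items() if s != "patched")


# Constructed sample data: placeholder version thresholds and host names.
ADVISORY = Advisory("ADVISORY-PLACEHOLDER", "apache-struts",
                    {"2.3": "2.3.900", "2.5": "2.5.900"})
EXPECTED_HOSTS = ["dispute-portal-1", "dispute-portal-2",
                  "dispute-portal-3", "reports-app-1"]
REPORTS = [
    HostReport("dispute-portal-1", "2.3.900", "2.3.900"),  # fixed and reloaded
    HostReport("dispute-portal-2", "2.3.899", "2.3.899"),  # still on old version
    HostReport("dispute-portal-3", "2.5.901", "2.5.850"),  # new jar, old one loaded
    # reports-app-1 never checked in, so it stays unverified
]

if __name__ == "__main__":
    results = verify_fleet(ADVISORY, EXPECTED_HOSTS, REPORTS)
    for host, status in results.items():
        print(f"{host:18} {status}")
    print("still open:", outstanding(results))
```

The point of the four-way status is that only "patched" closes the advisory; "unverified" and "patched_not_reloaded" are the two outcomes that an "update issued" checkbox hides, and both are treated as open work.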

"Today's report highlights the breakdowns and failures at Equifax that led to one of the largest and most consequential data breaches in United States history," Rep. Elijah Cummings, a Democrat from Maryland, said in a statement. "Now that we know even more about what led to the Equifax breach, it is critical that we develop serious and concrete proposals to help the American people."

Cummings and Warren, along with Sen. Ron Wyden, a Democrat from Oregon, and Rep. Trey Gowdy, a Republican from South Carolina, were the four lawmakers who requested the report.

Same difference

Lawmakers are still waiting for some action to be taken against Equifax.

While the Bureau of Consumer Financial Protection and the Federal Trade Commission have opened investigations into Equifax's breach, neither has taken any action.

Warren and Cummings said they've sent a letter to both agencies asking if they "intend to hold Equifax accountable."

Under the bill that Warren and Sen. Mark Warner, a Democrat from Virginia, are looking to pass, Equifax would have paid at least $1.5 billion in penalties for the breach. So far, the company has paid nothing in fines to the government.

Equifax argues that it's going through a complete shift to make sure a breach like 2017's never happens again. An Equifax spokesperson said the company has spent $200 million on cybersecurity over the last year. Its new CISO, Jamil Farshchi, has had experience cleaning up messes: He was called in after Home Depot suffered its own major breach in 2014.

"In the past year, we have undertaken a host of security, operational and technological improvements," an Equifax spokesperson said.

For affected consumers and many in Congress, those improvements haven't yet hit the mark.

Originally published Sept. 6 at 9:00 p.m. PT.
Updated Sept. 7 at 4:54 a.m. PT: Added details about the Equifax breach.
