

Learn the most important lessons from one of the most catastrophic security attacks in history.
• The 2017 Equifax breach exposed 147.9 million Americans' data through an unpatched Apache Struts vulnerability; an expired TLS certificate then left the data exfiltration uninspected for months.
• Chinese military hackers likely orchestrated the attack to build intelligence dossiers on U.S. citizens and government officials.
• The breach cost Equifax $1.38 billion total, including settlements, regulatory fines, and mandatory security improvements.
• Key lessons include patching vulnerabilities promptly, implementing network segmentation, and maintaining basic security controls like certificate renewals.
In 2017, Equifax suffered a massive data breach, often considered one of the most significant and devastating cybersecurity incidents in history.
As one of the major credit reporting agencies in the United States, Equifax held sensitive information on more than 800 million individuals and 88 million businesses worldwide.
The breach exposed the personal data of more than 40% of the US population - approximately 147.9 million people. The leaked data included names, birth dates, physical addresses, and Social Security numbers. Around 200,000 people also had their credit card numbers exposed.
In this case study, we’ll explore how the Equifax data breach happened, the company’s response, what the breach actually cost, and lessons learned.
Before we dive into the technical mess, let’s be clear about what we’re talking about here.
A data breach happens when attackers break into systems and steal data they’re not supposed to have. Think of it like someone breaking into your house and stealing your personal files - except it’s digital and affects millions of people at once.
According to the U.S. Government Accountability Office (GAO) report on the incident, the Equifax breach was the result of a chain of failures. On March 10, 2017, the attackers gained initial access to Equifax's network by exploiting CVE-2017-5638, an Apache Struts 2 vulnerability, on the company's online consumer dispute portal.
The flaw sat in Struts' Jakarta Multipart parser: an attacker could place an OGNL expression in a malformed HTTP Content-Type header, and because the parser echoed the header value into an error message that was then evaluated as OGNL, the expression ran as code on the server. Apache had already published a patch, but Equifax's security team didn't apply it before the attackers arrived.
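As an added illustration (not code from the original article, and not anything Equifax ran), here is a small Python checker that scans raw HTTP requests for the CVE-2017-5638 pattern: a Content-Type header that is not a syntactically valid media type, or that carries OGNL expression markers. The sample requests are constructed, the host name portal.example is fictitious, and the exploit headers are shortened versions of the public proof-of-concept shape rather than a working exploit. A check like this belongs in a WAF rule or a log-review script; the real fix was upgrading Struts to a patched release (2.3.32 or 2.5.10.1).

```python
import re

# CVE-2017-5638: Struts 2's Jakarta Multipart parser included a malformed
# Content-Type value in an error message that was then evaluated as OGNL.
# Expression delimiters and the identifiers the public exploit chain relies on
# never appear in a legitimate media type.
OGNL_MARKERS = re.compile(
    r"[%$]\{|#_memberAccess|OgnlContext|DEFAULT_MEMBER_ACCESS|ProcessBuilder",
    re.IGNORECASE,
)

# RFC 7231 media type: token "/" token, optionally followed by ";name=value"
# parameters whose value is a token or a quoted string.
TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
VALID_CONTENT_TYPE = re.compile(
    "^" + TOKEN + "/" + TOKEN
    + r"(?:\s*;\s*" + TOKEN + r"=(?:\"[^\"]*\"|" + TOKEN + r"))*\s*$"
)

# Constructed sample requests (not real traffic). The third and fourth carry a
# shortened exploit-style header; the host name is fictitious.
SAMPLE_REQUESTS = [
    "POST /dispute/upload HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    "Content-Length: 2\r\n\r\n..",
    "GET /dispute/status HTTP/1.1\r\nHost: portal.example\r\nAccept: text/html\r\n\r\n",
    "POST /dispute/upload HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#cmd='whoami').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}\r\n\r\n",
    "POST /dispute/upload HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: ${#context['xwork.MethodAccessor.denyMethodExecution']=false}\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request into its request line and a lowercase header dict."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_content_type(value):
    """Return 'ognl_injection', 'malformed' or 'ok' for one Content-Type value."""
    if OGNL_MARKERS.search(value):
        return "ognl_injection"
    if not VALID_CONTENT_TYPE.match(value):
        return "malformed"
    return "ok"


def scan_requests(raw_requests):
    """Return one finding per request whose Content-Type header is suspicious."""
    findings = []
    for raw in raw_requests:
        request_line, headers = parse_request(raw)
        content_type = headers.get("content-type")
        if content_type is None:
            continue
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            findings.append({"request": request_line, "verdict": verdict,
                             "content_type": content_type[:80]})
    return findings


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding["verdict"], finding["request"], finding["content_type"])
```

The two signals are deliberately separate: a marker hit is high confidence and worth blocking outright, while a merely malformed media type is a lower-confidence signal that is still worth logging, since any expression language smuggled through this header has to break the token/token grammar first.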
On May 13, 2017, the attackers pivoted from the portal to other servers on the network, which a lack of network segmentation made easy. On those machines they found usernames and passwords stored in plaintext, which opened up still more systems.
From May to July 2017, the attackers queried multiple databases holding sensitive information on hundreds of millions of people. When exfiltrating data, attackers routinely encrypt it in transit so that the victim's monitoring tools cannot see what is leaving.
Equifax did have a network inspection device that was supposed to decrypt, analyze, and re-encrypt outbound traffic, but its TLS certificate had expired, so the device could no longer decrypt the traffic and simply passed it along uninspected. In other words, because Equifax didn't renew a certificate, encrypted traffic wasn't being inspected, and the company had no visibility into what data was leaving its network.
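The control that failed here is unglamorous: nobody was tracking when the inspection device's certificate would expire. As an added example (not code from the article or from Equifax), the Python script below audits a certificate inventory and flags anything expired or about to expire. The inventory entries are constructed; each pairs a device name with the line that `openssl x509 -noout -enddate -in cert.pem` prints for its certificate, and the reference date is the day the article says Equifax replaced the certificate.

```python
from datetime import datetime, timezone

# Constructed inventory for this example (not Equifax's real devices): the
# device name and the line produced for its certificate by
#   openssl x509 -noout -enddate -in <cert.pem>
INVENTORY = [
    ("ssl-inspector-01", "notAfter=Jan 31 23:59:59 2016 GMT"),
    ("ssl-inspector-02", "notAfter=Aug 15 12:00:00 2017 GMT"),
    ("dispute-portal-lb", "notAfter=Mar  1 00:00:00 2018 GMT"),
]

# Reference date used when the script is run: the day Equifax replaced its
# expired certificate, per the article's timeline.
REFERENCE_DATE = datetime(2017, 7, 29, tzinfo=timezone.utc)


def parse_enddate(line):
    """Turn an openssl 'notAfter=Mon DD HH:MM:SS YYYY GMT' line into a UTC datetime."""
    _, _, value = line.partition("=")
    value = " ".join(value.split())  # openssl pads single-digit days with two spaces
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def certificate_status(not_after, now, warn_days=30):
    """Classify one certificate relative to 'now'; returns (state, days_remaining)."""
    remaining = (not_after - now).days
    if remaining < 0:
        return "EXPIRED", remaining
    if remaining <= warn_days:
        return "EXPIRING", remaining
    return "OK", remaining


def audit(inventory, now, warn_days=30):
    """Evaluate every certificate in the inventory; returns [(device, state, days)]."""
    report = []
    for device, line in inventory:
        state, days = certificate_status(parse_enddate(line), now, warn_days)
        report.append((device, state, days))
    return report


def has_failures(report):
    """True if any certificate is already expired: the condition that should page someone."""
    return any(state == "EXPIRED" for _, state, _ in report)


if __name__ == "__main__":
    for device, state, days in audit(INVENTORY, REFERENCE_DATE):
        print(f"{device:20} {state:9} {days:+d} days")
```

Run against the constructed inventory on the reference date, the first inspector shows as expired by well over a year, the second is inside the 30-day warning window, and the load balancer is fine. The more important lesson is the one the script cannot fix: an inspection device that cannot decrypt should fail closed or at least raise an alarm, not quietly wave traffic through.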
On July 29, 2017, administrators replaced the expired certificate, and with inspection restored they immediately noticed the suspicious traffic. The breach was discovered and an internal investigation launched. On September 7, 2017, more than a month into the investigation, Equifax publicly announced the breach.
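Payload inspection is not the only way to notice months of data leaving a database tier. As an added example (not from the article or from Equifax's own tooling), the Python below runs a volume-based check over flow summaries: it totals what each internal host sends to external addresses per day and flags a host whose egress jumps far above its own prior daily maximum. The flow records, the host roles and the thresholds (10x the prior maximum, with a 100 MB floor) are all constructed for illustration. This kind of check works on encrypted traffic because it never looks inside it.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges treated as internal (RFC 1918). Everything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow summaries for this example, not real Equifax telemetry:
# (day, src_ip, dst_ip, dst_port, bytes_sent). 10.20.5.15 plays a database
# server that normally sends only small amounts of data outside the network.
FLOWS = [
    ("2017-05-10", "10.20.5.15", "10.20.9.3", 1521, 8_000_000_000),
    ("2017-05-10", "10.20.5.15", "203.0.113.8", 443, 1_500_000),
    ("2017-05-11", "10.20.5.15", "203.0.113.8", 443, 1_200_000),
    ("2017-05-12", "10.20.5.15", "203.0.113.8", 443, 1_800_000),
    ("2017-05-13", "10.20.5.15", "198.51.100.24", 443, 4_200_000_000),
    ("2017-05-13", "10.20.7.40", "203.0.113.8", 443, 2_000_000),
]


def is_internal(ip):
    """True for addresses inside any of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_egress_by_day(flows):
    """Sum bytes each internal host sent to external destinations, per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
    return totals


def find_egress_anomalies(flows, multiplier=10, min_bytes=100_000_000):
    """Return (host, day, bytes, baseline) for each day a host's external egress
    exceeds `multiplier` times its previous daily maximum and the absolute floor.
    The floor keeps hosts with no history from alerting on trivial volumes."""
    alerts = []
    for src, per_day in external_egress_by_day(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            baseline = max((per_day[d] for d in days[:i]), default=0)
            today = per_day[day]
            if today >= min_bytes and today > multiplier * baseline:
                alerts.append((src, day, today, baseline))
    return alerts


if __name__ == "__main__":
    for src, day, sent, baseline in find_egress_anomalies(FLOWS):
        print(f"{day} {src} sent {sent:,} bytes externally (prior daily max {baseline:,})")
```

On the constructed data only the database server on May 13 trips the rule; the 8 GB it sends to an internal application host is ignored, and the second host's 2 MB stays under the floor. In production the baseline would come from weeks of history and per-role thresholds, but the shape of the check is the same.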
During the interim month of August, several Equifax executives sold company stock, which raised suspicions that they had sold ahead of the price drop the breach announcement would cause. In the end, a former chief information officer of one Equifax business unit was charged with insider trading.

The Equifax breach had far-reaching impacts, from financial losses and reputational damage for the company to increased identity theft risks for consumers. The main impacts are covered below.
This is where the story gets interesting. Attribution in cyberattacks isn’t always straightforward.
Threat actor attribution means figuring out who’s actually behind a cyberattack. It’s like detective work - you analyze attack patterns, technical evidence, and geopolitical context to identify whether you’re dealing with cybercriminals, nation-state actors, or insider threats.
Despite the enormous volume of data stolen, none of it has ever surfaced on the dark web. Another clue: although the attackers gained initial access on March 10, 2017, it wasn't until May 13, 2017, more than two months later, that they pivoted and began exfiltrating data.
Investigators believe the initial intrusion was carried out by initial access brokers exploiting the then-recent Struts vulnerability, who eventually sold their access to more experienced attackers. In what the GAO report referred to as a "separate incident," a different threat actor gained access to the online dispute portal on May 13, 2017, and used several techniques to retrieve the PII residing on other systems and exfiltrate it.
On February 10, 2020, the United States Department of Justice charged four members of the Chinese military with the attack. Why would the Chinese government be interested in the data? In 2015, the U.S. Office of Personnel Management was hacked, leaking over 22.1 million records, and in 2018 Marriott's Starwood hotel chain was breached, exposing approximately 500 million records. In neither incident did the highly sensitive data ever appear for sale on the dark web, which led investigators to connect the three breaches.
The attacks are assumed to be an attempt by the Chinese government to build a dossier on millions of Americans with the intent to learn about U.S. government officials and intelligence officers. Specifically, the data leaked would shed light on individuals who could be manipulated due to financial trouble or blackmail attempts.
Equifax’s response to the breach was widely criticized for several reasons. Initially, they created a stand-alone domain titled equifaxsecurity2017.com to host information for those affected by the breach. The domain name looked suspicious as it’s the same style often used in phishing attacks. To make matters worse, Equifax’s official social media accounts mistakenly pointed users to a domain titled securityequifax2017.com.
What perhaps outraged people the most was that the original language used on the site required victims to waive their lawsuit rights to check whether they were affected. This was eventually updated. However, it’s certainly a good lesson in how not to respond to an incident.
Eventually, a new domain, with yet another confusing name, was created where you can check if you were affected:
https://eligibility.equifaxbreachsettlement.com/en/Eligibility.
It’s important to note that the FTC, not Equifax, runs this website.
Equifax had a cybersecurity insurance policy with a coverage limit of $125 million and a deductible of $7.5 million at the time of the breach. The company stated, “We have received the maximum reimbursement under the insurance policy of $125 million, all of which was received before 2019.”
In 2019, Equifax settled with the FTC. For a breach that was entirely preventable, the incident cost the company $1.38 billion in total. The agreement required Equifax to set aside at least $380.5 million for breach compensation and to spend another $1 billion improving its information security practices. As a direct result of the breach, the CEO, CSO, and CIO all left the company. Then, in June 2019, Moody’s downgraded Equifax’s credit outlook, citing the escalating litigation and regulatory costs associated with the breach.
The settlement offered free credit monitoring or up to $125 cash payment. Claimants who submitted a valid claim for credit monitoring services received an email with information on how to activate credit monitoring services with Experian. Victims were also eligible for at least seven years of free identity restoration services to help them with the effects of identity theft and fraud.
Victims could also claim documented out-of-pocket losses (excluding the money and time spent freezing or unfreezing credit reports or buying credit monitoring or identity theft protection), but such payments are typically pro-rated downward depending on how many claims are filed.
After the breach, U.S. lawmakers passed a law allowing consumers to freeze their credit reports at no cost. Until then, in some states, consumers had to pay for a credit freeze, restricting access to a person’s credit file. A credit freeze makes it harder for identity thieves to open accounts in someone else’s name, which can damage their credit score.

Hopefully, our Equifax case study was informative. Here are our top takeaways from the data breach:
Attackers exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) to breach Equifax’s systems in 2017. They accessed personal data on 147 million Americans, including SSNs, birth dates, and addresses. The breach went undetected for months because an expired TLS certificate had stopped Equifax’s traffic inspection tools from working.
Check the official settlement website at equifaxbreachsettlement.com or use Breachsense’s exposure scanner to see if your data appears in breach databases. With 147 million people affected, you should assume you were hit if you had credit history before 2017.
Most Equifax claimants who opted for cash got only $5-20, not the advertised $125. This happened because 4.5 million people filed claims against a capped $31 million fund. The settlement prioritized credit monitoring over cash payments.
Use dark web monitoring services to continuously scan for your exposed credentials. You can also check HaveIBeenPwned for known breaches or use Breachsense’s scanner for comprehensive dark web exposure assessment including recent breaches.
Watch for unauthorized accounts on your credit reports, unexpected credit inquiries, or bills for services you didn’t sign up for. Monitor your credit reports from all three bureaus (Equifax, Experian, TransUnion) and consider data breach monitoring to catch future exposures early.
Freeze your credit at all three bureaus immediately, file a fraud alert, and monitor your credit reports closely. Consider identity theft protection services and watch for fraudulent accounts. Since you can’t change your SSN, you’ll need to stay vigilant permanently.
