Data breaches, in the traditional sense, have existed for centuries. Although we think of data breaches as a relatively new phenomenon due to the sheer prevalence of attacks we see today, data breaches have been causing headaches to businesses and consumers for a long, long time. Of course, before computers, a data breach meant the exposure of physical papers with confidential information on them. Before the Internet, the amount of damage that could be done was limited by the physical amount of data you could steal. After all, there’s only a finite number of confidential papers a criminal can sneakily fit in a briefcase. Because of this, the amount of damage done by data breaches was limited.
However, once Internet usage became widespread, the potential damage of a data breach skyrocketed. Millions of consumer records could be stored digitally, ripe for the picking for any cybercriminal with enough knowledge and skill. Ultimately, the Internet ushered in the great data breach boom. And no case is more symbolic of this new trend than the Equifax data breach of 2017.
In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.
Equifax’s Lax Security
Equifax, one of the three major credit bureaus in the United States, has held mountains of information on millions of Americans for decades. Of course, recording and analyzing this personal information is what a credit bureau does, and their existence is necessary in today’s world. However, because of the sheer amount of information that credit bureaus have, they also hold more responsibilities than most other businesses. Specifically, these businesses have increased responsibility for protecting data and preventing cybercrime. Unfortunately, Equifax reneged on this responsibility in 2017.
On March 7, 2017, Apache Struts, a software program that Equifax and thousands of other companies used, announced a security vulnerability in the software, and immediately sent an update to Equifax to patch the security hole [1]. For reasons unknown, the software was never updated by Equifax, creating a massive security vulnerability. Just a week later, Equifax ran a scan for unpatched systems, but the Apache Struts security hole was not flagged [1]. Ultimately, these two errors put Equifax’s data at massive risk, as the software’s security flaw was publicly known. Just a few days after Equifax’s initial error, the risk was realized.
The Breach
On March 10, 2017, the perpetrators first gained access to Equifax’s servers. However, the cybercriminals did not do much for the next few months, likely to evade detection by Equifax IT. By May, the hackers began their attack [2]. For the next two months, the hackers gained access to multiple Equifax databases. They then encrypted this data and extracted it right under Equifax’s nose. Not long after, the perpetrators were in control of millions of Social Security numbers, birth dates, names, driver’s license numbers, and credit card numbers. After months of investigations, it was determined that the cybercriminals made away with the vital personal information of over 140 million people [3].
To make matters worse, Equifax could’ve had one last line of defense when the hackers were extracting the encrypted data. Most companies receive notifications when a large amount of encrypted data is exfiltrated. However, in another cybersecurity blunder by Equifax, the company failed to renew a vital security service that inspects encrypted data traffic [1]. Because of this, the hackers made away with the data without detection.
The Response
In August 2017, Equifax became aware of the cybersecurity incident, but did not reveal the attack to the public until September [1]. While Equifax attempted to provide resources to those affected, even the company’s response to the attack was widely panned. For example, Equifax’s social media team directed affected consumers to incorrect web pages on multiple occasions [1]. Even worse, it was revealed that multiple Equifax executives sold USD $1.8 million in Equifax stock following the company’s discovery of the attack, but before it was publicly announced [4]. One executive, Equifax’s Chief Information Officer, was eventually convicted of insider trading related to the attack [5]. Simply put, Equifax’s response to the crisis was woefully inept, and the affected consumers were furious. Eventually, this frustration resulted in litigation.
In the following years, a class-action lawsuit was filed on behalf of the affected consumers, and Equifax’s penalty was steep. In July 2019, Equifax agreed to settle the case, paying USD $1.38 billion to resolve consumer complaints, and USD $380.5 million to those who were harmed by the breach [6]. While those numbers are large, the sheer number of victims meant that the maximum payout was only USD $125 [1]. Additionally, Equifax was required to provide free credit monitoring to all those affected by the breach.
For months, investigators waited for the stolen data to appear on the dark web to be sold to spammers and scammers. However, the stolen personal information never appeared. Ultimately, this led to the belief that state-sponsored actors were behind the attack. This meant the purpose of the attack was not to make money, but for espionage. For years, it was unknown who was behind the breach. However, in 2020, the United States Department of Justice abruptly charged four Chinese military members with the attack [1]. While the four potential perpetrators are unlikely to ever be extradited to stand trial, these charges at least provide a theory of who was behind this massive data breach.
[1] Fruhlinger, Josh. “Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact?” CSO Online. February 12, 2020. https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html.
[2] Riley, Michael, Jordan Robertson, and Anita Sharpe. “The Equifax Hack Has the Hallmarks of State-Sponsored Pros.” Bloomberg.com. September 29, 2017. https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.
[3] Leonhardt, Megan. “Equifax to Pay $700 Million for Massive Data Breach. Here’s What You Need to Know about Getting a Cut.” CNBC. July 23, 2019. https://www.cnbc.com/2019/07/22/what-you-need-to-know-equifax-data-breach-700-million-settlement.html.
[4] Hudson, Phil. “Equifax Gets Blasted for Cybersecurity Hack on Social Media.” Bizjournals.com. September 8, 2017. https://www.bizjournals.com/atlanta/news/2017/09/08/equifax-gets-blasted-for-cybersecurity-hack-on.html.
[5] Liptak, Andrew. “Former Equifax Executive Sentenced to Prison for Insider Trading Prior to Data Breach.” The Verge. June 29, 2019. https://www.theverge.com/2019/6/29/20056655/jun-ying-equifax-breach-jail-time-insider-trading-department-of-justice.
[6] Brumfield, Cynthia. “Equifax’s Data Breach Disaster: Will It Change Executive Attitudes toward Security?” CSO Online. July 24, 2019. https://www.csoonline.com/article/3411139/equifax-s-billion-dollar-data-breach-disaster-will-it-change-executive-attitudes-toward-security.html.