
Equifax Data Breach

In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax in a major data breach. The breach occurred due to Equifax's failure to patch a known vulnerability, inadequate network segmentation, and expired encryption certificates. This allowed attackers to access databases undetected for months, exfiltrating data on 143 million customers. While the breach had massive implications, no cases of identity fraud can be traced back to this incident, suggesting the attackers' motives were political rather than financial.

Uploaded by Jaimz Ruiz

EQUIFAX DATA BREACH 2007
By: Prof Joel Angeles
⦿ What happened, who was affected, what was the impact?

In 2017, attackers exfiltrated hundreds of millions of customer records from the credit reporting agency. Here's a timeline of the security lapses that allowed the breach to happen and the company's response.

In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.

As we'll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from their lax security posture to their bumbling response to the breach, and top executives were accused of corruption in the aftermath.

And the question of who was behind the breach has serious implications for the global political landscape.
⦿ How did the Equifax breach happen?

Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data.

Most of the discussion in this section and the subsequent one comes from two documents: A detailed report from the U.S. General Accounting Office, and an in-depth analysis from Bloomberg Businessweek based on sources inside the investigation. A top-level picture of how the Equifax data breach happened looks like this:
• The company was initially hacked via a consumer complaint web portal, with the attackers using a widely known vulnerability that should have been patched but, due to failures in Equifax's internal processes, wasn't.

• The attackers were able to move from the web portal to other servers because the systems weren't adequately segmented from one another, and they were able to find usernames and passwords stored in plain text that then allowed them to access still further systems.

• The attackers pulled data out of the network in encrypted form undetected for months because Equifax had crucially failed to renew an encryption certificate on one of their internal security tools.

• Equifax did not publicize the breach until more than a month after they discovered it had happened; stock sales by top executives around this time gave rise to accusations of insider trading.

To understand how exactly all these crises intersected, let's take a look at how the events unfolded.
When did the Equifax breach happen?

The crisis began in March of 2017. In that month, a vulnerability, dubbed CVE-2017-5638, was discovered in Apache Struts, an open source development framework for creating enterprise Java applications that Equifax, along with thousands of other websites, uses. If attackers sent HTTP requests with malicious code tucked into the content-type header, Struts could be tricked into executing that code, and potentially opening up the system Struts was running on to further intrusion.
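A defender-side illustration of the point above, added here and not taken from the slides: a Content-Type header is supposed to hold a short media type, so request logs can be triaged for values that break that grammar or carry expression-language delimiters. The log records, paths, addresses and the placeholder header value are constructed for the example.

```python
import re

# HTTP token characters (RFC 7230 tchar); a media type is token "/" token
# followed by optional ";name=value" parameters.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = rf'\s*;\s*{_TOKEN}=(?:{_TOKEN}|"[^"\\]*")'
MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")
# Openers of an expression-language block; these never occur in a real media type.
EXPR_OPEN = re.compile(r"[%$#]\{")

# Constructed sample records (hypothetical field names, documentation-range IPs).
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "path": "/portal/submit.action",
     "content_type": "application/x-www-form-urlencoded"},
    {"src": "198.51.100.7", "path": "/portal/upload.action",
     "content_type": "multipart/form-data; boundary=----abc123"},
    {"src": "203.0.113.9", "path": "/portal/upload.action",
     "content_type": "%{#constructed_placeholder_expression}"},
    {"src": "203.0.113.20", "path": "/portal/submit.action",
     "content_type": "text/html charset=utf-8"},
]

def classify_content_type(value):
    """Return 'ok', 'malformed' or 'suspicious' for one Content-Type value."""
    if EXPR_OPEN.search(value):
        return "suspicious"          # code-like content where a media type belongs
    if len(value) > 256 or not MEDIA_TYPE.match(value):
        return "malformed"           # not a media type, but no expression opener
    return "ok"

def triage(requests):
    """Return (source, path, verdict) for every request whose header is not 'ok'."""
    findings = []
    for req in requests:
        verdict = classify_content_type(req["content_type"])
        if verdict != "ok":
            findings.append((req["src"], req["path"], verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
```

A check like this is a detection aid for logs or a reverse proxy; it does not replace applying the framework patch.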
On March 7, the Apache Software Foundation released a patch for the vulnerabilities; on March 9, Equifax administrators were told to apply the patch to any affected systems, but the employee who should have done so didn't. Equifax's IT department ran a series of scans that were supposed to identify unpatched systems on March 15; there were in fact multiple vulnerable systems, including the aforementioned web portal, but the scans seemed to have not worked, and none of the vulnerable systems were flagged or patched.
While it isn't clear why the patching process broke down at this point, it's worth noting what was happening at Equifax that same month, according to Bloomberg Businessweek: Unnerved by a series of incidents in which criminals had used Social Security numbers stolen from elsewhere to log into Equifax sites, the credit agency had hired the security consulting firm Mandiant to assess their systems. Mandiant warned Equifax about multiple unpatched and misconfigured systems, and the relationship devolved into acrimony within a few weeks.
Forensics analyzed after the fact revealed that the initial Equifax data breach date was March 10, 2017: that was when the web portal was first breached via the Struts vulnerability. However, the attackers don't seem to have done much of anything immediately.

It wasn't until May 13, 2017 — in what Equifax referred to in the GAO report as a "separate incident" — that attackers began moving from the compromised server into other parts of the network and exfiltrating data in earnest.

From May through July of 2017, the attackers were able to gain access to multiple Equifax databases containing information on hundreds of millions of people; as noted, a number of poor data governance practices made their romp through Equifax's systems possible.
But how were they able to remove all that data without being noticed? We've now arrived at another egregious Equifax screw-up. Like many cyberthieves, Equifax's attackers encrypted the data they were moving in order to make it harder for admins to spot; like many large enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to re-encrypt that traffic, these tools need a public-key certificate, which is purchased from third parties and must be annually renewed.

Equifax had failed to renew one of their certificates nearly 10 months previously — which meant that encrypted traffic wasn't being inspected.

The expired certificate wasn't discovered and renewed until July 29, 2019, at which point Equifax administrators almost immediately began noticing all that previously obfuscated suspicious activity; this was when Equifax first knew about the breach.
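The failure described above has two observable signals: a certificate past (or near) its expiry date, and an inspection device that has quietly stopped decrypting anything. The audit below is an added example, not from the slides; the device names, dates and the `flows_decrypted_24h` metric are constructed assumptions, not Equifax's actual inventory.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory. not_after uses the text format that
# ssl.SSLSocket.getpeercert() reports in its "notAfter" field.
INVENTORY = [
    {"device": "tls-inspect-01", "not_after": "Mar  1 00:00:00 2025 GMT",
     "flows_decrypted_24h": 0},
    {"device": "tls-inspect-02", "not_after": "Feb 10 00:00:00 2026 GMT",
     "flows_decrypted_24h": 48211},
    {"device": "tls-inspect-03", "not_after": "Jun 30 00:00:00 2027 GMT",
     "flows_decrypted_24h": 0},
    {"device": "tls-inspect-04", "not_after": "Jun 30 00:00:00 2027 GMT",
     "flows_decrypted_24h": 51900},
]

def audit(inventory, now, warn_days=30):
    """Return {device: [findings]} for devices needing action at `now` (aware UTC)."""
    report = {}
    for item in inventory:
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(item["not_after"]), tz=timezone.utc)
        days_left = (expires - now).days
        findings = []
        if days_left < 0:
            findings.append(f"certificate expired {-days_left} days ago")
        elif days_left <= warn_days:
            findings.append(f"certificate expires in {days_left} days")
        # A valid certificate is not enough: zero decrypted flows means the
        # device is passing encrypted traffic through uninspected.
        if item["flows_decrypted_24h"] == 0:
            findings.append("no traffic decrypted in 24h: inspection may be failing open")
        if findings:
            report[item["device"]] = findings
    return report

if __name__ == "__main__":
    for device, findings in audit(INVENTORY, datetime.now(timezone.utc)).items():
        print(device, findings)
```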
It took another full month of internal investigation before Equifax publicized the breach, on September 8, 2017. Many top Equifax executives sold company stock in early August, raising suspicions that they had gotten ahead of the inevitable decline in stock price that would ensue when all the information came out. They were cleared, though one lower-level exec was charged with insider trading.
What data was compromised and how many people were affected?

This last factor is somewhat ironic, as the people concerned enough about their credit score to pay Equifax to look at it also had the most personal data stolen, which could lead to fraud that would then damage their credit score.

But a funny thing happened as the nation braced itself for the wave of identity theft and fraud that seemed inevitable after this breach: it never happened. And that has everything to do with the identity of the attackers.
⦿ Equifax breach by the numbers

• 76 days: Amount of time during which the attackers were active within Equifax's networks without being discovered

• 143 million: Number of consumers whose data was potentially affected by the breach

• $125: The most you can expect to get in compensation if your data was exfiltrated from Equifax's systems

• $1.4 billion: Amount Equifax has spent on upgrading its security in the wake of the incident

• 0: Number of fraud or identity theft cases that can be traced back to this incident
Thank You !
