US government releases post-mortem report on Equifax hack

GAO report takes us inside Equifax from March 2017 onward, showing how a few slip-ups led to one of the biggest breaches in US history.
Written by Catalin Cimpanu, Contributor on

The Government Accountability Office (GAO) has published a report detailing how the Equifax hack unfolded and how the credit reporting company responded during and after the incident.

The report comes a day before the one-year anniversary of the public announcement of the Equifax breach that exposed the personal details of 145.5 million Americans, but also of millions of British and Canadian citizens.

Some of the details included in the report were already known and previously reported, but there was also some new information. Below is a summary of the most important details surrounding the Equifax hack included in GAO's reconstruction of events.


On March 8, 2017, the Apache Software Foundation patches a severe vulnerability (CVE-2017-5638) in the Apache Struts Java framework: a remote code execution flaw in the framework's Jakarta Multipart parser, triggered by a crafted Content-Type header, that was already being exploited in the wild to take over applications built on top of the framework.

US-CERT issues a security advisory on the same day, warning companies across the US about this new security flaw.


Equifax IT administrators circulate this advisory on an internal mailing list. Unbeknownst to them, the mailing list was out of date and did not reach all of the company's system administrators, so the Struts patch was never applied to every affected server.

Equifax told GAO that on March 10, two days after the US-CERT advisory, it detected attackers scanning its servers for that particular vulnerability.

Equifax officials stated that, through this scanning, the unidentified individuals found a server hosting Equifax's online dispute portal that was running a vulnerable Struts version. The attackers gained access to this system and tested the level of access they had, but did not steal anything at this stage.

A week after the US-CERT advisory, Equifax staff scan the company's own systems for the Struts vulnerability, but the scan fails to flag the dispute portal, which was still running the vulnerable version.
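A network scan that depends on probing the vulnerable code path can miss a host, as it did here. A complementary control is an inventory check that reads the Struts version directly off the deployed artifacts. The following is an added example, not code from the GAO report or from Equifax: it walks a directory tree for struts2-core-<version>.jar files and compares each version against the affected ranges published in Apache's S2-045 advisory for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1). The directory layout and jar names it builds under a temporary directory are constructed sample data.

```python
"""Inventory-based check for Apache Struts builds affected by CVE-2017-5638.

Added example, not from the GAO report or Equifax. It locates
struts2-core-<version>.jar files under a root directory and reports which
ones fall inside the affected version ranges from the S2-045 advisory.
"""
import os
import re
import tempfile

# Filename pattern of the Struts core jar as shipped by Apache.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

# Inclusive affected ranges from S2-045 (fixed in 2.3.32 and 2.5.10.1).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1)."""
    return tuple(int(part) for part in text.split("."))


def pad(version, width=4):
    """Right-pad with zeros so (2, 5) and (2, 5, 0, 0) compare equal."""
    return version + (0,) * (width - len(version))


def is_affected(version_text):
    """True when the version lies inside one of the affected ranges."""
    version = pad(parse_version(version_text))
    return any(pad(lo) <= version <= pad(hi) for lo, hi in AFFECTED_RANGES)


def find_struts_jars(root):
    """Yield (path, version) for every struts2-core jar under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if match:
                yield os.path.join(dirpath, name), match.group(1)


def audit(root):
    """Return [(path, version, affected)] for all Struts jars under root."""
    return [(path, ver, is_affected(ver)) for path, ver in find_struts_jars(root)]


def build_sample_tree():
    """Constructed sample: three hypothetical webapps with placeholder jars."""
    root = tempfile.mkdtemp(prefix="struts-audit-")
    layout = [
        "dispute-portal/WEB-INF/lib/struts2-core-2.3.30.jar",  # affected
        "hr-app/WEB-INF/lib/struts2-core-2.5.10.1.jar",        # fixed
        "legacy/WEB-INF/lib/struts2-core-2.3.32.jar",          # fixed
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()  # empty placeholder, only the name matters
    return root


if __name__ == "__main__":
    for path, ver, affected in audit(build_sample_tree()):
        print("AFFECTED " if affected else "ok       ", ver, path)
```

Matching on the jar filename is only a first pass: a shaded or renamed jar will not be found, so a production version of this check should also open each jar and read META-INF/maven/org.apache.struts/struts2-core/pom.properties, and should run from a host inventory rather than from whatever list happens to be on a mailing list.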


The hackers return on May 13, and this time, according to the GAO report, they come back with a plan and the tools to execute it.

During this second intrusion, Equifax says attackers issued queries from the online dispute portal systems to other databases in search of personal data.

"This search led to a data repository containing PII, as well as unencrypted usernames and passwords that could provide the attackers access to several other Equifax databases," the report says.

These credentials let the attackers expand their access from the three databases reachable from the portal to 48. Logs showed the attackers then ran approximately 9,000 queries to gather Equifax customer information.

The GAO report says this was possible because Equifax had not segmented its network: the databases behind the dispute portal were not isolated from databases holding unrelated data, so a foothold on one internet-facing system gave the attackers direct and easy access to all of its customers' data.
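The lateral movement described above leaves a signature in database audit logs: a single application tier suddenly touching databases it has no business reason to use, under credentials it never used before, and pulling far more rows than usual. The following is an added example, not from the GAO report or Equifax, of detection logic for that pattern. The log format, host names, database names and the per-source allowlist in EXPECTED are constructed assumptions for the example; in practice the allowlist comes from the application's documented data dependencies.

```python
"""Flag an application host that starts querying databases outside its
normal footprint. Added example; log format and names are constructed."""
import re
from collections import defaultdict

# Hypothetical audit-log format: one query summary per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) db=(?P<db>\S+) user=(?P<user>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample log: the portal host drifts from its one database to
# three others, using a second credential and pulling large result sets.
SAMPLE_LOG = """\
2017-05-14T02:11:03Z src=portal-web-01 db=disputes user=app_portal rows=12
2017-05-14T02:12:40Z src=portal-web-01 db=disputes user=app_portal rows=3
2017-05-14T02:15:09Z src=portal-web-01 db=consumer_pii user=svc_reporting rows=4800
2017-05-14T02:16:51Z src=portal-web-01 db=credit_hist user=svc_reporting rows=2500
2017-05-14T02:18:22Z src=portal-web-01 db=accounts user=svc_reporting rows=900
2017-05-14T02:20:00Z src=hr-batch-02 db=hr user=app_hr rows=40
2017-05-14T02:21:15Z src=hr-batch-02 db=payroll user=app_hr rows=55
"""

# Assumed allowlist: which databases each source host legitimately uses.
EXPECTED = {
    "portal-web-01": {"disputes"},
    "hr-batch-02": {"hr", "payroll"},
}


def parse(lines):
    """Yield one dict per well-formed log line; skip blanks and junk."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["rows"] = int(rec["rows"])
            yield rec


def detect(lines, expected, max_dbs=2, max_rows=5000):
    """Return findings as (src, kind, detail) tuples.

    kinds: unexpected_db      - touched a database outside its allowlist
           db_breadth         - touched more than max_dbs distinct databases
           row_volume         - returned more than max_rows rows in total
           multiple_identities - used more than one database credential
    """
    per_src = defaultdict(lambda: {"dbs": set(), "users": set(), "rows": 0})
    for rec in parse(lines):
        state = per_src[rec["src"]]
        state["dbs"].add(rec["db"])
        state["users"].add(rec["user"])
        state["rows"] += rec["rows"]

    findings = []
    for src, state in sorted(per_src.items()):
        unexpected = state["dbs"] - expected.get(src, set())
        if unexpected:
            findings.append((src, "unexpected_db", sorted(unexpected)))
        if len(state["dbs"]) > max_dbs:
            findings.append((src, "db_breadth", len(state["dbs"])))
        if state["rows"] > max_rows:
            findings.append((src, "row_volume", state["rows"]))
        if len(state["users"]) > 1:
            findings.append((src, "multiple_identities", sorted(state["users"])))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines(), EXPECTED):
        print(*finding)
```

The allowlist check is the one that matters most: it encodes the segmentation that was missing, so that even a host holding valid credentials for 48 databases trips an alert the moment it reaches a database it was never meant to query. Thresholds for breadth and volume should be set per host from a baseline, not shared globally as in this example.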

"After successfully extracting PII from Equifax databases, the attackers removed the data in small increments, using standard encrypted web protocols to disguise the exchanges as normal network traffic," GAO investigators said.

Hackers exfiltrated data for 76 days until July 29, 2017, when Equifax staff discovered the intrusion during routine checks of the operating status and configuration of IT systems.
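Exfiltration "in small increments" over HTTPS is designed to stay below any single-session threshold, which is why it is caught by aggregating rather than by inspecting individual connections. The following is an added example, not from the GAO report or Equifax: it groups outbound TLS flow records by internal source and external destination and flags pairs whose every session is small but whose cumulative volume over several days is large. The flow-record format, host names, the destination address (from the documentation range 203.0.113.0/24) and the thresholds are constructed assumptions.

```python
"""Low-and-slow exfiltration detector over constructed flow records.
Added example; record format, hosts and thresholds are assumptions."""
import re
from collections import defaultdict

# Hypothetical flow-log format: one outbound TLS session per line.
FLOW_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) out=(?P<out>\d+)$"
)


def build_sample_flows():
    """Constructed sample: one host trickles ~180 KB sessions to a single
    external address for five days; another host does normal API calls."""
    lines = []
    for day in range(10, 15):  # five consecutive days in May 2017
        for session in range(20):
            lines.append(
                f"2017-05-{day:02d}T{session:02d}:17:00Z src=dispute-app-03 "
                f"dst=203.0.113.7 dport=443 out=180000"
            )
    for session in range(3):
        lines.append(
            f"2017-05-12T0{session}:05:00Z src=web-01 "
            f"dst=198.51.100.20 dport=443 out=200000"
        )
    return lines


def aggregate(lines):
    """Per (src, dst): total bytes out, session count, largest session, days seen."""
    stats = defaultdict(lambda: {"total": 0, "sessions": 0, "max": 0, "days": set()})
    for line in lines:
        match = FLOW_RE.match(line.strip())
        if not match:
            continue
        out = int(match.group("out"))
        key = (match.group("src"), match.group("dst"))
        state = stats[key]
        state["total"] += out
        state["sessions"] += 1
        state["max"] = max(state["max"], out)
        state["days"].add(match.group("day"))
    return stats


def detect_low_and_slow(lines, max_session_bytes=512_000,
                        min_total_bytes=10_000_000, min_days=3):
    """Return (src, dst, days, sessions, total) for pairs where no single
    session exceeds max_session_bytes yet the cumulative volume across at
    least min_days days exceeds min_total_bytes."""
    findings = []
    for (src, dst), state in sorted(aggregate(lines).items()):
        if (state["max"] <= max_session_bytes
                and state["total"] >= min_total_bytes
                and len(state["days"]) >= min_days):
            findings.append((src, dst, len(state["days"]), state["sessions"], state["total"]))
    return findings


if __name__ == "__main__":
    for finding in detect_low_and_slow(build_sample_flows()):
        print("low-and-slow:", finding)
```

This works on flow metadata alone, which is the point: a source host that should not be talking to arbitrary external addresses at all, or whose baseline outbound volume is a fraction of what it suddenly sends, is visible without decrypting anything. That does not replace TLS inspection, but it keeps the detection from depending on a single appliance being healthy.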


Equifax said that the hackers went undetected for 76 days because a device meant to inspect network traffic had been misconfigured and was not examining encrypted traffic for signs of malicious activity.

The device was not working, Equifax said, because a digital certificate it needed in order to decrypt and inspect that traffic had expired about ten months before the breach began. A TLS inspection appliance that cannot decrypt a session cannot inspect it, and nothing had flagged the expired certificate, so the blind spot went unnoticed.

Once Equifax staff renewed the certificate, they saw signs of suspicious activity.


After investigating what happened and discovering the intrusion, Equifax took down the dispute portal on July 30, 2017, and reported the incident to its CEO the next day. At this point, the company started its internal investigation, which concluded with a public announcement of the breach on September 8, 2017.

While the company was preparing its public disclosure, a number of employees learned of the incident. The US Securities and Exchange Commission (SEC) later charged an Equifax executive and an engineer with insider trading, in March and June 2018 respectively.


Huge public backlash followed the Equifax breach announcement. While some might have expected the Equifax breach to be a watershed moment for consumer rights after data breaches, little has changed during the past year. If anything, the aftermath has left a bad taste in everyone's mouth.

For starters, the Consumer Financial Protection Bureau pulled back from a full-scale probe of Equifax in February 2018. In May 2018, the Federal Trade Commission named a former Equifax lawyer head of its consumer protection office, the office tasked with investigating Equifax in the first place. A bill introduced to sanction companies like Equifax for breaches of this scale stalled, while another bill that would benefit Equifax despite the breach was introduced a few months later.

The GAO report released today opens old wounds and comes as a slap in the face of all those affected who expected actions and more than endless talks around the subject.

