What Happened In The Equifax Data Breach?

Equifax Data Breach Summary

Incident Overview:
In September 2017, Equifax, one of the largest credit reporting agencies in the United States, disclosed a massive data breach that compromised the personal information of approximately 147 million people and later gave rise to extensive litigation. This incident was one of the largest data breaches ever reported, affecting individuals in the U.S., Canada, and the UK.

Technical Root Cause:

  • Vulnerability in Apache Struts: The breach stemmed from an unpatched vulnerability in Apache Struts, an open-source web application framework used by Equifax. Specifically, the vulnerability was CVE-2017-5638, a remote code execution flaw that allowed attackers to execute arbitrary commands on the affected server. This vulnerability was publicly known and had a patch available since March 2017, but Equifax failed to apply the patch in a timely manner.
  • Security Practices: The breach highlighted several security lapses, including inadequate patch management, poor network segmentation, and insufficient monitoring of system vulnerabilities. The attackers entered the system through this single vulnerability and then moved laterally across Equifax’s network, accessing multiple databases.
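The root cause above comes down to a known-vulnerable library version left in production after a fix was available. The following is an added example (not code from the original article or from Equifax) of the kind of dependency check a patch-management process would run: it parses a Maven pom.xml, resolves property-based versions, and flags Apache Struts versions in the ranges the Struts project listed as affected by CVE-2017-5638 (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1). The sample POM documents are constructed for the example.

```python
"""Added example: flag Apache Struts dependency versions affected by CVE-2017-5638."""
import xml.etree.ElementTree as ET

# Affected ranges as published in the Apache Struts advisory for CVE-2017-5638
# (S2-045): 2.3.5 - 2.3.31 and 2.5 - 2.5.10; fixed in 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
]
STRUTS_GROUP = "org.apache.struts"
STRUTS_ARTIFACTS = {"struts2-core"}

# Constructed sample POMs (not real project files): one still on a vulnerable
# release pulled in through a property, one on the fixed 2.5.10.1 release.
SAMPLE_POM_VULNERABLE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.31</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId><version>3.5</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>${struts.version}</version></dependency>
  </dependencies>
</project>"""

SAMPLE_POM_PATCHED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.5.10.1</version></dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Turn '2.3.20-SNAPSHOT' into (2, 3, 20); non-numeric suffixes are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version, low, high):
    """Inclusive comparison after zero-padding so 2.5 == 2.5.0 and 2.5.10.1 > 2.5.10."""
    n = max(len(version), len(low), len(high))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(low) <= pad(version) <= pad(high)


def is_affected(version_text):
    v = parse_version(version_text)
    return any(in_range(v, lo, hi) for lo, hi in AFFECTED_RANGES)


def _local(tag):
    # Strip the Maven XML namespace from an element tag.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def find_struts_dependencies(pom_xml):
    """Return (artifactId, resolved version) for every Struts dependency in the POM."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for prop in elem:
                properties[_local(prop.tag)] = (prop.text or "").strip()
    found = []
    for elem in root.iter():
        if _local(elem.tag) != "dependency":
            continue
        version = _child_text(elem, "version")
        if version.startswith("${") and version.endswith("}"):
            version = properties.get(version[2:-1], version)  # resolve ${prop}
        if _child_text(elem, "groupId") == STRUTS_GROUP and \
                _child_text(elem, "artifactId") in STRUTS_ARTIFACTS:
            found.append((_child_text(elem, "artifactId"), version))
    return found


def audit_pom(pom_xml):
    """Return (artifactId, version, affected?) for each Struts dependency found."""
    return [(a, v, is_affected(v)) for a, v in find_struts_dependencies(pom_xml)]


if __name__ == "__main__":
    for name, pom in (("vulnerable", SAMPLE_POM_VULNERABLE), ("patched", SAMPLE_POM_PATCHED)):
        for artifact, version, affected in audit_pom(pom):
            status = "AFFECTED - upgrade required" if affected else "ok"
            print(f"{name}: {artifact} {version}: {status}")
```

Running the same check against every deployable artifact on a schedule, and treating an AFFECTED result as a blocking finding, is the control whose absence the article's "inadequate patch management" refers to; the version comparison deliberately zero-pads so that a bare "2.5" is caught and the four-part fix release "2.5.10.1" is not misreported.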

Data Compromised:

  • The breach exposed sensitive data including names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers and credit card details. For roughly 209,000 U.S. consumers, credit card numbers were also compromised.

Resolution:

  • Immediate Actions: Equifax took several steps post-breach:
      • They set up a dedicated website for consumers to check if their data was compromised.
      • Offered one year of free credit monitoring and identity theft protection services through TrustedID Premier.
      • Initiated a forensic investigation with external cybersecurity firms and law enforcement.
  • Security Enhancements: Following the breach, Equifax undertook significant changes to its security infrastructure, including improving patch management, enhancing network security, and implementing better data protection strategies.

Court Cases and Legal Actions:

  • Class Action Lawsuits: Equifax faced numerous class action lawsuits from consumers. These lawsuits accused Equifax of negligence in protecting data, with claims for damages due to financial losses, time spent on recovery, and the risk of identity theft. In July 2019, Equifax agreed to a settlement:
      • A $700 million fund for consumer restitution, including payments for time spent on recovery efforts and credit monitoring services.
      • An additional $125 million in fines and penalties to states and the Consumer Financial Protection Bureau (CFPB).
  • Regulatory Actions:
      • The Federal Trade Commission (FTC) in the U.S. imposed a $575 million fine, part of which was used for the consumer restitution fund.
      • The UK’s Information Commissioner’s Office (ICO) fined Equifax £500,000, which was the maximum fine under the Data Protection Act 1998 at the time (GDPR fines were not applicable as the breach occurred before May 2018).
  • Criminal Investigation: There was also a criminal investigation by the U.S. Department of Justice into former Equifax executives for insider trading, where they sold stock before the breach was public knowledge. This led to charges against some executives for insider trading.

Outcome and Lessons:

  • Reputational and Financial Impact: Equifax faced significant reputational damage, loss of consumer trust, and financial penalties. The total cost of the breach, including legal fees, settlements, and security enhancements, ran into billions.
  • Cybersecurity Lessons: The Equifax breach underscored the importance of:
      • Timely application of security patches.
      • Robust cybersecurity governance and monitoring practices.
      • Effective communication during and after a breach.

This case remains a pivotal example in cybersecurity education, highlighting how even major corporations can be vulnerable to basic security oversights.
