The Equifax data breach that compromised the personal data of almost 150 million Americans in 2017 unfolded like a classic robbery.
The criminals identified a flaw in the credit agency’s security system, executed a plan of attack to penetrate it and devised a scheme to cover their tracks on their way out, according to a criminal indictment unsealed Monday.
Those alleged criminals, four members of the Chinese military, exploited a flaw in software that allowed U.S. consumers to dispute problems with their Equifax credit reports. That gave the hackers access to Americans’ personal information, according to the indictment.
The breach occurred after Equifax security officials failed to install a software upgrade that had been recommended to seal off digital intruders from obtaining access to the names, birthdates and Social Security numbers of the victims, the indictment says.
The U.S. Department of Justice announced that a federal grand jury in Atlanta delivered a nine-count indictment accusing four hackers and members of China’s People’s Liberation Army – Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei – of serving as masterminds of the hack.
FBI Deputy Director David Bowdich said there’s no evidence the Chinese military used the stolen information for illegal purposes, but the “brazen theft” illustrates that “China is one of the most significant threats to our national security today.”
According to the indictment, the hackers:
• Recognized that Equifax failed to install an upgrade to Apache Struts software, which Apache recommended around March 7, 2017. The software underpinned an online portal that allowed consumers to dispute their credit report details.
• Used the flaw to upload code to an Equifax server to gain remote access to the system.
• Uncovered Equifax database credentials and “thereby falsely represented that they were authorized users of Equifax’s network.”
• Searched the system about 9,000 times for sensitive personal information while hiding the searches through encryption.
• Stuffed the personal information in temporary files, compressed them and divided them into smaller-sized files to increase their chances of transmitting the stolen data without being noticed.
• Used 34 servers in 20 countries during the breach and employed various other techniques, such as remote-desktop access and encrypted log-ins, to mask the origin of the hack.
• Deleted the compressed files after transferring the data into external storage, then configured settings to wipe out information tracking their activity.
The Apache Foundation – which oversees the widely used open-source software that the hackers exploited to obtain access to Equifax servers – revealed in September 2017 that “the Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner.”
Equifax acknowledged that the criminals who gained access to its customer data exploited a website application vulnerability known as Apache Struts CVE-2017-5638.
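As an added illustration that is not part of this article or the indictment: CVE-2017-5638 was triggered by a malformed Content-Type header that the Struts multipart parser evaluated as an OGNL expression, so the basic defensive check is to flag requests whose Content-Type carries expression markers. The log format, sample lines and function names below are constructed for this example, not Equifax's.

```python
"""Flag requests whose Content-Type carries OGNL markers (CVE-2017-5638 probes)."""
import re
from collections import Counter

# Markers that never belong in a legitimate Content-Type value: the vulnerable
# Struts multipart parser evaluated a malformed Content-Type header as OGNL.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "ognl")

# Log format assumed here (constructed, not Equifax's): ip method path status "content-type"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample lines; the suspicious ones carry placeholder expressions only.
SAMPLE_LOG = [
    '198.51.100.7 POST /dispute/upload.action 200 "multipart/form-data; boundary=x1"',
    '203.0.113.9 POST /dispute/upload.action 200 "%{(#probe=1)}"',
    '198.51.100.8 GET /dispute/status.action 200 "-"',
    '203.0.113.9 POST /dispute/upload.action 500 "${#probe}"',
    '198.51.100.10 POST /dispute/upload.action 200 "application/x-www-form-urlencoded"',
    'garbage line that does not parse',
]

def parse_line(line):
    """Return (ip, method, path, status, content_type), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, ctype = m.groups()
    return ip, method, path, int(status), ctype

def suspicious_content_type(ctype):
    """Return the first OGNL marker found in a Content-Type value, else None."""
    lowered = ctype.lower()
    for marker in OGNL_MARKERS:
        if marker.lower() in lowered:
            return marker
    return None

def scan_log(lines):
    """Return (hits, per_ip): hits as (ip, path, status, marker) tuples and a
    per-client count, so repeated probing from one address stands out."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole scan
        ip, _method, path, status, ctype = parsed
        marker = suspicious_content_type(ctype)
        if marker:
            hits.append((ip, path, status, marker))
    return hits, Counter(ip for ip, *_ in hits)
```

A hit is a reason to check whether the Struts version behind that endpoint predates the March 2017 fix, which is the patch-lag gap the indictment describes.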
Equifax CEO Mark Begor said Monday in a statement that the company has made significant investments since the breach to bolster its data protection, including $1.25 billion for “enhanced security and technology” from 2018 to 2020.
“Our industry-leading cloud technology transformation will make us more secure and enable us to innovate and develop solutions. … Today’s announcement is another positive step forward in helping us turn the page on the cybersecurity attack as we continue our focus on being a leader in data security,” he said.
Could a similar hack happen to others?
“The reality is there’s little consequence for companies that are holding onto this information” and fail to protect it, said Adam Garber, consumer watchdog with the Public Interest Research Group’s Education Fund. “And without those consequences, there’s not a lot of incentive for them to stay on top of the highest data security (protocol) out there.”
John Yanchunis, an attorney at law firm Morgan & Morgan who helped lead negotiations for a $380.5 million settlement with consumers affected by the Equifax breach, said companies need an incentive to take proactive security steps.
“All too often we see companies acting out of consequence instead of conscience,” he said.
Can companies play defense?
But are companies capable of fending off military hacking attempts at all?
“Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult,” Equifax CEO Begor said in a statement. “Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand. These cyber attacks on U.S. companies continue to escalate and are increasingly challenging to defend when well-financed state actors are involved.”
PIRG’s Garber said the fact that state-sponsored actors have significant capabilities doesn’t excuse companies from making a sophisticated effort to protect consumers.
“Is anything ever perfectly secure? Probably not. But they should do everything in their power to make sure that it’s safe,” he said.
Yanchunis said companies can hire ethical hackers to test their systems for vulnerabilities and reward them when they find flaws. Companies should also implement early detection systems and conduct breach simulations to better prepare themselves for inevitable attacks, he said.
Follow USA TODAY reporter Nathan Bomey on Twitter @NathanBomey.