The U.S. Government recently released a detailed report on how the Equifax hack happened and what its consequences were. In its latest report, the Government Accountability Office (GAO) published the full details of its investigation into the credit reporting company. The report comes almost a year after the breach that exposed the personal details of 145.5 million users, including Social Security numbers, credit card numbers and driver’s license numbers.
The GAO report stated that the incident occurred because Equifax failed to segment its databases into smaller networks, which allowed the attacker to get access to all of its customers’ data.
“After successfully extracting PII from Equifax databases, the attackers removed the data in small increments, using standard encrypted web protocols to disguise the exchanges as normal network traffic,” the GAO investigation report said.
On July 29, 2017, Equifax’s security team observed suspicious network traffic associated with its U.S. online dispute portal web application and blocked the traffic it had identified. But the company waited until after the close of trading nearly six weeks later to disclose the breach to consumers and to Equifax’s investors. After identifying a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
The incident potentially affected personal information of 143 million U.S. consumers – primarily names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers. Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries. Equifax made a public disclosure of the incident on September 7, 2017, after hackers exfiltrated data for 76 days.
Equifax said that it was unable to detect the hackers’ movements for 76 days because a device meant to inspect network traffic for signs of malicious activity had malfunctioned.
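The report describes exfiltration carried out in small increments over encrypted web protocols so that each transfer blends into normal traffic, and an inspection device that was not working for the whole 76 days. The following is an added example, not from the GAO report or this article, of a simple defender-side check that does not depend on inspecting encrypted payloads: it aggregates outbound flow records per internal-host/external-destination pair and flags pairs whose individual transfers are small but whose cumulative volume over several days is not. The log format, addresses, thresholds and byte counts are all constructed for the example.

```python
"""Added example: detect 'low-and-slow' exfiltration from outbound flow records.
Each flow looks like ordinary HTTPS (port 443, modest size); only the running
total per (source, destination) over multiple days gives the pattern away.
Log format and all values are constructed, not taken from the report."""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: timestamp, internal source, external destination, dst port, bytes out
SAMPLE_FLOWS = """\
2017-05-14T02:11:05 10.20.1.15 203.0.113.7 443 48000
2017-05-14T09:40:12 10.20.1.15 203.0.113.7 443 51000
2017-05-15T01:02:44 10.20.1.15 203.0.113.7 443 47500
2017-05-16T03:15:09 10.20.1.15 203.0.113.7 443 49900
2017-05-16T11:20:33 10.20.1.15 198.51.100.4 443 12000
2017-05-16T11:21:10 10.20.1.30 198.51.100.9 443 900000
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows

def find_low_and_slow(flows, per_flow_max=100_000, total_min=150_000, min_days=2):
    """Return sorted (src, dst) pairs whose individual flows each stay under
    per_flow_max bytes (small enough to blend in) but whose combined volume
    across at least min_days distinct days reaches total_min bytes.
    Single large flows are deliberately excluded here: the assumption is that
    an ordinary per-flow volume alert already covers them."""
    totals = defaultdict(int)
    days = defaultdict(set)
    for ts, src, dst, port, nbytes in flows:
        if port != 443 or nbytes > per_flow_max:
            continue  # only small, encrypted-web-looking transfers are of interest
        totals[(src, dst)] += nbytes
        days[(src, dst)].add(ts.date())
    return sorted(k for k, t in totals.items()
                  if t >= total_min and len(days[k]) >= min_days)

if __name__ == "__main__":
    for src, dst in find_low_and_slow(parse_flows(SAMPLE_FLOWS)):
        print(f"possible low-and-slow exfiltration: {src} -> {dst}")
```

Because the check uses only flow metadata (who talked to whom, when, and how much), it still works when a TLS inspection device is down; the thresholds should be tuned to the baseline of the network it is run against.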