Equifax data breach: A look at how it happened
Nearly 148 million Americans had their information stolen in the Equifax data breach of 2017, which began with a software vulnerability.
The Equifax breach was one of the largest in modern history. Hackers took control after discovering a software vulnerability. Equifax knew of the vulnerability and failed to implement a patch in time.
Once inside, hackers stole the personal information of nearly half of the American population. So, what happened, and is there anything you can do to survive the fallout of data breaches like this?
Key points:
- Equifax data was leaked from May to June 2017 and the company announced the breach on September 7, 2017.
- A software vulnerability in Equifax's systems was left unpatched for weeks, which led to the data breach.
- The breach left about 148 million Americans vulnerable to identity theft and fraud.

Overview of the Equifax data breach
Nearly 148 million Americans¹ plus 15.2 million UK citizens² and 19,000 Canadian citizens³ had their information stolen from Equifax between May and July 2017.
As you'll see in the timeline below, this event stems from a flaw in a software program that was discovered but not patched right away. The vulnerability existed for a couple of months before hackers were able to exploit it. After that, the hackers had another couple of months to take all the data they could before Equifax implemented the patch.
According to a Bloomberg report⁴, the hackers had enough time to use several methods in order to find the most sensitive pieces of information to steal. They started with an entry crew who gained access to Equifax. This crew then handed the operation off to a more seasoned group of hackers who got around firewalls and other internal security blocks to organize and export large amounts of data.
Equifax waited over a month before notifying the public of the breach. In January 2019, Equifax agreed to a settlement⁵ that involved the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories. Equifax set aside $300 million to provide credit monitoring and compensate consumers, $175 million to 48 states, the District of Columbia and Puerto Rico, and $100 million to the CFPB.
Equifax data breach timeline
Here’s a basic timeline of what happened:
- March 7, 2017: Apache Software reported a vulnerability and released a patch for Apache Struts.
- March 8, 2017: The Department of Homeland Security notified Equifax about the Apache Struts vulnerability.
- May 13, 2017: Hackers exploited the vulnerability in Equifax’s software.
- July 29, 2017: Equifax noticed suspicious website traffic and applied the Apache patch.
- July 30, 2017: Equifax took down a web application after more suspicious activity.
- August 2, 2017: Equifax hired Mandiant, a cybersecurity firm, to investigate the breach.
- September 7, 2017: Equifax publicly announced the breach through a Tweet.
- March 1, 2018: Equifax announced that an additional 2.4 million U.S. consumers had their information stolen.
- June 22, 2019: Equifax entered into a settlement with the FTC, CFPB, and 50 U.S. states and territories.
- January 22, 2020: The initial deadline passed for consumers to submit a claim under the class action lawsuit.
- January 22, 2024: The extended deadline to submit a class action claim passed.
What was stolen?
The hackers stole personally identifiable information for almost 148 million Americans. This included:
- Names
- Social security numbers
- Birth dates
- Addresses
- Driver’s license numbers
This was one of the largest social security data breaches in recent history. The amount of personal information stolen gave bad actors all they needed to commit fraud.
Are you at risk?
Identity theft can affect your credit and cause you to be denied for loans or new cards. You might also pay higher interest rates on the cards you have if someone steals your identity and doesn’t pay their debts. And since employers and landlords check your credit, you might have a harder time finding housing or getting a job.
The class action breach settlement administrator maintains a website, equifaxbreachsettlement.com, where you can learn about the breach and check if your information was exposed.
At this time, the deadlines for filing claims for compensation have passed.
Equifax response and settlement
Looking at the timeline, Equifax's senior leadership waited quite some time before alerting the public of the breach. According to the class action complaint⁶,
“By waiting approximately 7 weeks after Equifax discovered the breach to notify consumers, Equifax deprived consumers of an opportunity to take immediate precautionary measures to protect themselves from identity theft and fraud.”
Ultimately, Equifax denied wrongdoing and no judgment of wrongdoing was made. Instead, Equifax settled a class action lawsuit with the group of about 148 million U.S. consumers. Here’s what the impacted consumers could receive:
- Free credit monitoring
- Up to $125 in compensation
- Reimbursement of $25 per hour for up to 20 hours for time spent recovering from fraud or identity theft
- Out of pocket losses up to $20,000
- Free identity restoration services for up to 7 years
Note that all deadlines to receive these benefits have passed.
Who stole the information?
The U.S. government indicted four Chinese military-backed hackers⁷ for attacking Equifax and stealing data. Curiously, the data never turned up for sale on the black market⁸. Instead, analysts theorized that the data was more likely used for spying purposes. The Chinese government denied the allegations.
Aftermath from the breach
Unfortunately, problems from the data breach didn’t stop when it was discovered. According to the consumer class action complaint⁹, Equifax set up a website that was designed to help consumers get information on the breach. However, this site had flaws of its own that made it vulnerable to hackers.
Scammers manipulated code on the site to disseminate adware and get more personal information from consumers. Scammers also took advantage of anxious consumers through phishing emails. They posed as legitimate resources for breach recovery so they could steal even more information.
What can you do to safeguard your information?
The effects of the Equifax breach continue even today. Millions of people live in anxiety wondering whether someone has access to their private financial information. The good news is you can protect your personal data and digital footprint in a few ways.
Monitoring your credit is one of the best things to do after a breach, which is why companies often offer it for free in these situations. Any American can get free credit reports¹⁰ each week from the three national credit bureaus. The bureaus began the program during the COVID-19 pandemic and then permanently extended it.
You can also implement a credit freeze, which requires new creditors to take extra steps to verify your identity. A credit freeze is free and you can remove it whenever you want. Practice secure online habits like using different passwords for your accounts and two-factor authentication.
Another option to consider is Mozilla Monitor, which scans data broker sites for your information. Monitor can let you know if a site you have an account with was breached, and it can alert you if your information shows up on a list of data brokers and people search sites. This is a common scenario after a major data leak like the Equifax breach.
¹ Bernard, T. S., Hsu, T., Perlroth, N., and Lieber, R. (2017, September 7). Equifax Says Cyberattack May Have Affected 143 Million in the U.S. New York Times. https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
² McCrank, J. (2021, September 30). Equifax says 15.2 million UK records exposed in cyber breach. Reuters. https://www.reuters.com/article/world/equifax-says-15-2-million-uk-records-exposed-in-cyber-breach-idUSKBN1CF2JR/
³ Canadian Press. (2017, November 28). Equifax says more than 19,000 Canadians affected by security breach. CBC/Radio-Canada. https://www.cbc.ca/news/business/equifax-canadians-affected-update-1.4424066
⁴ Riley, M., Robertson, J., and Sharpe, A. (2017, September 29). The Equifax Hack Has the Hallmarks of State-Sponsored Pros. Bloomberg. https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros
⁵ Federal Trade Commission. (2019, July 22). Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach. https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach
⁶ Davis et al. vs. Equifax. Case 1:17-md-02800-TWT, (2018). https://www.equifaxbreachsettlement.com/admin/services/connectedapps.cms.extensions/1.0.0.0/ed93e6d9-c6b0-4829-994c-a7687661917f_1033_Consolidated-Consumer-Class-Action-Complaint-20180514.pdf
⁷ U.S. Department of Justice. (2020, February 10). Office of Public Affairs, U.S. Department of Justice. Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax. https://www.justice.gov/archives/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking
⁸ Fazzini, K. (2019, February 13). The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme. CNBC. https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html
⁹ Ibid., Davis et al. vs. Equifax.
¹⁰ National Institute of Mental Health. (2018, July). Anxiety disorders. U.S. Department of Health and Human Services, National Institutes of Health. https://consumer.ftc.gov/articles/free-credit-reports