Equifax 2017 Data Breach: A Meticulous Timeline
With recent breaches like Equifax and Sonic, business as usual has changed. If your business does not adequately protect personally identifiable information (PII), you need to reconsider your priorities. Lawsuits are becoming a given, along with the threat of fines, loss of business, and reputational damage.
Data breaches occur every day, but this one broke the mold. In one of the most significant breaches in recent history, credit-reporting agency Equifax revealed that from mid-May through July, the personal information of 145.5 million consumers was compromised.
Exposed data included names, Social Security numbers, addresses, birth dates, and in some cases, driver’s license numbers. An estimated 209,000 unlucky people also had credit card information stolen. The cause? A vulnerability in a web application–building tool called Apache Struts.
While people struggle to wrap their heads around the sheer magnitude of this breach—an estimated 44 percent of Americans are affected!—Equifax is reeling from the fallout: Among other things, the company is facing lost business (including a $7 million IRS contract), bracing for a multibillion dollar lawsuit, and drawing fire for potentially earning millions of dollars from the breach.
For a better understanding of the whole picture, take a look at the timeline detailing just how the Equifax breach went down.
- Apache is notified of the Struts vulnerability.
- Apache releases an upgrade to address the vulnerability.
- Vulnerability intelligence source VulnDB and the exploit and vulnerable software archive Exploit Database make a note of the vulnerability.
- The MITRE Corporation adds a description and seven references, and the National Vulnerability Database (NVD) includes the vulnerability in the database (via CVE).
- Hackers break into the Equifax computer network for the first time (according to security firm FireEye Inc.).
- Security authority the CERT Division (part of the Carnegie Mellon–based Software Engineering Institute) publishes an advisory about the vulnerability.
- Equifax becomes aware of the vulnerability. Later, the security department asserts it “took efforts to identify and patch any vulnerable systems.”
- Equifax suffers a separate security incident and retains Mandiant for forensics. The company begins to notify some outsiders and banking customers. The public is not yet informed of the breach, possibly because it does not involve PII loss.
- The Equifax data breach occurs (per the company’s official statement).
Mid-May through July 2017
- Criminal hackers attack and infiltrate Equifax servers, accessing the personal information of nearly 44 percent of the U.S. population, as well as residents of Canada and the U.K.
- Equifax detects the security breach.
- Equifax patches the vulnerability.
- Three top Equifax executives (the CFO, the U.S. Information Solutions President, and Workforce Solutions President) sell nearly $2 million worth of company stock.
- Equifax purchases identity protection company ID Watchdog two weeks after discovering the breach.
- Equifax officially announces the security breach to the public. The company directs consumers to a dedicated website to check if they are included in the breach. Later, the company states that the three executives did not know about the security breach when they sold their shares.
- The first lawsuit against Equifax is filed.
- In the first day of trading after the announcement of the breach, Equifax shares drop 13.7 percent.
- PII: The LA Times reports that Social Security numbers and birth dates were compromised. These are two of the most critical pieces of personally identifiable information you own. Names, addresses and, in some cases, driver’s license numbers were also lost. Credit card numbers for 209,000 U.S. consumers were compromised, and dispute documents related to 182,000 U.S. consumers also were accessed. An unspecified number of people in Britain and Canada were affected.
- The Apache Software Foundation releases an official statement to Equifax.
- Equifax’s official Twitter account repeatedly responds to consumer inquiries by directing them to a phishing website with a URL similar to the dedicated breach site.
- Equifax sends some customers to a fake website for information on the breach. The fake website turns out to be run by a security researcher.
- Investigative reporter Brian Krebs criticizes Equifax’s breach response website, calling it “completely broken at best, and little more than a stalling tactic or sham at worst.”
- Sen. Orrin Hatch, R-Utah, and Sen. Ron Wyden, D-Oregon, ask Equifax to provide information, including a timeline, information on whether government records were involved, and details about the company’s attempts to minimize consumer harm.
- Equifax announces the retirement of two senior computer security execs.
- In a USA TODAY op-ed, the CEO of Equifax apologizes. “This is the most humbling moment in our 118-year history,” he writes.
- Articles criticizing the breach response site continue to be published. Experts note that the site could be vulnerable to phishing and hacking threats.
- PROTECT Act: Legislation introduced to force the credit reporting firms to get federal cybersecurity reviews and to stop using Social Security numbers to identify people.
- The CEO of Equifax is called to testify before Congress on October 3.
- Equifax confirms that Apache Struts security flaw is to blame for the breach.
- The Federal Trade Commission states it is investigating the data breach.
- Equifax shares drop 5 percent to $94.19.
- Equifax provides a statement that includes specific details and reports the steps it has taken to meet regulatory standards and protect the personal data of consumers.
- Chief Security Officer Susan Mauldin and CIO Dave Webb retire from Equifax. Though the official statement does not name the executives, Equifax provides those details when requested by CNNMoney. Mark Rohrwasser (head of international IT) steps in as CIO, and Russ Ayres (a member of Equifax’s IT operation) becomes chief security officer.
- FREE Act: Legislation introduced to require free credit freezes. Follow the CSR for updates on privacy regulations and analysis of data privacy and data breaches.
- By this point, Equifax stock has plummeted nearly 35 percent since the breach was publicized.
- As of today, Equifax is facing 30 class-action lawsuits in 19 federal judicial districts. Class actions and lawsuits are now much more likely to happen in the wake of a data breach. As a business, you must mitigate your risk with products like CSR Readiness®. Make sure that you have created a defensible position should a breach occur by taking action to secure the handling of your PII.
- Within a day of the breach, scammers created 194 phishing sites similar to the Equifax breach response site. Equifax reveals it directed data breach victims to one of these sites and apologizes.
- As of today, Equifax is facing more than 70 class-action lawsuits.
- Equifax CEO Richard Smith retires. Board member Mark Feidler is appointed chairman, and Paulino do Rego Barros Jr. is appointed interim CEO.
- San Francisco files suit against Equifax, in part for failing to notify consumers in a timely manner. Data breach notification laws vary by state and are quite specific. You must notify consumers based on their state of residence, not your state of business. Your business can make compliance with data breach reporting laws easy by using CSR's patented and award-winning Breach Reporting Service™.
- Equifax announces that forensic computer security company Mandiant has identified another 2.5 million people whose PII has been compromised. The number of victims surges from 143 million to 145.5 million.
- Equifax’s former CEO Richard Smith testifies in front of the House Digital Commerce and Consumer Protection subcommittee. Amidst strong criticism, he admits “mistakes were made.”
- Work History PII: KrebsOnSecurity points out that your work history data is vulnerable on Equifax's TALX service, especially if hackers have your Social Security number and date of birth via the Equifax breach or other security incidents.
- More statistics emerge: Equifax says 15.2 million UK consumers were affected by the breach, with 693,665 facing disclosure of sensitive personal data. Stolen driver’s license numbers are estimated at 10 to 11 million.
- Equifax says it has removed spyware from its breach response site. This malicious code had prompted users to download spyware disguised as an update to Adobe Flash Player software.
- Equifax stock has been recovering since its low point and is now down 22.6% from just before the announcement of the breach. While the company has taken a beating, it appears that it will survive and move on.