Equifax Data Breach 2017

Equifax 2017 Data Breach: A Meticulous Timeline

With recent breaches like Equifax and Sonic, business as usual has changed. If your business does not adequately protect personally identifiable information (PII), you need to reconsider your priorities. Lawsuits are becoming a given, along with the threat of fines, loss of business, and reputational damage.

Equifax Breach Timeline

Data breaches occur every day, but this one broke the mold. In one of the most significant breaches in recent history, credit-reporting agency Equifax revealed that from mid-May through July, the personal information of 145.5 million consumers was compromised.

Exposed data included names, Social Security numbers, addresses, birth dates, and in some cases, driver’s license numbers. An estimated 209,000 unlucky people also had credit card information stolen. The cause? A vulnerability in a web application–building tool called Apache Struts.

While people struggle to wrap their heads around the sheer magnitude of this breach (an estimated 44 percent of Americans are affected!), Equifax is reeling from the fallout: among other things, the company is facing lost business (including a $7 million IRS contract), bracing for a multibillion-dollar lawsuit, and drawing fire for potentially earning millions of dollars from the breach.

For a better understanding of the whole picture, take a look at the timeline detailing just how the Equifax breach went down.

Equifax Data Breach | Graphical Timeline

Timeline

Feb. 14

  • Apache is notified of the Struts vulnerability.

March 6

March 7

  • Vulnerability intelligence source VulnDB and exploit and vulnerable software archive Exploit Database make a note of the vulnerability.

March 10

March 14

  • Security authority the CERT Division (part of the Carnegie Mellon–based Software Engineering Institute) publishes an advisory about the vulnerability.
  • Equifax becomes aware of the vulnerability. Later, the security department asserts it “took efforts to identify and patch any vulnerable systems.”

March 2017

  • Equifax suffers a separate security incident and retains Mandiant for forensics. The company begins to notify some outsiders and banking customers. The public is not yet informed of the breach, possibly because it does not involve PII loss.

May 14

Mid-May through July 2017

  • Criminal hackers attack and infiltrate Equifax servers, accessing the personal information of nearly 44 percent of the U.S. population, as well as residents of Canada and the U.K.

July 29

  • Equifax detects the security breach.

July 30

  • Equifax patches the vulnerability.

Aug. 1-2

  • Three top Equifax executives (the CFO, the U.S. Information Solutions President, and Workforce Solutions President) sell nearly $2 million worth of company stock.

Aug. 10

  • Equifax purchases identity protection company ID Watchdog two weeks after discovering the breach.

Sept. 7

  • Equifax officially announces the security breach to the public. The company directs consumers to a dedicated website to check if they are included in the breach. Later, the company states that the three executives did not know about the security breach when they sold their shares.
  • The first lawsuit against Equifax is filed.

Sept. 8

  • On the first day of trading after the announcement of the breach, Equifax shares drop 13.7 percent.
  • Equifax’s terms of use for credit protection force consumers to waive their right to join a class action suit. Sen. Elizabeth Warren (D-Mass.) tweets a criticism of the agreement, and New York Attorney General Eric Schneiderman tweets that his staff had demanded Equifax remove this language.
  • PII: LA Times reports that Social Security numbers and birth dates were compromised. These are two of the most critical pieces of personally identifiable information you own. Names, addresses and, in some cases, driver’s license numbers were also lost. Credit card numbers for 209,000 U.S. consumers were compromised, and dispute documents related to 182,000 U.S. consumers were also accessed. An unspecified number of people in Britain and Canada were affected.

Sept. 9

Sept. 9–20

  • Equifax’s official Twitter account repeatedly responds to consumer inquiries by directing them to a phishing website with a URL similar to the dedicated breach site.
  • Equifax sends some customers to a fake website for information on the breach. The fake website turns out to be run by a security researcher.

Sept. 11

  • Investigative reporter Brian Krebs criticizes Equifax’s breach response website, calling it “completely broken at best, and little more than a stalling tactic or sham at worst.”
  • Sen. Orrin Hatch, R-Utah, and Sen. Ron Wyden, D-Oregon, ask Equifax to provide information, including a timeline, information on whether government records were involved, and details about the company’s attempts to minimize consumer harm.

Sept. 12

Sept. 13

  • The CEO of Equifax is called to testify before Congress on October 3.

Sept. 14

Sept. 15

  • Equifax provides a statement that includes specific details and reports the steps it has taken to meet regulatory standards and protect the personal data of consumers.
  • Chief Security Officer Susan Mauldin and CIO Dave Webb retire from Equifax. Though the official statement does not name the executives, Equifax provides those details when requested by CNNMoney. Mark Rohrwasser (head of international IT) steps in as CIO, and Russ Ayres (a member of Equifax’s IT operation) becomes chief security officer.
  • FREE Act: Legislation introduced to require free credit freezes. Follow the CSR for updates on privacy regulations and analysis of data privacy and data breaches.
  • By this point, Equifax stock has plummeted nearly 35 percent since the breach was publicized.

Sept. 18

  • As of today, Equifax is facing 30 class-action lawsuits in 19 federal judicial districts. Class actions and lawsuits are now much more likely to happen in the wake of a data breach. As a business, you must mitigate your risk with products like CSR Readiness®. Make sure that you have created a defensible position should a breach occur by taking action to secure the handling of your PII.

Sept. 21

Sept. 22

Sept. 26

  • Equifax CEO Richard Smith retires. Board member Mark Feidler is appointed chairman, and Paulino do Rego Barros Jr. is appointed interim CEO.

Sept. 27

  • San Francisco files suit against Equifax, in part for failing to notify consumers in a timely manner. Data breach notification laws vary by state and are quite specific. You must notify consumers based on their state of residence, not your state of business. Your business can make compliance with data breach reporting laws easy by using CSR's patented and award-winning Breach Reporting Service™.

Oct. 2

  • Equifax announces that forensic computer security company Mandiant has identified another 2.5 million people whose PII has been compromised. The number of victims surges from 143 million to 145.5 million.

Oct. 3

  • Equifax’s former CEO Richard Smith testifies in front of the House Digital Commerce and Consumer Protection subcommittee. Amidst strong criticism, he admits “mistakes were made.”

Oct. 8

  • Work History PII: KrebsOnSecurity points out that your Work History data is vulnerable on Equifax's TALX service - especially if hackers have your social security number and date of birth via the Equifax breach or other security incidents.

Oct. 10

Oct. 12

  • Equifax says it has removed spyware from its breach response site. This malicious code had prompted users to download spyware disguised as an update to Adobe Flash Player software.

Oct. 18
