Assignment Final Research ICT350V


Name

Professor or Instructor

ICT 350V

30 April 2024

2017 Equifax Security Breach: One of the Largest Breaches in History

Equifax is an American consumer credit reporting agency (CRA), founded in 1899 as the Retail Credit Company in Atlanta, GA. As one of the largest CRAs in the United States, Equifax processes and handles the data of hundreds of millions of consumers every year. But on September 7, 2017, Equifax CEO at the time Rick Smith announced that a data breach had occurred within the company, which was said to have affected 143 million Americans (further investigation into the breach showed that this number is closer to 148 million Americans) (Haselton, 2017). This was not the first time Equifax had experienced a breach: in May 2016, an attack on Equifax’s W-2 Express website exposed the data of 430,000 people, including names, addresses, and Social Security numbers (Brewster, 2017a). But this breach was different, not just because of the sheer number of people affected, but because of how Equifax responded to it, and what exactly the company did to secure and store consumer data. So how did this happen? Who was in charge, and more importantly, what did Equifax do to remedy the situation? The 2017 Equifax data breach is a helpful reminder of the risks associated with giving sensitive data to any company.

While the company reported the breach in September 2017, the attackers had gained access to the data in May 2017 (Miyashiro, 2021). Equifax had actually discovered the breach nearly a month before the announcement, on July 29, 2017, but chose not to inform consumers and instead engaged the cybersecurity firm Mandiant to investigate the situation (Electronic Privacy Information Center, n.d.). To make matters worse, several executive-level employees sold Equifax stock just days after the discovery of the breach (Ng & Musil, 2017). Buying and selling stock based on information that has not been made public is a crime, but Equifax claimed that none of the executives (including its Chief Financial Officer, John Gamble) had known about the breach. That raises one question: how does the CFO not know about a data breach that affected nearly the entire consumer base? Much of the breached data was extremely sensitive, including Social Security numbers, addresses, full names, and credit card information, leaving consumers at risk of their data being sold on the dark web for fraud. John Ulzheimer, a credit expert who has worked with Equifax and FICO, states: “It's very problematic for hackers to have all that important information all in one place…This information is perpetually valuable. You are not going to change your name or date of birth or Social Security number. In five years they will be the same, unlike a credit card that takes five minutes to cancel over the phone” (Bomey et al., 2017). Data breaches of any kind can result in identity theft, but the direct release of data that cannot be changed puts all Equifax consumers in extreme danger of becoming victims of financial crimes.

So how exactly did the attackers get into the Equifax database, and what was exploited? There was a vulnerability in the Apache Struts Java framework, which Equifax used for various web applications. Essentially, the Jakarta parser used by Struts did not properly handle files uploaded to the web server, allowing attackers to insert malicious code into the Content-Type header of an HTTP request, which Struts then executed (Brewster, 2017b; Miyashiro, 2021). Apache discovered the vulnerability and issued a patch in March 2017 (Newman, 2017). A day later, on March 8th, the Department of Homeland Security notified Equifax, Experian, and TransUnion of the vulnerability and patch, and urged them to update their systems. Unfortunately, Equifax did not update the system in a timely manner, leaving it vulnerable to a flaw rated level 10 by the National Institute of Standards and Technology (NIST) on the Common Vulnerability Scoring System (CVSS) scale. A few days later, on the 10th, the attackers gained access to the Equifax network through its dispute portal, which allowed them to spread malicious software to other systems and gave them access to the data of 143 million consumers through the Equifax system from May to July 2017 (Miyashiro, 2021). Once Equifax noticed suspicious activity on its network, it attempted but failed to locate the vulnerability (Electronic Privacy Information Center, n.d.), and no further attempt was made to find and patch it. Equifax had also failed to renew its SSL certificates, and took a lax approach to following its own cybersecurity and privacy policies. The lack of procedure, alongside detrimental security practices, was the root cause of the breach.
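The Content-Type handling described above points to the defensive check a practitioner would want on a web tier: treat the header as a strict media type and alert on anything that does not parse, rather than trying to recognise specific payloads. The following Python is an added example, not code from the essay, from Equifax or from Apache Struts; it assumes a hypothetical key=value request-log format with constructed sample lines, and treats `%{` and `${` as the expression delimiters to flag.

```python
import re

# Simplified RFC 7231 media-type grammar: type "/" subtype *( ";" parameter ).
# '{' and '}' are HTTP separators and can never appear in a token, so a header
# carrying an expression fails the grammar even before the marker check below.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
PARAM = rf"\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED})"
MEDIA_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")

# Expression delimiters (assumed markers) that no legitimate media type contains.
OGNL_MARKERS = ("%{", "${")

def classify_content_type(value: str) -> str:
    """Classify one Content-Type value as 'ok', 'ognl-marker' or 'malformed'."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl-marker"   # name the reason so the alert is actionable
    if MEDIA_TYPE_RE.match(value) is None:
        return "malformed"     # anything else outside the grammar is rejected too
    return "ok"

# Constructed sample log lines in a hypothetical key=value format (not real traffic).
LOG_LINES = [
    'ts=2017-03-10T09:15:02Z src=203.0.113.5 path=/dispute/upload ctype="multipart/form-data; boundary=----constructedBoundary"',
    'ts=2017-03-10T09:15:09Z src=203.0.113.5 path=/dispute/upload ctype="%{constructed_marker}.multipart/form-data"',
    'ts=2017-03-10T09:16:41Z src=198.51.100.7 path=/dispute/status ctype="application/json; charset=utf-8"',
    'ts=2017-03-10T09:17:03Z src=198.51.100.7 path=/dispute/upload ctype="multipart/form-data; boundary"',
]
LINE_RE = re.compile(r'ts=(\S+) src=(\S+) path=(\S+) ctype="([^"]*)"')

def scan_log(lines):
    """Return (ts, src, path, verdict) for every request whose Content-Type is not 'ok'."""
    alerts = []
    for line in lines:
        match = LINE_RE.search(line)
        if match is None:
            continue                      # skip lines not in the expected format
        ts, src, path, ctype = match.groups()
        verdict = classify_content_type(ctype)
        if verdict != "ok":
            alerts.append((ts, src, path, verdict))
    return alerts

if __name__ == "__main__":
    for alert in scan_log(LOG_LINES):
        print(*alert)
```

The grammar check is the durable part: it keeps rejecting malformed headers after the marker list goes stale, which is why the two checks are kept separate.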

The response from Equifax to the general public was also quite abysmal. On top of revealing the breach over a month after it occurred, the company also accidentally sent consumers concerned about the breach to a fake phishing site that resembled its own. The official website was called equifaxsecurity2017.com, but developer Nick Sweeting had registered the domain securityequifax2017.com to show just how easy it is to create fake but legitimate-sounding names and use them for nefarious purposes (Last Week Tonight, 2017). Even crazier, Equifax then tweeted Sweeting’s website from its Twitter account eight times, sending consumers to the fake site. Hilarious, right? It gets even better, because in the wake of the breach, Equifax offered one year of free credit monitoring. There was a string attached, however. Equifax had included a forced arbitration clause, which essentially takes away the right to sue from anyone who accepts the credit monitoring. This initially caused outrage, but Equifax clarified that consumers would still be entitled to sue. “To be as clear as possible, we will not apply any arbitration clause or class-action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself,” said Wyatt Jefferies, a company spokesman (Lazarus, 2017). Furthermore, three executive employees were accused of insider trading, resulting in former Chief Information Officer Jun Ying being sentenced to four months in prison, with a year of supervised release, a fine of $55,000 and restitution of over $100,000 (United States Attorney’s Office, 2019). Another employee, Equifax software engineering manager Sudhakar Reddy Bonthu, was also sentenced for insider trading (U.S. Securities and Exchange Commission, 2018). As Lazarus put it, Equifax is certainly not winning any awards for its response.

Equifax faced severe consequences in the wake of the breach. Alongside the sentencing of two former Equifax employees, the company also faced steep litigation, including a $425 million settlement with the Federal Trade Commission and other agencies and states (FTC, 2022). Equifax also hired a new Chief Information Security Officer in February 2018 (Newman, 2018). The CISO, Jamil Farshchi, expressed optimism and hoped to reform the security practices at Equifax: “One of the things that I really love about being a CISO in a post-breach environment is it gives you such an immense opportunity to drive fundamental, meaningful change in a very short timeframe” (Newman, 2018). Measures such as a proper procedure for regular software updates, alongside more regimented security training, have all been implemented in the company since the breach. Congressional hearings also took place in October 2017 to identify the mistakes made during this breach. The House of Representatives Committee on Oversight and Government Reform published a report on the breach, which identified 2.5 million more Americans who were affected, raising the number to 148 million affected in the United States. Congress recommended that the company increase its transparency with consumers, and suggested strengthening the enforcement tools at the disposal of the FTC. A key part of the recommendations was reducing the use and storage of Social Security numbers: “Social Security numbers are widely used by the public and private sector to both identify and authenticate individuals. Authenticators are only useful if they are kept confidential. Attackers stole the Social Security numbers of an estimated 145 million consumers from Equifax. As a result of this breach, nearly half of the country’s Social Security numbers are no longer confidential.” In the aftermath of the situation, Equifax has made a reasonably strong effort to improve its IT security systems as well as to become more transparent with consumers about how their data is used and stored.

So, complacency in procedure, a lack of regimented security practices, and the mass collection and storage of highly sensitive data were all factors that led to the breach. Equifax could have done a lot better in a multitude of ways that would have prevented this breach. But this breach reveals much more, not just about Equifax, but about all CRAs in the United States and across the globe. CRAs are essential for finding housing and work and for managing one's financial assets, which gives these companies far more leverage than is desirable over what data we give them and what they can do with it. The Electronic Privacy Information Center (EPIC) has outlined some steps that can be taken to better protect consumers, such as offering free credit freezes and credit monitoring. The time Equifax took to inform the public also remains a central point for improvement. EPIC encourages Congress to establish a standardized procedure for notifying victims of a breach within 24 to 72 hours, which could prevent a lot of the harm from a leak. The use of Social Security numbers should also be reconsidered; the Social Security number has no built-in security feature and was never meant to be used as an identifier. Use of this overly important number must be heavily restricted, and it should furthermore not be stored by these companies. At its core, our data is what is used to identify us and to keep track of what we have done, which is why data security must be of the utmost importance for any CRA.

In February 2020, the US Department of Justice charged four Chinese hackers from the People’s Liberation Army of China as the perpetrators of the attack (Bomey, 2020). And while there is no evidence that the data has been used illegally, the data is still vulnerable and at risk of being sold. And that is the worst part of the situation. While Equifax has had to settle for billions across the globe, it is only a dent for a company valued at over $22 billion. The real victims are the people whose sensitive and unchangeable data are in the hands of hackers with no regard for their well-being. This information could destroy so many people, yet the federal government has still not instituted any nationwide privacy law. Consumers, even if they take data security seriously, are essentially helpless when breaches like these occur. All the while, the former CEO gets to keep his pension, valued at over $18 million (Miyashiro, 2021). Whether or not Equifax has learned from this is up for debate, but the bleak reality is that consumers will simply have to live with this breach, and will still be forced to use one of the three CRAs available. Our data is now a commodity, something to be sold, used, and then thrown away. But our data is also so much more than a product; it tells a story of who we are and what we do. And we cannot simply continue to put up with the carelessness and negligence that so many companies seem to have with our data.

References

Bomey, N. (2020, February 11). How Chinese military hackers allegedly pulled off the Equifax data breach, stealing data from 145 million Americans. USA TODAY. https://www.usatoday.com/story/tech/2020/02/10/2017-equifax-data-breach-chinese-military-hack/4712788002/

Bomey, N., Dastagir, A. E., Shell, A., & McCoy, K. (2017, September 18). Equifax data breach: What you need to know about hacking crisis. USA TODAY. https://www.usatoday.com/story/money/2017/09/15/equifax-data-breach-what-you-need-know-hacking-crisis/670166001/

Brewster, T. (2017a, September 11). A brief history of Equifax security fails. Forbes. https://www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history/?sh=6cb76d89677c

Brewster, T. (2017b, September 14). How hackers broke Equifax: Exploiting a patchable vulnerability. Forbes. https://www.forbes.com/sites/thomasbrewster/2017/09/14/equifax-hack-the-result-of-patched-vulnerability/?sh=75ff93c5cda4

Electronic Privacy Information Center. (n.d.). Equifax data breach. Retrieved April 30, 2024, from https://archive.epic.org/privacy/data-breach/equifax/

Haselton, T. (2017, September 8). Credit reporting firm Equifax says data breach could potentially affect 143 million US consumers. CNBC. https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html

Last Week Tonight. (2017, October 16). Equifax: Last Week Tonight with John Oliver (HBO) [Video]. YouTube. https://www.youtube.com/watch?v=mPjgRKW_Jmk

Lazarus, D. (2017, September 12). The real outrage isn’t Equifax’s arbitration clause — it’s all the others. Los Angeles Times. https://www.latimes.com/business/lazarus/la-fi-lazarus-equifax-arbitration-clauses-20170912-story.html

Miyashiro, I. K. M. (2021, April 30). Case study: Equifax data breach. Seven Pillars Institute. https://sevenpillarsinstitute.org/case-study-equifax-data-breach/

Newman, L. H. (2017, September 14). The Equifax breach was entirely preventable. WIRED. https://www.wired.com/story/equifax-breach-no-excuse/

Newman, L. H. (2018, July 25). Equifax’s security overhaul, a year after its epic breach. WIRED. https://www.wired.com/story/equifax-security-overhaul-year-after-breach/

Ng, A., & Musil, S. (2017, September 7). Equifax data breach may affect up to 143 million people. CNET. https://www.cnet.com/news/privacy/equifax-data-leak-hits-nearly-half-of-the-us-population/

United States Attorney’s Office. (2019, June 27). Former Equifax employee sentenced for insider trading. https://www.justice.gov/usao-ndga/pr/former-equifax-employee-sentenced-insider-trading

U.S. Securities and Exchange Commission. (2018, June 28). Former Equifax manager charged with insider trading. https://www.sec.gov/news/press-release/2018-115
