The Equifax Data Breach Pt. II: The Bits Hit The Fan

After its momentous breach, Equifax's CEO Richard Smith said: “Equifax will not be defined by this incident, but rather by how we respond.”
Well, he was spot on, but not in a good way.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 12 million downloads as of Oct. 2018.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

The Equifax Data Breach Pt. II: The Bits Hit The Fan

Link To Part 1

If you were both particularly attuned to website domain registrations, and a little bit psychic, you might have noticed something odd occur on September 5th, 2017, when a purchase was made for “equihax.com”. The man who bought “equihax” was named Brandan Schondorfer. He lived in the beautiful and historic city of Alexandria, Virginia, and worked for the cyber security firm Mandiant.

The reason you would’ve needed to be psychic to notice, and why such a registration would’ve seemed odd, is that even by September 5th–almost four months after attackers first broke into Equifax Incorporated’s internal computer systems, and began stealing the personal information of millions upon millions of Americans–you could have fit everybody who knew about any of it into one spacious conference room.

Project Sierra & Project Sparta

Richard Smith, Equifax’s CEO, was notified about the intrusion a month and a half earlier, on July 30th, the day after it was detected. Rather than notify the public, Smith claimed in later testimony to U.S. government officials that he kept the news secret in order to prevent copycat attackers from hearing about and carrying out similar attacks, sooner than they could defend against them.

Justified or not, the excuse gave his team ample time to respond to their discovery, without yet having to face public scrutiny. This was what everyone had been preparing for, even since 2005, when Tony Spinelli first got hired on as CSO. Emergency response, only a few weeks’ time, to rid the intruders, mitigate the damage and restore normalcy.

Richard Smith immediately formed two task teams: “Project Sierra” and “Project Sparta”. Project Sierra, also referred to as the company’s “crisis action team”, was responsible for addressing the hack–investigating the events, the causes, rewriting administrator account credentials, cleaning up the network, and everything in between. They worked alongside Mandiant but, otherwise, Sierra was an entirely covert operation. Nobody on the outside–not another Equifax employee, not your wife, not your dog–could know about Sierra.

Project Sparta’s job was to arrange for and staff a customer support center, develop protective tools for customers, and develop a website where customers of the company could go to determine whether they were affected by the incident. Sparta’s team members were also kept in the dark: they were only told that a large affiliate company had experienced a major data breach.
Typically in these scenarios, it’s not uncommon for employees to be kept in the dark regarding the identity of a breached client, when the information is not yet publicized. Of course, not knowing it’s your own company? That’s a little stranger. Like helping your wife plan out how to break up with her husband.

Website Fiasco

Equifax announced their data breach on September 7th, 2017, four months after that breach began, six weeks after finding out about it. They revealed that an unknown malicious entity now had access to the names, social security numbers, birthdays, addresses, and in some cases driver’s licenses and credit cards, of 143 million Americans, as well as some U.K. and Canadian citizens. That number later rose to 145 million.

One of those Americans who, presumably, lost all of his personal information to that hack is going to be speaking with us in today’s show. And he’s our very own Senior Producer.

“[Nate] Hi I’m Nate Nelson, Robin to Ran’s Batman, Woz to his Jobs, J to his PB.”

The same day the news broke, in an apology video posted to YouTube, Richard Smith proclaimed that, quote, “Equifax will not be defined by this incident, but rather by how we respond.” Platitude it may be, the statement turned out to have some truth to it. Equifax was, judged, in large part, by their response to the breach. Because, even with a free six weeks to prepare, that response was so, so bad. So bad that it’s almost hard to quantify.

“[Nate] Before I read into it, I’d assumed that Equifax was hacked because they didn’t care enough not to be. But that was reductionist of me: they’ve invested hundreds of millions into cyber defense, they’ve hired some good people, and their CEO–even before 2017–was more aware of the issue than some of his colleagues.

At the same time, we’ve been doing this show quite awhile now, and it’s tough to think of any story that demonstrates such glaring incompetence as this one. Mt. Gox is up there, but you can’t really equate a highly regulated credit agency with a crypto startup, so the comparison is null.

When I think about Equifax cyber security, I’m reminded of a kid I played baseball with, when I was younger. This kid had the nicest bat of anyone on the team: it was this dark, chestnut brown with golden accents, a sticky grip, and a thick barrel to really put a whack on the ball. Unfortunately, he himself wasn’t much of a player. Each time he’d go up to the plate with this killer bat and, inevitably, swing right over the ball.

So you can have the fanciest equipment, but still not know how to use it. That, in a nutshell, is Equifax.

And the kid in the story was me, obviously, but let’s cut this part out of the podcast…”

Sure, I’ll cut it out, Nate, no problem…

Anyway, as news spread of the breach, Equifax’s customer support phone lines began ringing off the hook. The support center was both severely understaffed–leading, in many cases, to very long wait times–and also unhelpful across the board, directing just about everyone who called to one of two websites. The first website, “trustedidpremier.com”, was where you could go to see if you were personally impacted by the breach. It was problematic from the beginning. In order to see if your information had been stolen, you had to enter your last name and the last six digits of your social security number–not exactly the kind of identifiers you’d want to be handing out to a company that just lost all of its customer data.

If you were comfortable enough to use the form, you’d receive one of two responses–either that you were or weren’t impacted–as well as information on how to sign up for free credit monitoring the company had arranged for customers. But it didn’t really matter. When various journalists and citizens began playing around with the input fields – it became clear that Trusted ID was not checking a veritable database of names and social security numbers. Some got positive results from fake information, like “Test” and “123456”. Some people input their information on two different occasions, and received different answers each time. Amazingly, Trusted ID Premier is still live today, and still returns phony results.

“[Nate] Back in 2017, TrustedID told me my information was stolen, so for two years I took that information as fact. But, in preparation for this episode, I went back there.

I found that the site is about as good at sussing out fake data as you or I would be. So if you type in “Cobain” and “041994”, or “Jesus” “666666”, you’ll return a negative result. But, when I tried “Smith” and a set of random numbers, “171843”, it came back positive. To make sure I didn’t accidentally guess some real person’s information, I tried “Johnson” and “171843”, and also got a positive. I hit again with “Smith” and “171844”, 845, 846, et cetera, without fail, until I got bored with the game.

I’d love for somebody to explain how you even build a program like this. Like, we know that if it were based in real data it would return legitimate results. If it were a random generator, it would be worse at guessing than it is. Is it based in a fake data set? Or did somebody program this algorithm to approximate legit results? Ethics of the matter aside, from a technical perspective it’s intriguing.”

More Website Fiasco

So the “Trusted” ID Premier website was basically useless. But, actually, it was even worse than useless. In order to sign up for the free credit monitoring Equifax was offering–which didn’t even work at first, by the way, as noted by customers who weren’t able to sign up and activate the service–you first had to agree to Equifax’s Terms of Service, which included a mandatory arbitration clause barring your participation in any class action suit against the company. In other words, by accepting the free credit monitoring, you were giving up your right to sue Equifax. Richard Smith later called the clause a “mistake”, and the company was quickly pressured to remove it from the site.

The second website that Project Sparta set up was “equifaxsecurity2017.com”–a hub where individuals could go to find more information about the breach, and what to do about it. Some noted that it was not a sub-domain of equifax.com, but in fact its own, standalone site. Not only that, but to the eye, that URL just seemed a little…fishy. You know? “equifaxsecurity2017”–it sounds like what a hacker would call their fake Equifax website, to try and seem legitimate.

Nick Sweeting, a software engineer, set out to demonstrate the point when he paid ten dollars to register the domain “securityequifax2017.com” – the reverse of equifaxsecurity2017 – and another five to host it on a cheap server. He download all the content and code of equifaxsecurity2017, then copied it straight onto his mock website. In only twenty minutes’ time, Sweeting had a perfect copycat site: “securityequifax” looked identical to equifaxsecurity–that is, besides one large headline which read: “Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That’s So Easily Impersonated By Phishing Sites?”

A couple of weeks after going live, Chrome, Firefox and Safari had all blacklisted securityequifax. But not before it received 200,000 hits, from concerned customers who thought they were visiting a legitimate site. How did so many people get duped?

“[Nate] Because Equifax itself, on Twitter, had linked to the very phishing site created to mock their cyber security. Three times.”

Credit Freezes & Alerts

So you’re an adult American, and you think all of your most sensitive personal information may now be in the hands of someone with malicious intent. The website where you can check if you were, in fact, compromised, isn’t tethered to reality. The website where you can find out more information from the company is itself not secure. You can register for a year of free credit monitoring, by signing away your right to legal recourse. Where do you go now?

Most experts were making two recommendations to Equifax victims: to set up credit alerts, and freezes. Credit alerts allow you notice whenever any significant change in your credit score occurs, and Equifax had a website, “alerts.equifax.com”, where credit holders could sign up for such a service. Five days after the breach announcement, a security researcher named Martin Hall discovered that customers who visited the site might be vulnerable to having their information stolen again, because it was vulnerable to a type of attack called cross-site scripting attack. Cross-site scripting is one of the most common security flaws on the web today–a form of code injection, where an attacker can upload and trick an otherwise legitimate site into doing whatever they wish.

Cross-site scripting seems to have been a wide-ranging security hole for Equifax, as one Twitter user named x0rz pointed out on the day of the hack. x0rz was able to hack Equifax’s main site, such that it would present a pop-up window to the user reading “We don’t care”. According to records, the bug that made Equifax’s sites vulnerable to Cross-site scripting had been reported to Equifax as early as March of 2016. When Martin Hall tried reaching out to Equifax to inform them of their vulnerability, he did not hear back.

So you think you might’ve been included in the Equifax hack, but you’re cautious about signing up for fraud alerts. The best thing you can do now is pay ten or so dollars to each of the reporting agencies, to freeze your credit. Freezing is what it sounds like: your credit is rendered unusable for any reason–say, buying a car or a house–until you, its owner, chooses to unfreeze. Many forward-thinking people did this following news of the breach, as a precaution for avoiding identity theft.

But you know, by now, what’s about to happen. Right? How could Equifax have possibly screwed up credit freezing–the one thing every expert recommended, as the only fail-safe way of keeping thieves away from your most sensitive assets?

Equifax tried charging customers to freeze their credit, before walking that back amid harsh criticism. So, as long as you waited a few days after September 7th, you were able to freeze your credit simply by calling the company. The problem, of course, is that as easily as you could freeze your own credit, any malicious actor with the kind of information leaked in the Equifax breach could just as easily unfreeze it. To avoid this issue, if you did freeze your credit, you were given a piece of information known only to you, to be evoked any time you wanted to unfreeze. That piece of information was a PIN number. But rather than issuing randomized PIN numbers, yours would be comprised of the date and time when you instituted the freeze.

If this sounds familiar – that’s because it’s almost the exact same mistake Equifax did a year earlier, when half a million customers of the Kroger retail company got hacked through Equifax, due to such faulty PIN numbers: an incident I told you about in part 1 of this episode.
Amazing, isn’t it? I would have thought Equifax had learned their lesson – but apparently they didn’t.

Legal Action Against Equifax

With no other obvious solution, some Americans chose to sue Equifax. A few of them–very few–actually got good money for it in small claims court. The New York Times met one woman who won seven and a half thousand dollars in San Francisco, and another who got five and a half thousand. Most were not so lucky, earning small dollar amounts or free monitoring or nothing, depending on where they filed.

For everybody else, a class-action suit was set in motion in the Northern District of Georgia. The basis of the case would appear obvious–that Equifax’s insufficient data security lead to damages for customers. But, in a court of law, these sorts of things tend to look a little less clear. In the case of Kroger, for example, Equifax lawyers tried getting their case dismissed on the basis that injury to those affected was merely, quote, “speculative and hypothetical”. Because hacks occur all the time, and your information can and possibly is lost through any number of means already, can we ever definitively say whether one hack is the cause of one individual’s loss? How can you quantify the damage associated with the leaking of a social security number to an unknown entity? Equifax lawyers used the same response that they did in 2016, in 2018, arguing the plaintiff had not, quote, “sufficiently alleged injury and proximate causation”. In English: the victims couldn’t definitively prove that Equifax caused them real-life harm. On this basis, Equifax’s lawyers attempted to get the case thrown out of court. Fortunately, the presiding judge struck down that attempt.

On multiple occasions during his testimony at Capitol Hill, on October 4th of 2017, Richard Smith seemed to try blaming the breach on a single, unnamed employee. He claimed that this individual from IT was responsible for not getting the message to the right people, and didn’t implement the software fix that would have prevented the breach. Of course, this individual was never named. Was Smith attempting to blame a made-up employee for the company’s failure? If this wasn’t a scapegoat, and Smith really was telling the truth, what kind of company would leave power over 145 million Americans’ personal information in the hands of a single person?

Smith spent hours that day, being grilled by members of the Senate Banking Committee. When Senator Elizabeth Warren of Massachusetts got her chance to speak, she took seven minutes to deliberately pick Smith and his company apart, as examples of corrupt big business profiting off its own failure.

And she wasn’t wrong. The free credit monitoring Equifax offered customers affected by the breach was made to last only one year. The company was set to make hundreds of millions off of customers who wished to continue the service after its first year. If you didn’t want your credit monitoring through Equifax, LifeLock was the most popular alternative among customers of the breach. But LifeLock buys credit monitoring from Equifax, meaning all the customers who flooded them in the days after the breach were unwittingly filling the pockets of the very company that forced them there in the first place.

Securing your information would be enough of a headache, if it were your fault that it were lost. But it’s not. And so you find yourself sitting on the phone some day, on hold with customer service, when the thought crosses your mind: all this jumping through hoops, just so that a company that collects all of your most sensitive information, without your consent, doesn’t include damaging false information in their own product, which you have no power over in the first place. Like, you don’t have to ask a bartender not to spike your drink, or a lifeguard not to mix the pool water with the septic tank water. But you have to pay Equifax to not accidentally ruin your life?

For Elizabeth Warren and others, poor information security was less the cause of Equifax’s problems than a symptom of their corrupt business model. A model where citizens are used but not included in the process, where a preoccupation with profit supersedes due diligence, and powerful executives are not held to account for their actions.

“[Nate]I don’t think people are angry at Equifax because they got breached. I think the breach is a way for us to engage with how angry we are at Equifax, for what they represent. Corrupt, crony capitalism. Profiteering with no accountability. The rich taking what they want from the rest of us, because we’re powerless to stop them.

The Equifax hack was a problem, but it was never really the problem. The problem has, is, and will continue to be that a company like this can exist in the first place.”

The Aftermath of the Breach

A year after announcing their data breach, Equifax is just about as good as new. According to their own numbers, the company generated four percent more revenue in the first quarter of 2018 than they had in 2017.

The U.S. government has initiated two investigations into the breach. One, from the Consumer Financial Protection Bureau, has slowed to a halt as a result of changing presidential administrations, and now seems dead in its tracks. The other is headed by the Federal Trade Commission. Last year, Republicans appointed a former Equifax lawyer as the organization’s leader.

Democratic Senators Elizabeth Warren and Mark Warner sponsored a bill which would have allowed the FTC greater oversight in the industry, and penalized Equifax 1.5 billion dollars–or 100 dollars per customer–half of which would be distributed back to affected customers. That bill never went anywhere.

Some Equifax executives and employees were made to leave the company. CSO Susan Mauldin was one of those who, in response to the bad press, stepped down. So did Chief Information Officer David Webb. The board of directors decided Richard Smith’s tenure as CEO was over, and on September 26th, 2017, Smith announced he’d be retiring. Note, however, the terminology: none of these executives were formally fired, they became retired.

More often than not, the larger conversation about the Equifax hack overlooks the hackers themselves. Part of the reason why is we just don’t know who they were. Some suspected ties to the Chinese government. That the attack was carried out by one team, and then passed to another team of hackers, suggested they may have been of a nation-state apparatus. According to Bloomberg, the attack resembled similar attacks on the U.S. Office of Personnel Management, and Anthem Incorporated, both carried out by Chinese-linked groups. One of the tools used by the hackers–China Chopper–has a default Mandarin interface, though it’s also used by hackers outside of China. Crucially, the leaked Equifax data has not been discovered on the black market.

On the other hand, Mandiant–the firm that most closely analyzed the events–found 35 IP addresses associated with the attackers, but no methods connecting them to hackers found in any of their previous investigations, including those from China.

The Independent Community Bankers of America, or ICBA, sued Equifax for costs related to replacing and securing customer information. Importantly, the filing claimed that some of the customer data lost in the Equifax breach had been used to make purchases with credit cards, and even apply for mortgages. If the stolen data was used for financial gain, it might suggest that the hackers were not of a nation-state apparatus.

Nobody can say for certain whether these were Chinese hackers, Chinese government hackers, or hackers from anywhere else in the world. Frankly, it may sound counterintuitive, but Americans should pray that it was the Chinese. If a nation-state hacked Equifax, their motivations likely have more to do with power and politics. If an independent criminal entity hacked Equifax, the consequences could be much worse to you and your family.

If you are an adult American listening to this show right now, there’s about a 75 percent chance that every bit of your most sensitive personal identifying information is in the hands of a malicious entity. Two-and-a-half years later, we still don’t know why they took your information, or what they plan to do with it. Maybe it’ll be nothing. Or maybe they’re lying, waiting. They have all the time in the world, because so long as you live, your name, birthday and social security number will remain the same. The Equifax hack occurred in 2017, but you could be a victim of it for the rest of your life.

“[Nate] I sometimes fantasize about my Equifax hacker, and how they’ll use my information. Here’s what I’m thinking…

Open: a cold, dark warehouse. I’m out fighting crime with my partner, who looks like Ran but dresses better and wears cooler glasses. We’re busting up an underground cybercrime mafia, shooting and beating up more bad guys than we can count. Finally, we make our way up the stairs to where the ringleader is. Sidekick Ran points his gun…

“Wait! Don’t shoot!” the man shouts. He steps out of the shadows. “Don’t you recognize me? We used to do podcasts together. I’m Nate Nelson.”

Ran stops, confused. He looks at me, then him.

“What? This is ridiculous!” I say. “This guy doesn’t even look like me. You can’t seriously believe him…”

Ran slowly steps back, turning the gun at me now, then at him, back and forth as he debates what to do. “Okay, everybody calm down,” he says nervously, taking one hand off the gun to wipe the bead of sweat dripping from his brow. “There’s just one way to settle this. Only the true Nate Nelson would know his home address, phone number and social security number.”

The man lists off all my personal information. Ran shoots me between the eyes. I die. The end.”