Even more Equifax blunders

If you’re tired of hearing about Equifax, unfortunately, it appears as though news surrounding the credit bureau’s massive data breach that impacted 143 million consumers (or more) is not going to slow anytime soon. According to a confidential report sent by Equifax and compiled by Mandiant, the arm of cybersecurity firm FireEye it hired to investigate the breach, the initial intrusion occurred much earlier than originally reported. Although Equifax has yet to disseminate this information to the general public via its website (as of Sept. 20 when this post was written), several news outlets including the Wall Street Journal have gotten hold of the report and made its contents public. The details of the report, which we will discuss below, make it clear that the company was aware of potential security issues long before it officially uncovered evidence of data theft on July 29. This revision of the breach’s timeline serves to make the unloading of $1.8 million in company stock by high-level employees more than a month before the data breach was disclosed even more suspicious. Unfortunately for Equifax, blunder after blunder keeps piling up, each one serving to incite further anger and concern from the 143 million people facing the reality of having their most sensitive data stolen. Here’s what you need to know.

It’s likely the hackers accessed Equifax’s systems in March

The report Equifax sent to a select number of its customers, including many financial institutions, featured a cover page dated Sept. 19 and signed by the company’s brand new chief information officer and chief security officer. Note that the employees who previously held these titles announced their immediate retirement on Sept. 15, in a statement posted to the Equifax data breach website. In the report, Mandiant said the first evidence of hackers in Equifax’s systems was March 10 — just two days after the Apache Struts vulnerability was discovered and patched — and it is likely that after successfully infiltrating, they spent the next couple of months watching and waiting. This is common for hackers, as evidenced by a separate report issued by FireEye in March, which noted that in the U.S. the average length of time between a company being hacked and it discovering the intrusion — dubbed “dwell time” — is 100 days; by comparison, it took Equifax 141 days.

What did the hackers do while they were inside Equifax?

Equifax stated in its Sept. 15 update that it made efforts to patch the Apache Struts vulnerability in March after it was notified, but regardless, hackers were able to gain access. Mandiant determined that the hackers eventually accessed files which contained confidential Equifax credentials (e.g., usernames and passwords) and used these to search databases and access sensitive information and documents stored within those databases. They accessed numerous database tables within several databases, which accounts for the massive amount of information that was compromised and its reach. In addition to all this, the hackers compromised two systems which supported Equifax’s online dispute application, which is what people used to file a dispute challenging an error on their credit report. One of the likely reasons the hackers were able to stay undetected for so long is that they set up approximately 30 “web shells,” or hidden pages, which allowed them to run remote commands on the Equifax systems even if the Apache Struts vulnerability was patched. At this time, the identity of the intruders is unknown, but Mandiant and the FBI are both continuing to work with Equifax to investigate.

Is it possible there were two separate hacks?

Some information published prior to the Wall Street Journal’s article on the Mandiant report indicated that there could have been two separate intrusions — one in March, and the other the May intrusion that was first disclosed. It isn’t entirely clear yet whether there is any evidence pointing to separate attacks, but it is known that Mandiant was contacted in March to investigate what Equifax has said is a separate incident from the one discovered on July 29. That leads to more questions: how thorough an investigation Equifax allowed at the time, whether there were multiple instances of weak security within its website, and how the employees under scrutiny for selling stock could possibly argue that they didn’t have any foreknowledge of a security incident. Only time and clearer, accessible information — such as a readable version of Mandiant’s investigative report — will tell the truth.

Equifax blunders continue in customer response

In addition to all of the controversy regarding when Equifax was breached, the company has continued to blunder in its consumer response. Not only are concerned consumers having difficulty getting through to a representative, but the company’s Twitter account has been caught on multiple occasions since Sept. 9 accidentally providing the wrong web address to its breach response site. The real address is equifaxsecurity2017.com, but some tweets sent out have directed people to securityequifax2017.com — a fake phishing site set up by a software engineer who wanted to show just how easy it is to duplicate the Equifax response website. Phishing emails and similar scams are frequently used to target victims of data breaches like this, preying on people’s confusion and concern to further victimize them. Be sure to read through our scams blog to learn how to spot and avoid these and other common scams. Although it is fortunate that these accidental wrong-address tweets have directed people to a safe spoof site, it’s still extremely concerning that they were published in the first place. It adds to the pile of blunders Equifax has made in the short weeks since it disclosed this breach, and it undermines any faith people might have left that the company can protect them.
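The wrong-address tweets described above are the kind of mistake a pre-publish link check catches. The following Python sketch is an added example, not part of the original article or anything Equifax used: it classifies each link in a draft post as the official domain, a reordered-word lookalike, or something else. The token list, function names and the naive two-label domain extraction are assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

# The official breach-response domain named in the article.
OFFICIAL_DOMAINS = {"equifaxsecurity2017.com"}
# Brand words used to split a hostname label (assumption for this example).
TOKENS = ("equifax", "security", "2017")
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def hostname(url):
    """Return the lowercase hostname of a URL given with or without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable(host):
    """Naive last-two-labels domain; adequate for .com, not multi-part TLDs."""
    return ".".join(host.split(".")[-2:])


def tokenize(label):
    """Split a label into known brand tokens (sorted); None if text is left over."""
    label, found = label.replace("-", ""), []
    while label:
        for tok in TOKENS:
            if label.startswith(tok):
                found.append(tok)
                label = label[len(tok):]
                break
        else:
            return None
    return sorted(found)


def classify(url):
    """Return 'official', 'lookalike' (same words, different order) or 'other'."""
    domain = registrable(hostname(url))
    if domain in OFFICIAL_DOMAINS:
        return "official"
    tokens = tokenize(domain.split(".")[0])
    for good in OFFICIAL_DOMAINS:
        if tokens and tokens == tokenize(good.split(".")[0]):
            return "lookalike"
    return "other"


def check_post(text):
    """Classify every link found in a draft post (sample text is constructed)."""
    return [(m.group(0), classify(m.group(0))) for m in URL_RE.finditer(text)]
```

Anything other than `official` should hold the post for human review; the exact-match allowlist is the real control, and the lookalike label only explains why a link was rejected.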

We will continue to closely follow the Equifax breach as it progresses, so bookmark our blog to keep in the know. Not sure whether or not the free credit monitoring and identity protection provided by Equifax is enough? We will have a review of the TrustedID Premier service Equifax is offering coming soon, and in the meantime, you can read about our pick for the best alternative identity theft protection service.