2017 Equifax breach

Most data breaches are news today and forgotten tomorrow, but a handful live on because of the enormous impact they have on consumers. The 2013 Target breach is one people can never stop talking about, and it has been joined in infamy by the massive 2017 Equifax breach. Ultimately determined to have exposed the personal information of just under 148 million people, including Social Security numbers, addresses, driver's license numbers and much more, this breach sent shock waves around the world, partly because of its size but also because of the breathtaking failure of Equifax to protect data that many victims didn't even know it possessed in the first place. One year later, more light has been shed on the circumstances that led to the breach, but the millions of people who were affected still have no real justice. How did this breach happen, what consequences, if any, has Equifax suffered, and what can affected consumers expect for the future? Keep reading to find out.

Just how badly did Equifax fail?

In the weeks and months after the breach was publicly disclosed on Sept. 7, 2017, details emerged about how the attack could have happened and about the many mistakes made by Equifax employees at multiple levels. However, a recently published report from the U.S. Government Accountability Office (GAO), requested by several members of Congress, revealed that the blunders were far greater than anyone had imagined. To understand the various points at which Equifax failed, it helps to follow the breach's timeline. The GAO published with its report a chart depicting the reconstructed path the attackers took to reach the data, seen below.

[Figure: the GAO report's reconstruction of the attackers' path into Equifax's systems]

The timeline for the breach:

  • March 8, 2017: The United States Computer Emergency Readiness Team (US-CERT) issued an alert about a vulnerability that required patching (the Apache Struts flaw tracked as CVE-2017-5638). Equifax received the alert but did not successfully pass it on to everyone who needed to see it, because its internal distribution list was out of date. As a result, not all Equifax servers received the patch for this vulnerability.
  • March 10, 2017: Attackers began scanning the Internet for servers with this particular vulnerability.
  • May 13, 2017: The attackers hit payday when they gained access to the server behind Equifax's online dispute portal. After running a few commands to test whether their presence had been detected, they went on to issue queries against other databases, ultimately gaining access to 51 databases in total.
  • May 14 – July 29, 2017: The attackers slowly siphoned data from dozens of databases containing highly sensitive personal information belonging to millions of people, taking advantage of multiple security failures to stay hidden.
  • July 29 – 30, 2017: Equifax discovered the intrusion, raised the alarm and cut off the attackers' access the next day.

Multiple failures enabled the attackers’ success

This breach was possible in the first place because of the unpatched Apache Struts vulnerability, but that was just the first in a long line of errors and oversights that let the attackers move through Equifax's network. First, although Equifax had installed a tool to inspect network traffic for malicious activity, a certificate that had expired 10 months earlier prevented the tool from working properly, and with no restrictions on the frequency of database queries, the attackers were able to run some 9,000 queries without being flagged. Second, one of the databases the attackers reached contained unencrypted login credentials that let them access other databases, something made easier by the fact that the databases weren't separated (segmented) from one another.
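The missing control in the first point above is a limit, or at least an alert, on how many queries one source can issue in a short window and how many separate databases it touches. The following is an added example, not code from Equifax, the GAO report or any product named on this page. It assumes a hypothetical audit-log line format (timestamp, source address, database name, statement) and runs over constructed sample lines: one ordinary user issuing a query a minute against a single database, and one source issuing hundreds of queries across a dozen databases in a few minutes. The thresholds are illustrative, not figures from the report.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (hypothetical) audit-log line format, one query per line:
#   <ISO-8601 timestamp> <source_ip> <database> <statement>
# Real database audit logs differ; adapt parse_line() to the real format.


def parse_line(line):
    """Split one audit-log line into (timestamp, source, database)."""
    ts, src, db, _statement = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, db


def build_sample_log():
    """Constructed sample log, not real Equifax data.

    10.0.1.10 is a normal user: one query a minute against one database.
    203.0.113.7 is a noisy source: 300 queries in ten minutes across 12 databases.
    """
    start = datetime(2017, 5, 13, 9, 0, 0)
    lines = []
    for i in range(60):
        ts = start + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 10.0.1.10 dispute_db SELECT * FROM cases WHERE id = {i}")
    for i in range(300):
        ts = start + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 db_{i % 12:02d} SELECT * FROM users")
    lines.sort()  # fixed-width ISO timestamps sort chronologically as text
    return lines


def detect_query_bursts(lines, window=timedelta(minutes=5), max_queries=100, max_databases=5):
    """Return alerts for sources that exceed a query-rate or database-spread threshold.

    Rate rule:   more than max_queries from one source inside any sliding `window`.
    Spread rule: one source touching more than max_databases distinct databases.
    Each rule fires at most once per source so a burst does not flood the alert queue.
    """
    recent = defaultdict(deque)   # source -> timestamps of queries inside the window
    databases = defaultdict(set)  # source -> distinct databases touched so far
    fired = set()
    alerts = []
    for line in lines:
        ts, src, db = parse_line(line)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        databases[src].add(db)
        if len(q) > max_queries and (src, "rate") not in fired:
            fired.add((src, "rate"))
            alerts.append({"source": src, "rule": "rate", "count": len(q), "at": ts})
        if len(databases[src]) > max_databases and (src, "spread") not in fired:
            fired.add((src, "spread"))
            alerts.append({"source": src, "rule": "spread", "count": len(databases[src]), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_query_bursts(build_sample_log()):
        print(f"{alert['at'].isoformat()} {alert['source']} {alert['rule']} ({alert['count']})")
```

On the constructed log the ordinary user never trips either rule, while the noisy source is flagged for spread after its sixth distinct database and for rate once it passes 100 queries inside five minutes, long before it reaches the thousands of queries the report describes. The same two counters could equally drive a hard limit (refusing the query) rather than an alert; the point is that a per-source count is cheap to keep and would have surfaced the activity whether or not the traffic-inspection tool's certificate was valid.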

By the time the alarm was raised on July 29, the damage had already been done. Equifax alerted the FBI and retained a private cybersecurity firm to investigate, ultimately notifying the public more than a month after the breach was discovered. The GAO report notes that Equifax turned down an offer of assistance from the Department of Homeland Security, opting to hire the third-party firm instead to help it deal with the breach. As of now, it is still unknown who perpetrated the attack or what, if anything, has been done with all the data the attackers made off with. However, it's worth noting that the Consumer Financial Protection Bureau and the Federal Trade Commission still have open investigations into the breach that might bring more to light, if and when they conclude.

What consequences has Equifax suffered?

Internally, Equifax has gone through a lot of change: its CEO and CSO stepped down soon after the breach, and based on information gathered by the GAO for its report as well as what Equifax itself has published, the company has spent $200 million on a full overhaul of its cybersecurity. It has also changed many of its processes for reporting, communication and handling security matters such as patches and updates. But for many consumers, as well as the lawmakers pushing to punish Equifax, this isn't nearly enough. Despite all the noise made in the first few months after the breach (e.g., the congressional hearings we covered last October), very little has actually happened by way of fines, sanctions or other penalties. Though both the CFPB and FTC investigations began with some promise, both seem to have lost their edge as the year trudged on.

As of now, the head of the FTC unit investigating Equifax is Andrew Smith, a former lawyer who once defended the credit bureau in court. And there have been rumors of the CFPB putting its investigation on hold, though the bureau's chief disputed those after more than 30 Democratic senators sent a letter protesting the rumored shuttering of the investigation. Some members of Congress have tried to push through a bill that would penalize credit reporting agencies for failing to protect consumer data, but so far it has gone nowhere. Under the proposed legislation, Equifax would have racked up $14.3 billion in fines for its breach. Thus far, the company has paid nothing beyond what it has spent on cybersecurity and PR campaigns (as well as the amounts awarded in a handful of small-claims court cases).

What can consumers expect for the future?

Free credit monitoring will end soon

Consumers who signed up for the free credit monitoring Equifax offered until Jan. 31, 2018 might remember that the service was supposed to last one year. For many, that year is about to be up, and you might wonder what happens next. We received conflicting information: a call placed to TrustedID Premier customer service on Sept. 11 told us that when our editor's year was up (on Sept. 14, 2018, to be exact) the site would no longer be accessible and the service would no longer exist. An email she received dated Sept. 4, however, told her that she was receiving a free extension of her TrustedID Premier service "until further notice." This conflicting information brought back memories of the chaos surrounding the customer service Equifax set up to handle consumer queries a year ago. It's apparent that the company still hasn't quite gotten it right. Ultimately, those who enrolled in TrustedID Premier last year should be prepared for the service to end at some point in the next year. Equifax has followed Experian and TransUnion in setting up a free-for-everyone credit locking service called Lock & Alert (the credit bureaus' answer to the law that will make credit freezes free), but these free tools do not monitor your credit. If monitoring is something you still want, you'll need to pay for a service that provides it; you can learn about the best options by reading our credit monitoring reviews. Additionally, since credit freezes will be free as of Sept. 21, we think it's wise to consider a freeze instead of the credit lock tools provided by the bureaus.

Your data might still be out there

The hardest aspect of the entire Equifax breach to swallow is that, as mentioned earlier, it's still unknown who hacked the credit bureau or what they have done with the massive cache of data they stole. In the aftermath, many people were stunned to learn just how much data Equifax, a company they had never dealt with or possibly even heard of, held on them. The numerous blunders in disclosing and responding to the breach, coupled with the new facts turned up in the GAO report, drive home the point we make all the time: you should live your life assuming that your information is already compromised and act accordingly. What does this mean? It means routinely checking your credit reports, reviewing your bank and credit card statements, keeping an eye on the mail received at your home (as well as your email inbox) and practicing smart cybersecurity habits on all of your devices, including your phone.

Can you sue Equifax?

Unsurprisingly, a plethora of lawsuits have been filed against Equifax. Some people have chosen to go it alone, and a few have come out of small claims court victorious. One enterprising London man even created an app that streamlines the process for those who want to sue on their own. In addition, a staggering 400-plus class-action lawsuits were consolidated into one case that will be heard by a judge in Atlanta, where Equifax is based. Whether you elect to participate in the class action or go it alone, make sure you do your research beforehand and avoid falling for any scams along the way.

Equifax's name will leave a bad taste in the mouths of millions for many years after this breach, but only time will tell whether we'll learn more about who was behind it or see any real penalty levied against the credit bureau by the federal government. The best consumers can do is stay informed, which you can do by keeping up with our cybersecurity blog. We don't know when the next big data breach will occur, but you can be sure we'll be there to help you figure out what to do.