Two weeks ago, credit agency Equifax announced an unprecedented breach of consumer personal data in which records for 143 million customers in the United States alone were stolen. Equifax told the world that it discovered the breach in July, and that the breach began in May. Turns out that the second half of that statement isn’t quite true.
The Wall Street Journal obtained a confidential memo to Equifax from the company investigating the breach, FireEye’s Mandiant group, which details when the hackers gained access to Equifax’s systems.
Intruders used the Apache Struts vulnerability, which was discovered in March 2017, to gain access to the Equifax system in March, not in May as previously stated.
While the theft of data took place sometime between May and when Equifax learned about the breach in July, the baddies were moving about in Equifax’s systems undetected, even creating backdoors on secret web pages so they could log in from anywhere even after the breached IDs were discovered and stopped working.
The March access may have been information-gathering missions to find out which areas of the system were vulnerable to attacks, and could have been an effort on the part of the hackers to cast a wide net and find websites that hadn’t yet been patched after the vulnerability was discovered.
After gaining access to Equifax’s web interface, the hackers went after the sensitive data like Social Security numbers, birth dates, and driver’s license numbers.
Equifax left that back door open for four months even after a patch became available. It normally takes around 100 days for companies to go public about a breach, and Equifax took 140 days.
What the experts still don’t know
The person or group behind the attack still hasn’t been identified, but we do now know that their methods and tools don’t match up with any other group known to be hacking sites for personal gain now. It’s also not clear what the hackers plan to do with the data.