The Equifax Data Breach: A Preventable Catastrophe

In September 2017, the American credit reporting agency Equifax announced that hackers had gained access to the company’s data. This news instantly spread through the media and caused a sensation, as it involved 143 million American consumers.

The attackers stole highly sensitive information: names, birth dates, physical addresses, Social Security numbers, and credit card details. But the most surprising part was that this massive incident could have been easily prevented.

The first vulnerability exploited by the attackers was CVE-2017-5638. A patch for it had already been released at the time, but Equifax’s cybersecurity team failed to install it in time – and the hackers took notice.

Later, the attackers took advantage of another flaw – the lack of network segmentation. They quickly moved to other servers and gained access to a large number of computers. There, credentials were stored in plain text – another major cybersecurity mistake.

A report from the U.S. Government Accountability Office noted that Equifax had the necessary tools to decrypt, analyze, and re-encrypt data. However, they weren’t used because the TLS certificate had expired, and encrypted traffic was not being inspected.

The breach was discovered only on July 29, 2017, while the hackers had started their activity back on March 10. That means the attackers had four and a half months to execute their plan. It was only after renewing the expired TLS certificate that the company’s administrators detected the security breach.

To this day, the identity of the attackers remains unknown. The stolen data never appeared on the dark web, suggesting the hackers didn’t immediately try to monetize it. Additionally, even after gaining direct access to the data, the attackers waited two months before starting to exfiltrate it on a large scale.

Based on these signs, U.S. authorities believe that different hackers operated at different stages of the breach: initially, access brokers infiltrated the system, then sold their access to more sophisticated attackers. After the investigation, the U.S. accused China of being behind the attack, and Equifax ended up losing $1.38 billion as a result of the incident.

Key mistakes by Equifax and lessons cybersecurity professionals should learn:

1. Ignoring security updates leads to critical vulnerabilities.
2. Lack of IT asset control prevents timely threat detection.
3. Slow incident response allows attackers to remain undetected for extended periods.
4. Storing data without encryption makes it an easy target.
5. Weak cybersecurity culture within a company creates conditions for repeated incidents.
6. Lack of timely penetration testing and security audits eliminates the chance to detect and fix critical flaws.

The Equifax incident demonstrates that even large companies can suffer catastrophic losses if they neglect basic principles of cyber hygiene - and that carelessness in security can have national and even global consequences.