The Equifax data breach that compromised the personal data of almost 150 million Americans in 2017 unfolded like a classic robbery.
The criminals identified a flaw in the credit agency’s security system, executed a plan of attack to penetrate it and devised a scheme to cover their tracks on their way out, according to a criminal indictment unsealed Monday.
Those alleged criminals, four members of the Chinese military, exploited a flaw in software that allowed U.S. consumers to dispute problems with their Equifax credit reports. That gave the hackers access to Americans’ personal information, according to the indictment.
The breach occurred after Equifax security officials failed to install a software upgrade that had been recommended to seal off digital intruders from obtaining access to the names, birthdates and Social Security numbers of the victims, the indictment says.
The U.S. Department of Justice announced that a federal grand jury in Atlanta delivered a nine-count indictment accusing four hackers and members of China’s People’s Liberation Army – Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei – of serving as masterminds of the hack.
FBI Deputy Director David Bowdich said there’s no evidence the Chinese military used the stolen information for illegal purposes, but the “brazen theft” illustrates that “China is one of the most significant threats to our national security today.”
According to the indictment, the hackers:
• Recognized that Equifax failed to install an upgrade to Apache Struts software, which Apache recommended around March 7, 2017. The software underpinned an online portal that allowed consumers to dispute their credit report details.
• Used the flaw to upload code to an Equifax server to gain remote access to the system.
• Uncovered Equifax database credentials and “thereby falsely represented that they were authorized users of Equifax’s network.”
• Searched the system about 9,000 times for sensitive personal information while hiding the searches through encryption.
• Stuffed the personal information in temporary files, compressed them and divided them into smaller-sized files to increase their chances of transmitting the stolen data without being noticed.
• Used 34 servers in 20 countries during the breach and employed various other techniques, such as remote-desktop access and encrypted log-ins, to mask the origin of the hack.
• Deleted the compressed files after transferring the data into external storage, then configured settings to wipe out information tracking their activity.
The Apache Foundation – which oversees the widely used open-source software that the hackers exploited to obtain access to Equifax servers – revealed in September 2017 that “the Equifax data compromise was due to (Equifax’s) failure to install the security updates provided in a timely manner.”
Equifax acknowledged that the criminals who gained access to its customer data exploited a website application vulnerability known as Apache Struts CVE-2017-5638.
Equifax CEO Mark Begor said Monday in a statement that the company has made significant investments since the breach to bolster its data protection, including $1.25 billion for “enhanced security and technology” from 2018 to 2020.
“Our industry-leading cloud technology transformation will make us more secure and enable us to innovate and develop solutions. … Today’s announcement is another positive step forward in helping us turn the page on the cybersecurity attack as we continue our focus on being a leader in data security,” he said.
Could a similar hack happen to others?
“The reality is there’s little consequence for companies that are holding onto this information” and who fail to protect it, said Adam Garber, consumer watchdog with the Public Interest Research Group’s Education Fund. “And without those consequences, there’s not a lot of incentive for them to stay on top of the highest data security (protocol) out there.”
John Yanchunis, an attorney at law firm Morgan & Morgan who helped lead negotiations for a $380.5 million settlement with consumers affected by the Equifax breach, said companies need an incentive to take proactive security steps.
“All too often we see companies acting out of consequence instead of conscience,” he said.
Can companies play defense?
But are companies capable of fending off military hacking attempts at all?
“Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult,” Equifax CEO Begor said in a statement. “Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand. These cyber attacks on U.S. companies continue to escalate and are increasingly challenging to defend when well-financed state actors are involved.”
PIRG’s Garber said the fact that state-sponsored actors have significant capabilities doesn’t excuse companies from making a sophisticated effort to protect consumers.
“Is anything ever perfectly secure? Probably not. But they should do everything in their power to make sure that it’s safe,” he said.
Yanchunis said companies can hire ethical hackers to test their systems for vulnerabilities and reward them when they find flaws. Companies should also implement early detection systems and conduct breach simulations to better prepare themselves for inevitable attacks, he said.
Consumers have few defenses
But how can consumers prepare themselves as more and more personal information falls into the wrong hands?
You can take steps to protect yourself: stop reusing passwords and get a password manager, deploy two-factor verification, and exercise caution when installing software on your computer or apps on your phone.
Still, it’s nearly impossible to insulate yourself from data breaches like the one at Equifax in which thieves made off with Social Security numbers, driver’s license numbers and other information which can then be used to impersonate you and wreck your financial record.
If your identity is stolen, it takes time to prove you’re a victim. In the meantime, your credit cards can be denied, collection agencies may harass you and you can get turned down for mortgage applications.
Consumer advocates urge anyone whose data has been breached to monitor their accounts regularly to keep fraudsters from opening credit cards and other loans in their name. You can set up fraud alerts with credit bureaus or freeze your credit. But, advocates say, problems can keep popping up, often for years.
Security experts say corporations across all industries are vulnerable to hacks. Credit reporting agencies by their very nature amass the kind of sensitive personal data that can be used to swipe someone’s identity.
Monday’s indictment does not detract from “vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” Senator Mark Warner, the senior Democrat on the Senate Intelligence Committee, said in a statement. He has introduced legislation to hold credit reporting agencies including Equifax accountable for such breaches.
Contributing: Jessica Guynn
Source Article from https://www.usatoday.com/story/tech/2020/02/10/2017-equifax-data-breach-chinese-military-hack/4712788002/