The report comes from the Government Accountability Office, a watchdog organization from the federal government. The GAO reviewed documents from Equifax as well as files from the company’s cybersecurity consultant to figure out how the company was hacked and what credit-monitoring services should do to protect itself.
The watchdog group also discovered that Equifax turned down assistance from the Department of Homeland Security, opting instead for a private, third-party cybersecurity company to help manage its breach response.
The attack process started on March 10 when hackers searched the web for any servers with vulnerabilities that the US-CERT warned about just two days earlier. Two months later, on May 13, they hit the jackpot with Equifax’s dispute portal — a section where people could go to argue claims from the credit-monitoring service.
There, hackers used an Apache Struts vulnerability, a months-old issue that Equifax knew about but failed to fix, and gained access to login credentials three servers. They used those login credentials from the dispute portal and found that it allowed them to access another 48 servers containing personal information.
The thieves spent 76 days within Equifax’s network before they were detected. According to the report, the hackers stole the data piece by piece from 51 databases so they wouldn’t raise any alarms.
Equifax didn’t know about the attack until July 29, more than two months later, and cut off access to the thieves on July 30.
Since then, Equifax said that it’s implemented a new management system to handle vulnerability updates and to verify that the patch has been issued.
Sen. Ron Wyden, a Democrat from Oregon, Sen. Elizabeth Warren, a Democrat from Massachusetts, Rep. Elijah Cummings, a Democrat from Maryland, and Rep. Trey Gowdy, a Republican from South Carolina, were the four lawmakers who requested the report.
‘Today’s report highlights the breakdowns and failures at Equifax that led to one of the largest and most consequential data breaches in United States history,’ Cummings said in a statement. ‘Now that we know even more about what led to the Equifax breach, it is critical that we develop serious and concrete proposals to help the American people.’