THE EQUIFAX DATA BREACH may have been the work of Chinese intelligence and bears similarities to the September 2015 attack on the US Office of Personnel Management.
According to Bloomberg, citing sources involved in the investigation, the attack on Equifax was launched within a week of the security flaw in the Apache Struts web application framework being disclosed.
Bloomberg's research suggests that once Equifax had been penetrated, the 'entry crew' handed off to more sophisticated hackers who not only drained Equifax's database of every last element of private data, but set up more than 30 separate entry points into Equifax's systems.
"The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up," according to Bloomberg, which claims to have reconstructed the attack via interviews with people involved in the investigations being conducted by both Equifax and the FBI.
It suggests that the attack coincided with a dispute between Equifax and Mandiant, one of its security partners brought in to help deal with a different security problem, just as the attack was getting underway. Equifax accused Mandiant of using the classic consulting sales trick of using the A-team to sell its services and sending in the B-team after the contract was signed.
This dispute led Equifax to ignore the initial results of Mandiant's work, which indicated "unpatched systems and misconfigured security policies" - although these claims might equally indicate backside covering on the part of Mandiant.
The attackers, though, weren't slow to take advantage of Equifax's security shortcomings: "According to an internal analysis of the attack, the hackers had time to customise their tools to more efficiently exploit Equifax's software, and to query and analyse dozens of databases to decide which held the most valuable data."
And, despite investing a lot of money in intrusion detection software and a cybersecurity team, both were "compromised by poor implementation and the departure of key personnel in recent years", it adds.
Furthermore, while the finger of blame has been pointed at China, the attackers did not necessarily use tools that unambiguously pointed in that direction.
"One of the tools used by the hackers - China Chopper - has a Chinese-language interface, but is also in use outside China," added Bloomberg.
It also noted that staff appeared to have had overly easy access to personal data, according to former vice president of data quality Steve VanWieren, who left five years ago, although the company says that there is no evidence of insider involvement.
While the reporting of the attack has focused on the risk of identity theft arising as a result of the compromise, if an intelligence service is behind it they will no doubt be interested in the addresses of people - such as military personnel or dissidents - who may wish to remain hidden from foreign governments. µ