Equifax Hack Leaves Consumers, Financial Firms Scrambling

By AnnaMaria Andriotis, Robert McMillan and Christina RexrodeFeaturesDow Jones Newswires

Consumers, financial firms and regulators were scrambling Friday to assess the damage the massive hack at Equifax Inc. could cause even as the credit-reporting company came under attack on multiple fronts for its handling of the cyberattack.

Consumers criticized the company's attempts to help protect them from identity thieves, citing a confusing process and difficulty signing up for credit-monitoring services. In Washington, regulators said they are examining the company's actions and two congressional committees said they would hold hearings examining the breach, which exposed personal financial information of potentially 143 million Americans.

Continue Reading Below

On Wall Street, investors battered the company's shares, sending them down nearly 14%.

The hack is under investigation by the Federal Bureau of Investigation. It ranks as one of the three worst data breaches of all time, alongside Yahoo's loss of more than 1 billion records, disclosed last year, and Sony's 2014 cyberattack, which exposed confidential data and knocked computers and telephones offline.

Equifax didn't reply to requests for comment.

The Equifax hack is potentially the most dangerous of all, though, because the attackers were able to gain vast quantities of personal identification -- names, addresses, social security numbers and dates of birth -- at one time.

"It's certainly the worst single breach of personal information that I know of," said Avivah Litan, a vice president with industry-research firm Gartner Inc. "This data is the key to everyone's files and interactions with financial services, government and health care."

As they grappled with what to do next, consumers and some lenders questioned the amount of time it took the company to disclose the problem after its discovery in late July. "Bad news should travel fast," said Paul Murphy, chief executive of Cadence Bancorporation in Houston. "That's just a rule in business and it's disappointing that it took so long."

Officials at multiple banks said Friday they still needed more information from Equifax about what exactly had been hacked, and were struggling to form strategies until then. Officials at some banks said they didn't yet have the information they needed to figure out which customers might have been affected -- making the situation worse than some previous breaches. For example, after data breaches at Target Corp. or Home Depot Inc., banks were able to pull information on which customers' cards had been used at those retailers.

"It's not even clear at this time how the breach occurred or who's responsible for the breach, and those are important details," said Jeremy Dalpiaz, assistant vice president for cyber- and data-security policy for the Independent Community Bankers of America.

Banks also worried about losses that could accrue from any fraud stemming from the hack, both in terms of who will be liable and any chill it could put on lending.

"If a big bank loses $1 million, that's one thing," said Dan Berger, CEO of the National Association of Federally-Insured Credit Unions. "If a smaller financial institution loses $100,000, that could put it in the red for the year. The impact of these data breaches could be catastrophic."

Investigators are still trying to assess how the hack occurred, although they have determined it was a coordinated, large-scale attack.

When Equifax uncovered the hack in late July, the company didn't immediately realize its extent, according to people familiar with the investigation. The company engaged FireEye Inc.'s Mandiant cyber investigations division -- the same company that had investigated Yahoo's data breach.

In subsequent weeks, the firm informed Equifax that the impact could be big, possibly affecting around 50 million accounts, said a person familiar with the matter. But a couple of weeks after that, the firm updated its estimates, telling Equifax that they found the hit was much bigger than thought, the person said.

Equifax executives decided to hold off on informing the public until they had more clarity on the number of people impacted and the types of information that were compromised, the person said.

Although many questions about the precise techniques used by the hackers are still unanswered, investigators determined the hackers had broken in via a vulnerability in the company's web-server software. This point of entry appears to have been web-server software called Apache Struts, according to people familiar with the matter.

In March, security researchers at Cisco Systems Inc. warned that a bug in the Struts software was being leveraged in a "high number" of attacks. And it appears that Equifax wasn't working with the latest version of Apache Struts, according to people familiar with the matter.

Although it isn't clear if this vulnerability was the hackers' main line of attack, this possibility has raised broader concerns. It could increase risk in the credit space more broadly, Barclays analyst Manav Patnaik wrote in a note Thursday night that discussed the Apache Struts vulnerability.

TransUnion, another of the big credit-reporting companies, said Friday that it was investigating "the nature of this attack" to "determine what, if any, actions from TransUnion might be appropriate."

There were some earlier signs of a problem at Equifax before its announcement of the breach Thursday. In August, hackers claiming to have obtained credit-card data from Equifax attempted to sell their database in online forums, according to Andrew Komarov, an independent security researcher. They failed to come to terms, however, and don't appear to have sold the information as of Friday, Mr. Komarov said.

Equifax said that 209,000 credit-card numbers were stolen as part of the attack. A database that size could fetch $500,000 on the black market, Mr. Komarov said.

The broader data-set of data including personal information would likely be worth several hundred thousand dollars, if the hackers could find a buyer, said Andrei Barysevich, director of advanced collection at intelligence research firm Recorded Future Inc.

Write to AnnaMaria Andriotis at annamaria.andriotis@wsj.com, Robert McMillan at Robert.Mcmillan@wsj.com and Christina Rexrode at christina.rexrode@wsj.com

(END) Dow Jones Newswires

September 08, 2017 18:39 ET (22:39 GMT)