A great mystery has gripped the security world for some time now, and unfortunately more questions are being raised than answers. Over 17 months on from the incident, experts are still hunting for the stolen data of around 143 million people after the unprecedented Equifax breach. They are looking in all the right places: dark, underground websites that put information like this up for sale on a daily basis. But despite the frantic search for this data, or any evidence that it has been sold, the trail remains cold.
On the 7th September 2017, the world awoke to the consumer data scandal of the decade. Equifax, one of the largest repositories of America’s most sensitive financial data, had fallen victim to one of the largest data breaches in history. The consumer credit reporting agency had the extensive personal information of nearly 143 million Americans exposed and stolen.
This information ranged from dates of birth, credit-card numbers, driver’s license scans, social security numbers, credit dispute details and more. The scandal triggered a change in credit freeze laws and instilled new regulatory oversight of credit rating agencies, as well as seeing the CEO, Richard Smith, stepping down.
Then, strangely, the data disappeared completely.
The Hunt Begins
Data ‘hunters’ – experts who scour the dark web for stolen information – began a full-scale search for the data which, considering its value, had to end up for sale somewhere. But their searches were fruitless; 17 months later and no one has been able to locate the data on any of the hundreds of underground websites.
Stolen consumer data usually goes up for sale soon after a company is hacked. The hackers aim to have the data palmed off before the company gets a sniff that it was stolen, so they work fast. If they wait too long and the company realises what has happened, that company or its customers will likely make changes and render the data useless.
Recently, the Chief Information Security Officer of Equifax, Jamil Farshchi, made the following statement:
“We are all working to be able to consistently determine whether this data is out there and whether it has ever been out there. And at this time there has been absolutely no indication whatsoever that the data has been disclosed, that it has been used or that it has been offered for sale.”
The good news is that the information does not appear to have been sold to cybercriminals. The bad news is that it is still out there. The data could be stored in a discreet place for later use, or even be released in such an incremental, drip-fed way that no one has noticed its circulation yet.
Or, it could have been placed in the hands of someone whose interests are not financial, for example a foreign intelligence agency.
The first major theory that emerged was that the data was stolen by intelligence officers working for a foreign state. Others argued that the data was stolen by ordinary criminals and not sold, because the hackers were afraid that it was too hot and putting it up for sale would lead law enforcement straight to them.
Going straight down the middle between these two theories, a consensus has begun to develop amongst investigators and experts. The story goes that the breach began with a low-level criminal who exploited the multiple vulnerabilities in Equifax’s defences but was not capable of doing more damage by moving further into the company’s systems. The criminal then sought help through the criminal underground, and the call was answered by a nation-state intelligence agency.
This new ‘buyer’ used highly sophisticated techniques and tools to hack deeper into the company’s database, exfiltrating millions of terabytes of data and causing utter chaos. What exactly would they do with this information? Well, they could combine it with other stolen data, analyse it using artificial intelligence and create an algorithm of who is likely to be, or to become, a spy for the US government.
This hand-off to more sophisticated attackers is reminiscent of two previous attacks – the breach of Anthem and of the US Office of Personnel Management, which were eventually attributed to Chinese intelligence. This exact narrative was also intricately explored in a Bloomberg piece in September 2017, with convincing effect.
The stolen credit reporting data also gives insights that can be used to turn people into agents, influencers or informants for a foreign government. This is done by identifying people with significant financial problems, who could be compromised using bribes or high-paying jobs. After all, financial distress is a common reason for committing espionage.
With this in mind, experts are expanding their sights to current news, looking for stories of bribery, of unexpected people rising through the ranks, of spies being caught or politicians speaking differently. However, it is important to remember that this is simply a theory, albeit a concerning and somewhat convincing one.
The Confusing Contradictions
This entire story, however, flies in the face of the over 240 class-action lawsuits that have been filed by consumers against Equifax. Over the months, multitudes of stories have been emerging from individuals who claim to be victims of the breach, and who have had anything from credit cards, car loans, mortgages, driver’s licenses and student loans fraudulently made in their name.
One lawsuit, Allen et al v Equifax, combines over 50 individuals who seemingly had their personally identifiable information stolen during the Equifax breach. This data has allegedly been used to open things such as bank accounts and phone accounts, with one victim claiming she had insurance claims made on her behalf between May and June 2017.
It could very well be that these are simply victims of the 7,125,940 million data records that were compromised per day in 2017, according to international digital security company Gemalto. It could have nothing to do with the Equifax breach, or it could be part of a brilliant scheme to drip feed the data through the dark web to avoid raising any alarms.
There are many possibilities when it comes to a breach of this magnitude, and especially one shrouded in such mystery. What we know for certain is that individuals and organisations alike will continue to feel the effects of the Equifax breach for many years to come. The lingering feelings of distrust and failure have spread out towards policy, politics, business organisation and consumption. At the end of the day, the data is out there because the company failed to protect it, and it will be used one way or another by whoever controls it now.
Author: Elsa Chapple, Agilient Consultant