Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans, Motherboard has learned. Six months after the researcher first notified the company about the vulnerability, Equifax patched it—but only after the massive breach that made headlines had already taken place, according to Equifax's own timeline.
This revelation opens the possibility that more than one group of hackers broke into the company. And, more importantly, it raises new questions about Equifax's own security practices, and whether the company took the right precautions and heeded warnings of serious vulnerabilities before its disastrous hack.
Late last year, a security researcher started looking into some of the servers and websites that Equifax had on the internet. In just a few hours, after scanning the company's public-facing infrastructure, the researcher couldn't believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence, the researcher told Motherboard.
"All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app."
The site looked like a portal made only for employees, but was completely exposed to anyone on the internet. It displayed several search fields, and anyone—with no authentication whatsoever—could force the site to display the personal data of Equifax's customers, according to the researcher. Motherboard saw multiple sets of the data they were able to access.
"I didn't have to do anything fancy," the researcher told Motherboard, explaining that the site was vulnerable to a basic "forced browsing" bug. The researcher requested anonymity out of professional concerns.
"All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app," they said. In total, the researcher downloaded the data of hundreds of thousands of Americans in order to show Equifax the vulnerabilities within its systems. They said they could have downloaded the data of all of Equifax's customers in 10 minutes: "I've seen a lot of bad things, but not this bad."
While probing Equifax servers and sites, the researcher said that they were also able to take control—or get shell access as hackers refer to it—on several Equifax servers, and found several others vulnerable to simple bugs such as SQL injection, a common, basic way of attacking sites. Many servers were running outdated software. According to one analysis performed in early September, Equifax had thousands of servers exposed on the internet, indicating both massive sprawl and loose control of its infrastructure, which increased the company's attack surface.
After discovering all these issues in December, the researcher said they immediately reported them to the company.
"It should've been fixed the moment it was found. It would have taken them five minutes, they could've just taken the site down," they told me. "In this case it was just 'please take this site down, make it not public.' That's all they needed to do."
According to the researcher, Equifax didn't take the site down until June.
Everyone knows what happened next.
On September 7, Equifax, the largest credit reporting agency in the United States, disclosed this massive hack of its internal systems. The firm, which, ironically, sells services to monitor data breaches, revealed hackers had stolen the sensitive personal data of 145.5 million Americans, including social security numbers, names, home addresses, and driver's license numbers. For many former Equifax employees, this breach came as no surprise.
Given that banks and other financial institutions rely on Equifax's data to verify the identity of potential customers seeking credit, this was a massive, damaging hack not only to the 145.5 million victims, but the whole US economy. Equifax has publicly blamed the breach on an unpatched vulnerability in the web application software Apache Struts and on one employee who failed to identify it and patch it on a specific consumer dispute portal.
The consumer dispute portal where Equifax says the the breach happened is not the same one that the security researcher identified as vulnerable last year. But the type of data exposed is similar, and according to Equifax's own timeline, the vulnerable website discovered by the researcher was still up when the company was hacked in May, and was still up three months after a reported separate breach.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
The researcher's findings, in other words, showed there were multiple ways into Equifax's networks. Months later, the hackers, who stole the records of 145.5 million Americans and 700,000 Brits, exploited more than 30 different servers, according to Bloomberg. Considering all the bugs and vulnerabilities they identified, the anonymous security researcher is convinced Equifax wasn't just hacked by one group of attackers.
"If it took me three hours to find that website, I definitely think I'm not the only one who found it," they said. "It wasn't just one breach. It was maybe dozens."
Equifax declined to answer any specific questions about the researcher's findings. "As a matter of policy, Equifax does not comment publicly on internal security operations," the company told me in a statement.
Data breaches are part of life, but given the sensitivity of the data Equifax handles, as well as the way it botched the breach's disclosure, many in the information security world say Equifax didn't do enough to keep our data safe.
That opinion is also held by many former Equifax employees, who told me the company didn't take security seriously enough.
Motherboard spoke to 14 former Equifax employees to gauge whether a spectacular hack like this one was something the company should've foreseen and prepared for. We granted anonymity to these employees because they signed nondisclosure agreements with the company. While there was no consensus, the majority of former employees, some of whom worked in the security team or alongside it, said a breach like this was inevitable.
"The degree of risk [Equifax] assumes is found, by most of the IT staff who worked elsewhere, to be preposterous," said a former employee, who worked in IT at Equifax and is now a cybersecurity engineer.
"Being a trusted steward of data is vital to the mission of Equifax," the company's former CEO Richard Smith, who resigned in the wake of the data breach, told lawmakers during a hearing on October 4. "I've been there for 12 years, Mr. Chairman, and we embarked upon a very aggressive ramp-up in creating a culture, creating processes investing in people, in tools to put security top of mind."
Another former employee, who was part of the cybersecurity team and left the company this year, said that Equifax hired Deloitte last year to do a security audit. The audit found several problems, including a careless approach to patching systems, according to the former employee.
"Given the amount of data they have access to and the sensitivity of it, security isn't at the forefront of everybody's mind, not how it should be."
"Nobody took that security audit seriously," the former cybersecurity team employee told me. "Every time there was a discussion about doing something, we had a tough time to get management to understand what we were even asking."
When I asked a current employee on the cybersecurity team to confirm this fact, they replied that they weren't sure about Deloitte specifically because Equifax brings in security consultants regularly. A Deloitte spokesperson declined to comment, saying "confidentiality prohibits us from confirming or discussing client engagements."
Equifax declined to answer a series of specific question for this story. Instead, a spokesperson sent the following statement:
"As a matter of policy, Equifax does not comment publicly on internal security operations. However, as our former CEO recently testified to Congress, Equifax has in the past conducted thorough security reviews using expert external review teams," the statement read. "He further testified that Equifax expended significant resources to install industry standard cybersecurity defenses and put in place processes to address vulnerabilities. Since the recent breach, additional remediation steps have been taken. It is incorrect to suggest reports were ignored."
Perhaps, Equifax's disastrous data breach was a foregone conclusion, given the company's history of security mishaps. Some of the former employees we spoke to had specific stories about vulnerabilities that remained unpatched, internal portals that weren't as secure as they should have been, and infrastructure that didn't require two-factor authentication to log in to.
One year, according to the former employee who worked in IT, he and his team found that someone had programmed files to be inappropriately wiped on multiple servers—an act of internal sabotage, he said. But the team had no way of discovering who did it—there were no activity logs or ways to track who had set up the script.
"Luck is what found it," he said. "It isn't like [Equifax] had file integrity monitoring or anything like that to discover it—not even on systems with sensitive information."
These issues have been the norm at Equifax, according to the people I spoke to. One person, who worked at Equifax around 10 years ago, recalled that during his time there he warned the company of some servers that needed to be patched because they had open file-sharing ports that could be exploited by worms. The company did nothing, and, three months later, some servers got infected with the infamous Conficker worm, the source said.
"It's the same problem, but 10 years later," the source said.
As Bloomberg reported in September, Equifax employees were so worried a hack might be coming that they used to joke that the over-100-year-old company was just one hack away from bankruptcy.
"It's a strange company. Given the amount of data they have access to and the sensitivity of it, security isn't at the forefront of everybody's mind, not how it should be," another former Equifax cybersecurity employee told me. "It was always a bit of a struggle there to get anything done."
The anonymous researcher who could've downloaded all Americans' data knows this very well.
"I couldn't believe it, it was shocking," they told me. "It was just disgusting to see them take this long to do anything about it."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.