What We Know and Don’t Know About the Equifax Hack

The rules for commercial use of open-source software can vary. Generally speaking, open-source software is built collaboratively by developers inside companies, academia and even hobbyists, and is available for free or at a low cost. Different types of Apache software are widely used all over the world.

What We Don’t Know

• It is not clear who had access to the website software exploited by the hackers. Although Equifax said that the hackers had exploited the vulnerability in a “U.S. website application,” that does not mean it was one of the company’s public-facing websites. It could mean that the exploited software was only available to Equifax employees. If that was the case, the hackers who exploited the flaw could have had access to the company’s private network.

• It is also unclear why the company did not patch the vulnerability and why other security methods failed to stop the attack. Within three days of the vulnerability being revealed, public reports said that hackers were already exploiting the bug on websites. Had Equifax followed the advice of the community of software developers who oversee Struts, “this breach would not have occurred,” said Oege de Moor, the chief executive of the security firm Semmle.

Mr. de Moor said that the publicly available instructions for patching the bug were “clear and simple.”


In addition to personal information, the Equifax hackers stole credit card numbers for about 209,000 consumers. But exactly who undertook the online breach remains unclear.

Elise Amendola/Associated Press

But there are other ways of guarding against potential attacks. Avivah Litan, a security analyst with the research firm Gartner, said that the bug alone was not to blame. “You have to have layered security controls,” Ms. Litan said. “You have to assume that your prevention methods are going to fail.”

• The perpetrators of the Equifax breach have not been identified. A group of hackers calling themselves the “PastHole Hacking Team” has claimed responsibility, and threatened to release the data on Friday if their ransom demand of 600 Bitcoin — roughly $2.5 million — is not met. In posts and communications with security researchers, members of the team claimed they were able to garner far more data than they expected when they targeted Equifax.

• That doesn’t mean this group of hackers was really responsible. Intelligence officials and security analysts in private industry said that while it is far too early to say definitively who breached Equifax, the leading theory is that the company was hit by a nation-state or hackers operating on a nation-state’s behalf. They point to the sheer scale of theft, which most likely would have required a heightened degree of sophistication to pull off without being detected.

Other security experts said it would be smart to consider motivation and intent. “Are cybercriminals going to try and sell circa 150 million records in dark web auctions? That’s nearly half the population of the United States,” said Thomas Boyden, president of GRA Quantum, a company that specialized in cyberattack incident response. “Are there standard cybercriminals out there with the purchasing power for that type of data?”

Still, the detailed personal and financial information collected by a company like Equifax can be resold on the so-called Deep Web. It is much more valuable than credit card numbers, because it has a longer life span and can be used to access all kinds of other information, like bank accounts, loan details and medical records.

• Have these hackers struck before? Mr. Boyden and others said that the breach had many parallels with previous breaches of personal information by nation-states and their contractors. Such government-affiliated hackers compile giant databases of stolen information to see if there is material that can be used for espionage or perhaps even blackmail. Using data-sifting technologies, they comb through massive collections of information to find useful material.

Continue reading the main story