On the anniversary of the major Equifax breach, lawmakers released a report (PDF) detailing exactly how the credit monitoring company had been hacked.
The report comes from the Government Accountability Office, a federal government oversight agency. The GAO reviewed the Equifax documents as well as the files of the company's cybersecurity consultant to determine how the company was hacked and what credit monitoring services should be put in place to protect themselves.
The oversight agency also found that Equifax had refused help from the Department of Homeland Security, opting instead for a private third-party cybersecurity firm to manage its response to the breach.
The attack process began on March 10, when hackers searched the Web for servers with vulnerabilities that US-CERT had warned of two days earlier. Two months later, on May 13, they hit the jackpot through the Equifax Dispute Resolution Portal – a section where people could go to the credit monitoring service.
There, hackers exploited a vulnerability in Apache Struts, a problem several months old that Equifax knew of but had failed to correct, and gained access to three login credentials. They used these login credentials from the dispute portal and found that they allowed access to 48 other servers containing personal information.
The thieves spent 76 days in the Equifax network before being detected. According to the report, hackers stole data piece by piece from 51 databases so as not to trigger an alarm.
Equifax only became aware of the attack on July 29, more than two months later, and cut off the thieves' access on July 30.
Since then, Equifax has reportedly implemented a new management system to manage vulnerability updates and verify that the fix was released.
Senator Ron Wyden, Democrat of Oregon, Senator Elizabeth Warren, Democrat of Massachusetts, Rep. Elijah Cummings, Democrat of Maryland, and Rep. Trey Gowdy, Republican of South Carolina, were the four lawmakers who asked for the report.
"Today's report highlights Equifax failures and failures that led to one of the largest and most consequential data breaches in the world. history of the United States," Cummings said in a statement. "Now that we know more about what led to the Equifax breach, it is essential that we develop serious and concrete proposals to help the American people."