How the Equifax Data Breach Happened: What We Know Now

CNN/Stylemagazine.com Newswire | 9/19/2017, 10:49 a.m.
Hackers were able to access personal data of 143 million Equifax customers. How did it happen? Much is still unknown. ...
Equifax says a giant cybersecurity breach compromised the personal information of as many as 143 million Americans, almost half the country.

Jackie Wattles and Selena Larson

(CNN Money) -- Hackers were able to access personal data of 143 million Equifax customers.

How did it happen?

Much is still unknown. But it came down to a flaw in a tool designed to build web applications, the company said in a press release this week. And Equifax admitted it was aware of the security flaw a full two months before the company says hackers first gained accessed to its data.

Some of the information hackers had access to includes names, Social Security numbers, birth dates, addresses and some driver's license numbers.

The tool is called Apache Struts, and it's used by many large businesses and government organizations. Equifax used it to support its online dispute portal -- where Equifax customers go to log issues with their credit reports. The flaw allowed hackers to take control of a website.

A cybersecurity arm of the U.S. Department of Homeland Security, US-CERT, "identified and disclosed" the Apache Struts flaw in March, Equifax said in a statement.

And the company's security department "was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems."

Yet, according to the company, hackers exploited the flaw months later.

Equifax has said it discovered the data breach on July 29. On Friday, it said it waited until it "observed additional suspicious activity" a day later to take the affected web application offline.

And on August 2 Equifax contacted Mandiant, a professional cybersecurity firm, to help the company assess what data had been compromised.

With help from Mandiant, Equifax was able to determine a series of breaches had occurred from May 13 through July 30, the company said.

Patching software at big corporations with many machines does take time. They must first identify the vulnerability, then implement and test the patch to make sure it doesn't break anything before making it public.

However, security experts say Equifax should have moved faster.

"There's really no excuse whether it's a difficult patch or not, for an organization of that size with that kind of magnitude of data," said Jon Hendren, director of strategy at security firm UpGuard. "When you're a big organization like that, it's a systemic failure of process and the blame goes straight to the top."

Equifax has also been widely criticized for waiting more than a month to alert its customers and shareholders about the hack.

On Friday, the company announced its chief information officer and chief security officer are "retiring."