
Breaking News: Who's to Blame for the Equifax Data Breach?


Here at TrustDALE, we have been following the massive data breach at Equifax from day one. Now, there is some breaking news about who's to blame. And now that we know who's to blame, our next step is to figure out what they plan to do with all that data, and how to protect ourselves.

The Equifax Data Breach

On September 7, 2017, Equifax announced that its servers had been hacked, and the personal information of an estimated 140 million Americans was compromised. However, this disclosure came a full forty days after Equifax first learned of the breach.

The problem began in March of 2017. Equifax used a software framework called Apache Struts to run its systems handling credit disputes for consumers. On March 7, 2017, a security patch was released for Apache Struts to repair a known security flaw that could be exploited by hackers. Although the patch was released publicly, Equifax did not install the patch, leaving its systems vulnerable.

Two months later, on May 12, 2017, hackers used the security flaw to break into Equifax's computer systems. The breach continued until July 29, 2017, when Equifax discovered it. By July 30, the very next day, Equifax had shut down the breach, but not before hackers downloaded the personal information of about 140 million Americans. For context, there are about 128 million households in the US. So it is likely that at least one member of every American family had their data stolen.

Response to the Equifax Data Breach

Reactions to the breach ranged from public relations disasters and political chastisement to class action lawsuits on behalf of consumers. Equifax eventually took steps to offer free credit monitoring for affected individuals, as well as offering free credit freezes.

At that time, TrustDALE recommended that all affected consumers freeze their credit to prevent hackers and criminals from using their data to open up accounts in their name. Law enforcement agencies expected the hackers to start selling the valuable data on the dark web, where criminals could buy the data and use it to open fake accounts and commit other types of identity fraud.

However, no such sales occurred, leading to further speculation as to who hacked the data and what they planned to do with it. One theory was that the hackers were holding onto the data until the investigations slowed, at which point it could be sold more easily. But two and a half years later, investigators have still not seen this data go on sale.

Who is Responsible

On February 10, 2020, US officials indicted four members of the Chinese army in relation to the breach. According to US investigators, the data breach was conducted on behalf of the Chinese government. However, it remains to be seen precisely what the Chinese government plans to do with all that data.

One possibility is that China hopes to infiltrate the US economic system, in much the same way that foreign governments have infiltrated our political system. If China can even partially shut down the US credit market—either by force or by injecting uncertainty into the system—it can bring the US economy to a grinding halt. Banks would be reluctant to lend money, which is crucial to the functioning of US markets.

Another possibility is that China hopes to use personal information to access high-profile individuals and blackmail them into cooperation with Chinese interests.

Whatever the reason behind China's actions, the US response has been disappointing. To this day, not a single law has been passed to deal with the fallout of the breach or to punish China for its behavior.

At this time, TrustDALE still encourages consumers to freeze their credit. We will continue to follow this story and bring you any updates as they occur.