


Attackers Made 9,000 Unauthorized Database Queries in Equifax Hack: Report

It took Equifax 76 days to detect the massive 2017 data breach, despite the fact that attackers had conducted roughly 9,000 unauthorized queries on its databases, according to a new report from the U.S. Government Accountability Office (GAO).


In mid-May 2017, malicious actors exploited a known vulnerability in the Apache Struts development framework to gain access to Equifax systems. The company said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom. The incident resulted in social security numbers, dates of birth, email addresses, addresses, driver’s license numbers, payment cards, dispute documents, and other data getting compromised.

Now, roughly one year after the breach came to light, the GAO published a report detailing the Equifax breach. The agency’s report, commissioned by several U.S. senators and representatives, is based on documents from Equifax and the cybersecurity consultants called in by the company following the breach, public statements filed by Equifax, and documents from the Internal Revenue Service (IRS), Social Security Administration (SSA), and U.S. Postal Service (USPS).

According to the GAO report, attackers started scanning Equifax’s systems for the Struts vulnerability just a few days after the existence of the security hole was made public. One of the affected systems was an online dispute portal, on which the attackers gained the ability to execute system-level commands. That enabled them to start querying tens of databases in an effort to find personally identifiable information (PII).

Equifax’s security systems not only failed to detect the Struts vulnerability in the online portal, they also failed to detect the attackers once they gained access.

The GAO says the hackers executed roughly 9,000 database queries, some of which returned personal information. The breach was ultimately detected by the company’s security team during routine checks.

“As reported by Equifax, a network administrator conducting routine checks of the operating status and configuration of IT systems discovered that a misconfigured piece of equipment allowed attackers to communicate with compromised servers and steal data without detection. Specifically, while Equifax had installed a device to inspect network traffic or evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected,” the GAO report reads.


The misconfiguration was caused by a digital certificate that had expired 10 months before the breach occurred, which allowed the attackers to run commands and exfiltrate data over an encrypted connection without being detected.

The investigation that followed the breach also revealed that the credit reporting agency had failed to implement proper network segmentation, enabling malicious actors to access many databases beyond those related to the online dispute portal that they initially hacked.

Another problem highlighted in the report is that credentials for accessing multiple databases were stored unencrypted in one database that the attackers accessed.

The GAO pointed out that the 9,000 queries run by the attackers showed the lack of restrictions on the frequency of database queries – the number of queries conducted for normal operations would have been much smaller.
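The control the GAO found missing can be sketched as a per-account baseline check over database audit records. The following is an added example, not taken from the GAO report or from Equifax; the log format, account names and thresholds are assumptions constructed for illustration. It flags an account whose query rate exceeds its baseline or that reaches more databases than its function requires.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; derive real ones from each account's normal workload.
WINDOW = timedelta(minutes=10)
MAX_QUERIES = 5      # queries per account per window
MAX_DATABASES = 2    # distinct databases per account per window

def parse(line):
    """Parse a constructed audit line: '<ISO time> acct=<name> db=<name>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["acct"], kv["db"]

def detect(lines):
    """Return (time, account, reason) alerts for a time-ordered audit log."""
    recent = defaultdict(deque)  # account -> (time, db) pairs inside WINDOW
    reported = set()             # (account, reason) pairs already alerted
    alerts = []
    for line in lines:
        ts, acct, db = parse(line)
        window = recent[acct]
        window.append((ts, db))
        while ts - window[0][0] > WINDOW:   # drop entries older than WINDOW
            window.popleft()
        reasons = []
        if len(window) > MAX_QUERIES:
            reasons.append("query rate above baseline")
        if len({d for _, d in window}) > MAX_DATABASES:
            reasons.append("more databases than the account needs")
        for reason in reasons:
            if (acct, reason) not in reported:
                reported.add((acct, reason))
                alerts.append((ts.isoformat(), acct, reason))
    return alerts

# Constructed sample: routine activity, then a burst across four databases.
SAMPLE_LOG = sorted(
    ["2024-01-01T09:00:00 acct=portal_app db=disputes",
     "2024-01-01T09:10:00 acct=batch_report db=reports",
     "2024-01-01T09:40:00 acct=portal_app db=disputes",
     "2024-01-01T09:50:00 acct=batch_report db=reports"]
    + [f"2024-01-01T10:00:{i:02d} acct=portal_app db=db{i % 4}" for i in range(8)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the database-spread check fires before the rate check, which is why both signals are worth tracking per account.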

The report notes that the IRS, SSA and USPS, which conducted their own investigations into the incident, made some modifications to their contracts with Equifax – they changed notification requirements for future breaches – and the IRS even terminated one of its contracts.

However, following the GAO report, many rushed to point out that no real actions were taken against Equifax.

The Consumers Union, the advocacy division of Consumer Reports, noted that not much has changed since the incident became public.

“Americans remain largely in the dark about the practices of the credit reporting industry—and, more generally, largely unable to control the use of their personal information,” the organization said. “Equifax itself has suffered minimal consequences and continues to do business more or less as before. And the legal and regulatory system governing the credit reporting industry and data security more broadly remains inadequate, despite some recent progress.”

Senator Elizabeth Warren, one of the officials who commissioned the GAO report and who a few months ago published a report of her own, commented, “One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information – and the Trump Administration and Republican-controlled Congress have done nothing.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
