The Washington PostDemocracy Dies in Darkness

The three big questions Equifax hasn’t answered

The credit reporting agency, Equifax, announced on Sept. 7 that a hack has impacted the credit histories of up to 143 million Americans. (Video: Amber Ferguson/The Washington Post)

As pressure builds on Equifax to explain how criminals hacked into a massive trove of data on 143 million Americans, the list of unanswered questions is long. But most boil down to three big ones:

No. 1: What measures did Equifax take to protect personal information?

No. 2: What measures should Equifax have taken to protect personal information?

No. 3: What’s the gap between the answers to Questions 1 and 2?

The credit-rating agency has been so stinting about information on its hack — even after keeping the episode secret from the public for six unexplained weeks after detecting the intrusion — that there’s no way to evaluate 1, 2 or especially 3 yet.

But notably absent from the public statements by Equifax have been key terms such as “encryption” or “system monitoring” or “penetration testing.” All are staples of modern online security widely adopted across corporate America and especially within the financial services industry, given the high degree of sensitivity about the information it keeps on us all.

Equifax has not responded to repeated Washington Post requests about the nature of its security measures and whether any of its data was kept in encrypted form. The scant information that has trickled out has outside security experts concerned about the scale of the hack and the sensitivity of the data exposed, including Social Security numbers, birth dates, home addresses, driver’s-license information — a virtual starter kit for identity theft.

A breach of “143 million records either suggests a very patient, sophisticated hacker or an incredibly weak security system,” said Matthew Green, a Johns Hopkins University cryptographer and security expert.

The uncommonly stern and detailed letter sent Monday by Sens. Orrin G. Hatch (R-Utah) and Ron Wyden (D-Ore.) — the chairman of the Senate Finance Committee and its ranking Democrat — drove at exactly these issues, warning about the hack’s potential to create massive costs to consumers targeted by identity thieves and “irreparable harm” to government programs that might be inundated with fraudulent requests for refunds or benefits.

“Encrypting this data is obviously an essential first step, but it’s not a silver bullet,” Wyden said in a statement to The Post. “Companies that hold Americans’ most sensitive personal data have to make security the top priority at every single stage. That means having the staff and resources to protect our personal information, and regularly conducting security audits, patching software and quickly fixing flaws discovered by outside experts.”

The White House appears to be on a similar track. President Trump’s homeland security and counterterrorism adviser, Thomas Bossert, summoned the chief executives of nation’s two other leading credit agencies, Experian and TransUnion, on Monday to discuss whether their systems are hardened against an attack similar to the one that struck Equifax, according to people familiar with the meeting who spoke on the condition of anonymity to discuss the private talks. (Neither company replied to requests for comment from The Post on Tuesday morning.)

There also are committee hearings and investigations brewing on Capitol Hill, as well as several class-action suits filed on behalf of the hack’s victims. Taken together, the political and legal action related to this breach has clouded the future of Equifax, an Atlanta-based company that collects and analyzes the data of 820 million consumers and 91 million businesses in 24 countries.

The company has seen its stock fall about 20 percent since announcing the breach Thursday. It discovered the intrusion, which the company believes started in May, on July 29 — a delay that also has upset some lawmakers who have long pushed for more prompt and fulsome reporting about hacks.

“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” Equifax said in a statement provided Tuesday. “Senators Hatch and Wyden raise many topics in their letter on behalf of the U.S. Senate Finance Committee, and we plan to be responsive in helping them to gather the information the Committee needs about this situation.”

The massive breach by the Chinese government of the Office of Personnel Management databases should have served as a wake-up call about the security risks of sensitive personal information, said Anthony J. Ferrante, head of cybersecurity and senior managing director for FTI Consulting and a former White House cybersecurity official in the Obama and Trump administrations.

“The OPM breach should have taught us a very valuable lesson — that if entities are going to store this type of sensitive personal data, they have to take the necessary steps to protect it,” Ferrante said.

What’s also troubling, he added, is that “people really don’t get to choose to give Equifax their data. It’s impossible to stay away from this as an industry service unless you plan to live off the grid.”

Outside security experts trying to understand the breach have focused on Equifax’s statements that the hackers gained access to data through a “website application vulnerability” but that “core” credit-reporting databases were not breached. If those statements prove to be true, that suggests a serious intrusion but one that stops short of a total compromise of the company’s computer systems, experts say.

A more limited breach could be managed by hackers defeating the security on an Equifax online portal — perhaps one placed on another company’s website — and using this access to gradually siphon off sensitive records, one by one or in small batches.

Encrypting the data as it sat on the company’s servers would not be sufficient to defeat such an attack, experts say. Such systems are built to rapidly decrypt data so that it can be used for routine business purposes such as providing credit reports. This resembles the encryption that’s increasingly common on personal computers or smartphones; it’s great at keeping data from getting stolen wholesale, but hackers with access to your device — and with the credentials to operate it — could gradually request all the data on your drive one file at a time and gradually send it back to themselves over an Internet connection.

“Everything is going to be hacked eventually. That’s just the way it goes,” said Russell Vines, a cybersecurity expert at Consumers Union. “So everyone has to make provisions for what happens after.”

Aside from encrypting the data itself, the most advanced security systems have means for detecting unusual behavior within the system. Gaining access to 143 million records — even if it happened over months — should have been the kind of event that an advanced monitoring system is built to detect, several experts said.

“Designing and implementing an application to be secure is what the field of software security is all about,” said Gary McGraw, vice president for security technology at Synopsys. “Sadly, it is extremely clear in this case what happens when software security fails.”

There is one problem revealed by the Equifax hack that is surely not the company’s fault. The American financial system’s reliance on Social Security numbers and other fixed data is hardly a state-of-the-art method for verifying the identity of people applying for loans, jobs, security clearances, tax refunds or government benefits.

As many victims of identity theft have discovered, it can be maddeningly difficult to regain control of sensitive data once it’s loose on the Internet — something that more and more Americans are going to be experiencing for themselves in the months and years ahead.

“This is like the match for a financial infrastructure that was already soaked in kerosene,” said Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation, a civil liberties group.

Ellen Nakashima contributed to this report