Money & Investing Learn how to get rich on the housing bubble and the bull market…

Game over for your credit

Old 09-27-2017, 11:16 PM
  #81  
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
Originally Posted by stogie1020
Give me an app that flips a switch for all three bureaus so when I am sitting in the finance office at a car dealership and they want to run my credit, I can say "hang on," flip the switch, let them pull credit and then flip it off again. No cell phone? Call an 800 number with an automated system, provide several authenticating factors and enable/disable at will.

If I can enroll in credit MONITORING in under 60 seconds on a web site, there is no reasonable explanation as to why I should not be able to enable and disable access to my credit profile via a web page in 60 seconds or less.
Getting what you want.

Now let's see Transunion and Experian do the same and offer a "reliable, safe and simple" way to "easily lock and unlock access" to our credit files. And offer the service free, for life.

https://www.wsj.com/articles/on-beha...rry-1506547253

On Behalf of Equifax, I’m Sorry

A new free service will let consumers lock or unlock access to their credit data any time they like.

By Paulino do Rego Barros Jr
Sept. 27, 2017 5:20 p.m. ET

On behalf of Equifax, I want to express my sincere and total apology to every consumer affected by our recent data breach. People across the country and around the world, including our friends and family members, put their trust in our company. We didn’t live up to expectations.

We were hacked. That’s the simple fact. But we compounded the problem with insufficient support for consumers. Our website did not function as it should have, and our call center couldn’t manage the volume of calls we received. Answers to key consumer questions were too often delayed, incomplete or both. We know it’s our job to earn back your trust.

We will act quickly and forcefully to correct our mistakes, while simultaneously developing a new approach to protecting consumer data. In the near term, our responsibility is to provide timely, reassuring support to every affected consumer. Our longer-term plan is to give consumers the power to protect and control access to their personal credit data.

I was appointed Equifax’s interim chief executive officer on Tuesday. I won’t pretend to have figured out all the answers in two days. But I have been listening carefully to consumers and critics. I have heard the frustration and fear. I know we have to do a better job of helping you.

Although we have made mistakes, we have successfully managed a tremendous volume of calls and clicks. And we’re getting better each day. But it’s not enough. I’ve told our team we have to do whatever it takes to upgrade the website and improve the call centers.

We have started work on our website, and I see significant signs of progress. I won’t accept anything less than a superior process for consumers. We will make this site right or we will build another one from scratch. You have my word.

The same goes for the call centers. There is no excuse for delayed calls or agents who can’t answer key questions. We will add agents and expand training until calls are answered promptly and knowledgeably. I will personally review a daily report on their operations.

We will also extend the services we are offering consumers. We have heard your concern that the window to sign up for free credit freezes with Equifax is too brief, so we are extending the deadline to the end of January. Likewise, we are extending the sign-up period for TrustedID Premier, the complimentary package we are offering all U.S. consumers, through the end of January.

We hope these immediate actions will go a long way toward addressing the concerns we are hearing from consumers. We know they won’t solve the larger problem. We have to see this breach as a turning point — not just for Equifax, but for everyone interested in protecting personal data. Consumers need the power to control access to personal data.

Critics will say we are late to the party. But we have been studying and developing a potential solution for some time, as have others. Now it is time to act.

So here is our commitment: By Jan. 31, Equifax will offer a new service allowing all consumers the option of controlling access to their personal credit data. The service we are developing will let consumers easily lock and unlock access to their Equifax credit files. You will be able to do this at will. It will be reliable, safe and simple. Most significantly, the service will be offered free, for life.

With the extension of the complimentary TrustedID package and free credit freezes into the new year, combined with the introduction of this new service by the end of January, we will be able to offer consumers both short- and long-term support for their personal data security.

There is no magic cure for data breaches. As we all know, every organization is at risk. When consumers have access to our new service, however, the cybercrime business will become a lot more difficult, and we are committed to doing what we can to help millions of consumers rest easier.

Mr. Rego Barros is interim CEO of Equifax.

I still want to see them go out of business though.

Last edited by AZuser; 09-27-2017 at 11:19 PM.
Old 09-28-2017, 06:06 PM
  #82  
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
Originally Posted by justnspace
Sonic Drive-in Breach. Millions of credit and debit cards at risk.
Data breaches are just going to become more and more common. We better get used to it.

https://www.wsj.com/articles/whole-f...ach-1506636659

Whole Foods Discloses Data Breach

Company said taproom and full-service restaurant customers, not grocery shoppers, were affected

Sept. 28, 2017

In the latest data breach involving consumer data, Whole Foods Market said card-payment information of customers who drank and dined in its taprooms and full-service restaurants has been hacked.

The grocery-store chain, now part of Amazon.com Inc., said its restaurants and taprooms use a separate checkout system and information of its grocery shoppers weren’t affected. Amazon transactions were also not accessed in the breach, Whole Foods said in a statement on its website.

The company said it has hired a cybersecurity firm to help it investigate the hack and contacted law enforcement.

“While most Whole Foods Market stores do not have these taprooms and restaurants, Whole Foods Market encourages its customers to closely monitor their payment card statements and report any unauthorized charges to the issuing bank,” the company said.

A Whole Foods spokeswoman declined to comment beyond what it stated in the release.

The sit-down restaurants and wine bars are focused in the company’s urban locations.

Whole Foods’s announcement comes after fast-food chain Sonic Corp. said earlier this week its credit-card processor notified the company about a possible hack of customer-payment data.

Also earlier this month, Charter Communications Inc.’s Time Warner Cable acknowledged that personal records of millions of subscribers were left unprotected on a server.
Old 09-28-2017, 06:32 PM
  #83  
Senior Moderator
 
thoiboi's Avatar
 
Join Date: Apr 2010
Location: SoCal, CA
Posts: 46,909
Received 8,592 Likes on 6,636 Posts
Damnit...
Old 10-02-2017, 08:57 PM
  #84  
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
https://www.nytimes.com/2017/10/02/b...ax-breach.html

2.5 Million More People Potentially Exposed in Equifax Breach

OCT. 2, 2017

Millions more people were affected by Equifax’s data breach than the credit bureau initially estimated, Equifax said on Monday.

The company increased its estimate on the number of Americans whose personal information was potentially exposed to 145.5 million, some 2.5 million more than it had previously disclosed.

The additional accounts were found during a forensic review by Mandiant, a cybersecurity firm hired by Equifax to investigate the attack, according to a company statement.

Equifax has been reeling since its announcement last month that hackers exploited a vulnerability in its website software to access its systems and extract sensitive personal information of millions of consumers. The material that was stolen included names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

Paulino do Rego Barros Jr., a longtime Equifax executive who was promoted after Mr. Smith’s departure to serve as the company’s interim chief executive, said that he was advised on Sunday that Mandiant had completed the forensic phase of its investigation and found the additional accounts that were potentially at risk.

Equifax said it would mail written notices to the 2.5 million newly identified people.

Mandiant’s review found no evidence that the thieves gained access to databases outside the United States, Equifax said. But 8,000 Canadian consumers were affected, and an investigation into whether the data of some British consumers was exposed remains in progress, the company said.

https://www.cnbc.com/2017/10/02/equi...mony-says.html

Equifax's then-CEO waited three weeks to inform board of massive data breach, testimony says

Oct. 2, 2017

Equifax's former chief executive waited nearly three weeks to tell the company's board of directors about the now infamous data breach, as a group of company and outside security experts scrambled to figure out what had happened, according to written testimony prepared for his visit to Capitol Hill on Tuesday.

Richard Smith, Equifax's former CEO who abruptly retired last week, learned about the hack on July 31 and hired outside legal and investigative experts and contacted federal law enforcement the same week. But he didn't inform the company's board for another 20 days.

In the meantime, King & Spalding, a law firm, and Mandiant, a cybersecurity forensic consulting firm, investigated what happened. Mandiant and Equifax worked "literally around the clock" to identify and understand unauthorized activity on its network and the scale of the hack, including whether personal information was taken.

The company also contacted the FBI on Aug. 2, he says, and the agency has an ongoing investigation.

Smith's prepared remarks were released Monday in advance of his appearance before the House Energy and Commerce Committee on Tuesday. He's also scheduled to testify before the Senate Banking and the Senate Judiciary committees on Wednesday and the House Financial Services Committee on Thursday.

According to the testimony, on Aug. 15, Smith learned that consumer personal information had been taken in the hack, and he requested a detailed briefing. Two days later, Smith had a "senior leadership team meeting to receive the detailed briefing on the investigation." The testimony doesn't say who attended that meeting.

Smith says he notified the board's lead independent director, Mark Feidler, and executives who run Equifax's business units about the breach on Aug. 22.

The full board was told of the breach and the investigation of it on Aug. 24 and 25, according to the testimony. They began developing a plan to help affected consumers.

Smith convened a Sept. 1 board meeting to discuss the size of the breach, the ongoing investigation, and the company's public disclosure and response.

The timeline in Tuesday's testimony doesn't specifically say who inside the company other than Smith and the security team knew about the breach before he says he told management and the board. But among the swirl of state and federal investigations that have opened since the breach was disclosed to the public on Sept. 7 are stock sales by three company insiders — the chief financial officer and two business heads — in early August.

Unusual trading activity in Equifax options on Aug. 21, now known to be one day before Smith says he told the lead director, also has drawn scrutiny.
Old 10-03-2017, 05:07 PM
  #85  
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts



https://www.wsj.com/articles/yahoo-t...ion-1507062804

Yahoo Triples Estimate of Breached Accounts to 3 Billion

Company disclosed late last year that 2013 hack exposed private information of over 1 billion users

Oct. 3, 2017

A massive data breach at Yahoo in 2013 was far more extensive than previously disclosed, affecting all of its 3 billion user accounts, new parent company Verizon Communications Inc. said on Tuesday.

The figure, which Verizon said was based on new information, is three times the 1 billion accounts Yahoo said were affected when it first disclosed the breach in December 2016. The new disclosure, four months after Verizon completed its acquisition of Yahoo, shows that executives are still coming to grips with the extent of the security problem in what was already the largest hacking incident in history by number of users.

A spokesman for Oath, the new name of Verizon’s Yahoo unit, said the company determined last week that the break-in was much worse than thought, after it received new information from outside the company. He declined to elaborate on the source of that information. Compromised customer information included usernames, passwords, and in some cases telephone numbers and dates of birth, the spokesman said.

The disclosure is the latest chapter in a long-running saga that tattered the reputation of a former Silicon Valley icon and continues to spawn problems for its new owner. It began in September 2016, two months after Verizon agreed to acquire the fallen internet pioneer, with Yahoo first disclosing a separate attack that took place in 2014 and affected 500 million accounts. Yahoo later revealed the larger 2013 incident.

Several other major cyberattacks have focused attention on the vulnerability of big companies that possess enormous amounts of vital personal information about their customers.

The number of individuals affected by the 2013 attack is smaller than 3 billion, because some people have multiple accounts across Yahoo’s sites, including email, fantasy sports, Tumblr and Flickr, the spokesman said. He said Oath will immediately begin notifying the users who own the additional roughly 2 billion accounts. That is expected to take several days and occur via email, the spokesman said.

Victims won’t need to take any additional action, however, because Yahoo already forced all account holders to reset their passwords after the initial December 2016 disclosure.

In an emailed statement, Verizon’s chief information security officer, Chandra McMahon, said the company is “committed to the highest standards of accountability and transparency” and that Yahoo’s cybersecurity team was benefiting from Verizon’s “experience and resources.”

The breaches have been costly for Yahoo. Verizon agreed to buy it in mid-2016 for $4.83 billion, but the deal was delayed after Yahoo’s disclosure of the two large hacks, plus a third incident in which hackers forged digital files, called cookies, that could have been used to access 32 million user accounts.

Verizon knocked $350 million off the deal price as a result of those breaches, ultimately paying $4.48 billion. The deal closed in June 2017, and Verizon gave up its right to sue the entity that sold Yahoo, now called Altaba Inc., over any allegations that it had covered up the hacks. Yahoo now operates alongside AOL in Verizon’s Oath subsidiary, which is seeking to build a digital media and advertising business.

In addition, Yahoo’s former Chief Executive, Marissa Mayer, gave up her 2016 cash bonus following the incident and the company’s top lawyer, Ronald Bell, resigned after a board review found problems with the company’s handling of this and the other breaches.

About 43 consumer class-action lawsuits have been filed against the company relating to these security incidents, Yahoo said in a May filing with the SEC. The SEC itself has opened an investigation into whether Yahoo should have reported the two incidents sooner to investors.

The Oath spokesman said the new disclosure won’t affect the terms of Verizon’s acquisition, in which it agreed to evenly split with Altaba costs and liabilities related to any lawsuits from consumers or partners about the breaches. Altaba retains liability for the SEC investigation and any shareholder lawsuits.
Old 10-03-2017, 05:14 PM
  #86  
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
https://www.wsj.com/articles/lawmake...ack-1507051747

Lawmakers Slam Equifax Ex-CEO Over Hack

Company executives say they weren’t aware of the significance of the data breach, initially

Oct. 3, 2017

Former Equifax Inc. chief Richard Smith repeatedly told legislators Tuesday that he and other executives weren’t aware of the significance of the company’s data breach until weeks after it was detected in late July.

Those assertions failed to mollify members of Congress who slammed Mr. Smith and Equifax for allowing the hack to happen, failing to immediately realize its significance and the handling of the problem after disclosing it publicly.

Lawmakers also raised questions about the current structure of credit-reporting companies, whether they need more regulation and the amount of consumer information that they gather.

Mr. Smith, testifying before a subcommittee of the House Committee on Energy and Commerce, said the company initially knew there was an incident involving “suspicious activity,” but not that millions of Americans’ personal information had been compromised.

“It is unconscionable that Equifax failed so spectacularly to protect people’s most sensitive personal data,” said Rep. Ben Ray Luján (D., N.M.), who questioned what the company was doing to prevent another attack and how it would compensate affected consumers.

Breach Timeline

March 8: Researchers report security flaw in software that powers part of Equifax's website.

May 13: Hackers leverage the unpatched flaw to break into Equifax's systems.

July 29-30: Equifax detects "suspicious network traffic" and takes steps to end the hack.

July 31: Equifax CEO Richard Smith is first told of the hack, though its seriousness isn't then known.

Aug. 2: Company brings in outside cyber investigators.

Aug. 17: Smith learns large amounts of personal data have been compromised in the hack.

Aug. 22: Other top Equifax executives and the company's lead independent director are told of the hack.

Aug. 24-25: The company's full board of directors is notified.

Sept. 7: Equifax announces breach potentially affecting about 143 million consumers.

Sept. 26: Equifax says Smith is stepping down as CEO.

Oct. 2: In prepared congressional testimony, Smith says "human error and technology failures" led to the hack. Company increases estimate of consumers affected to 145.5 million.

The grilling of Mr. Smith, who stepped aside last week as the company’s chairman and chief executive, kicked off a series of congressional hearings this week set to examine the company’s hack.

Under questioning by committee members, Mr. Smith provided more details about how the stage was set for the breach, which has affected potentially 145.5 million Americans. After the company received a public notice of a security vulnerability, an employee failed to notify other staff to patch the software issue, Mr. Smith said. He didn’t name the employee.

Mr. Smith told legislators the error was compounded by a scanning system that failed to pick up the vulnerability. Subsequent investigations found this vulnerability allowed hackers to enter Equifax’s systems.

“It’s like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults,” said Rep. Greg Walden, (R., Ore.), the chairman of the full Energy and Commerce Committee. He called Equifax’s response to consumers “ham-handed.”

Mr. Smith said the reason the scanning system failed to pick up on the vulnerability is still under investigation.

The former CEO faced questions about when he was notified of the breach and what exactly he knew about it. Equifax said its security team noticed suspicious activity on July 29. Mr. Smith said he was informed two days later, on July 31, by his then-chief information officer.

Mr. Smith said a “suspicious movement of data” had occurred in a dispute portal, which is where consumers go to contest information on their credit reports.

Lawmakers pressed Mr. Smith on what the company’s chief legal officer, John J. Kelley, knew regarding the incident at the end of July. Mr. Smith said Mr. Kelley was also informed July 31 of suspicious activity.

Lawmakers also asked about three senior executives who sold shares on Aug. 1 and 2. Mr. Smith confirmed that Mr. Kelley would have been required to sign off on such sales.

Earlier this week, The Wall Street Journal reported that Equifax’s board is reviewing Mr. Kelley’s actions in regard to the share sales. Rep. Tony Cárdenas (D., Calif.) said he would like to request a hearing with Mr. Kelley.

The company has said those three executives who sold shares weren’t aware of a breach at the time. Mr. Smith said all three executives are “honorable men, men of integrity” and that they followed proper procedures in selling the shares. All three are still at Equifax.

The Equifax hackers haven’t been identified, and Mr. Smith wouldn’t say whether he thought the cyberattack was state-sponsored. He said only that the company has “engaged the FBI.”

Mr. Smith said Equifax has spent $250 million over the past three years on beefing up its data security. From when he became CEO in 2005, when the company had virtually no focus on cybersecurity, Equifax now has a team of 225 professionals around the world, Mr. Smith said.

Lawmakers were broadly critical of the credit-reporting industry, which is headed by three major companies: Equifax, Experian PLC and TransUnion. The industry is underregulated and collects detailed information on Americans who don’t have a choice in the matter, Rep. Jan Schakowsky (D., Ill.) said.

“We can’t trust credit-reporting (companies) to self-regulate,” she said.

Equifax has offered free services to help protect consumers from identity theft. But Rep. Luján jousted with Mr. Smith over what the company could do to compensate consumers who might be harmed because of the Equifax breach. For example, Mr. Luján asked if Equifax would compensate consumers whose identity was stolen.

“It’s hard for me to tell if someone has been harmed,” Mr. Smith replied, “so I can’t answer the question.”

One of the biggest concerns expressed by committee members was the notion that consumers now face a continuing threat because of the theft of Social Security numbers. Those in theory could be used to steal consumers’ identities at any time from now on. “This is forever, right?” asked Rep. Jerry McNerney (D., Calif.).

Last edited by AZuser; 10-03-2017 at 05:17 PM.
Old 10-03-2017, 11:36 PM
  #87  
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
The Social Security number hasn't outlived its usefulness. The problem is that it's being used as a form of identification and authentication when it wasn't designed to be.

All SS #s need to be cancelled and everyone issued a new alphanumeric one, not one using a simple numbering scheme.

https://www.wsj.com/articles/end-of-...-so-1507069469

End of the Social Security Number? A White House Official Thinks So

One possibility is using cryptographic keys, or a combination of long random numbers

Oct. 3, 2017

WASHINGTON—The administration of President Donald Trump is exploring ways to replace the Social Security number with a safer system based on modern technology in the wake of the Equifax Inc. hack, the White House cybersecurity czar said Tuesday.

Rob Joyce, the White House’s cybersecurity coordinator, said one possibility is using cryptographic keys, or a combination of long random numbers, to unlock personal data. The merit of such numbers is that they could be revoked once they are found to be compromised, he said.

“I feel very strongly that the Social Security number has outlived its usefulness,” Mr. Joyce said at a cybersecurity conference hosted by the Washington Post. “It’s a flawed system. If you think about it, every time we use the Social Security number, we put it at risk.” He described the current system as “untenable,” noting that his own Social Security number has been compromised at least four times.

“We’ve got a modern digital age. We’ve got to find a way to use that modern cryptographic identifier to help us drive down that risk,” Mr. Joyce said, adding he has asked various departments and federal agencies to submit ideas. He didn’t provide a schedule for further policy steps.

The White House official spoke Tuesday morning just as members of Congress grilled former Equifax Chief Executive Richard Smith at a House panel hearing, asking questions about how the data breach occurred and how to address cybersecurity risks involving credit-rating firms. The hack exposed the personal data of 145.5 million Americans, including people’s Social Security numbers and dates of birth—data that can’t be changed even if it has been compromised.

Mr. Smith told lawmakers the hack might provide the basis for a discussion on whether to replace Social Security numbers. “How secure is a Social Security number? Is that the best identifier?” Mr. Smith asked at the hearing.

Some Democratic lawmakers are calling for new regulations for the credit-rating industry, including shifting the control of personal data to individuals by allowing them to opt into or opt out of the credit bureaus’ systems. Such moves would drastically change the business model for Equifax and its rivals Experian PLC and TransUnion.
Old 10-03-2017, 11:56 PM
  #88  
Dan
Safety Car
 
Dan's Avatar
 
Join Date: Jan 2001
Location: West Covina, CA
Age: 73
Posts: 3,973
Received 220 Likes on 127 Posts
"including shifting the control of personal data to individuals by allowing them to opt into or opt out of the credit bureaus’ systems. "

This!
Old 10-04-2017, 09:56 AM
  #89  
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
Whisky
Tango
Foxtrot

"Only company deemed capable of providing the service"?

IRS awards multimillion-dollar fraud-prevention contract to Equifax - POLITICO

IRS awards multimillion-dollar fraud-prevention contract to Equifax

The no-bid contract was issued last week, as the company continued facing fallout from its massive security breach.

10/03/2017

The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.

A contract award for Equifax's data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will "verify taxpayer identity" and "assist in ongoing identity verification and validations" at the IRS, according to the award.

The notice describes the contract as a "sole source order," meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.

Lawmakers on both sides of the aisle blasted the IRS decision.

"In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed," Senate Finance Chairman Orrin Hatch (R-Utah) told POLITICO in a statement.

The committee's ranking member, Sen. Ron Wyden (D-Ore.), piled on: "The Finance Committee will be looking into why Equifax was the only company to apply for and be rewarded with this. I will continue to take every measure possible to prevent taxpayer data from being compromised as this arrangement moves forward.”

The IRS defended its decision in a statement, saying that Equifax told the agency that none of its data was involved in the breach and that Equifax already provides similar services to the IRS under a previous contract.

"Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems," the statement reads. "At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation."

Equifax did not respond to requests for comment.

Equifax disclosed a cybersecurity breach in September that potentially compromised the personal information, including Social Security numbers, of more than 145 million Americans — data that security experts have described as the crown jewels for identity thieves. The company is one of three major credit reporting bureaus whose data determine whether consumers qualify for mortgages, auto loans, credit cards and other financial commitments.

Reps. Suzan DelBene (D-Wash.) and Earl Blumenauer (D-Ore.) separately penned letters to IRS Commissioner John Koskinen demanding he explain the agency's rationale for awarding the contract to Equifax and provide information on any alternatives the agency considered.

"I was initially under the impression that my staff was sharing a copy of the Onion, until I realized this story was, in fact, true," Blumenauer wrote.

The IRS, which has suffered its own embarrassing data breaches as well as a tidal wave of tax-identity fraud, has taken steps to improve its outdated information technology with the help of $106.4 million that Congress earmarked for cybersecurity upgrades and identity theft prevention efforts.

Hatch questioned the agency's security systems in a letter to Koskinen last month. Hatch said he was concerned that the IRS lacked the technology necessary "to safeguard the integrity of our tax administration system."
Old 10-04-2017, 09:57 AM
  #90  
Senior Moderator
 
thoiboi's Avatar
 
Join Date: Apr 2010
Location: SoCal, CA
Posts: 46,909
Received 8,592 Likes on 6,636 Posts
dafuq...
Old 10-06-2017, 12:19 PM
  #91  
Safety Car
 
brian2's Avatar
 
Join Date: Oct 2002
Location: NJ
Posts: 3,963
Received 811 Likes on 532 Posts
someone dressed up as the monopoly guy for the equifax hearing

Old 10-06-2017, 12:49 PM
  #92  
Senior Moderator
 
thoiboi's Avatar
 
Join Date: Apr 2010
Location: SoCal, CA
Posts: 46,909
Received 8,592 Likes on 6,636 Posts
Old 10-12-2017, 07:38 PM
  #93  
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
Equifax again.

https://www.wsj.com/articles/equifax...ing-1507831144

Equifax Removes Webpage to Investigate Possible Hacking

Oct. 12, 2017 6:40 p.m. ET

Equifax Inc. said Thursday that its website was used to serve “malicious content” to consumers.

The issue was due to code created by an unnamed vendor that Equifax was using to collect performance data on the company’s website.

Equifax, already under scrutiny for its security practices, moved one of its webpages offline “to conduct further analysis” amid reports of a possible hack on Thursday. It has removed the vendor’s code from its webpage.

This latest cyber issue emerged five weeks after Equifax disclosed a massive hack that compromised vital personal information for potentially 145.5 million Americans.

Following that, the company’s chief executive, as well as its chief information and security officers, retired.

The malicious content was discovered earlier this week by security researcher Randy Abrams as he tried to examine his own credit report on the Equifax website.

The problem was that Equifax’s site was delivering fraudulent Adobe Flash updates to some visitors who tried to obtain free credit reports. The updates, while appearing to be a new version of Adobe Systems Inc.’s widely used software, were fake, said Mr. Abrams.

If installed, the updates would likely install malicious “adware” on the user’s computer, he said. “They just want to hijack your browser and redirect it to disreputable sites,” Mr. Abrams said of the adware creators.

Mr. Abrams noted the problem in a blog post and this was later reported on by website Ars Technica. Mr. Abrams later surmised that the problem likely stemmed from a third-party analytics website used on the Equifax website. Equifax confirmed this on Thursday.

The link Equifax has taken down is on one of its pages that allows certain consumers, including those who have received notice that they have been denied for credit, to get a free or discounted credit report
Old 03-01-2018, 08:14 PM
  #94  
_
 
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
https://www.wsj.com/articles/equifax...ach-1519918282

Equifax Identifies Additional 2.4 Million Affected by 2017 Breach

March 1, 2018

Equifax Inc. said more U.S. consumers were affected by its large data breach last year than originally disclosed.

The company on Thursday said that it identified about 2.4 million U.S. consumers whose names and partial driver’s license information were stolen. The company said the consumers affected “were not in the previously identified” population of cyberattack victims.

That brings the total number of U.S. consumers whose personal information was compromised by the breach to 147.9 million, up from 145.5 million previously.

This is the second revision to the numbers that the company has made since disclosing the breach in September. Equifax had initially said that about 143 million U.S. consumers had been affected.


The new information was disclosed as part of the Atlanta-based company’s continuing analysis into the data that was compromised in the attack. Equifax said its analysis into the impact of the breach continues.

The company also reported fourth-quarter earnings rose 40%, to $172 million, beating expectations due to a benefit from the new U.S. tax law and revenue growth in international markets. The U.S. division of Equifax that works closely with banks and other lenders reported a drop in year-over-year revenue, while overall operating expenses rose 8% as the company deals with security improvements and litigation costs.

More than five months after the company reported the breach, the extent to which it has affected consumers continues to expand. The Wall Street Journal reported last month that hackers accessed additional consumer information than the company publicly disclosed last year, including tax identification numbers, email addresses and driver’s license information beyond the license numbers it originally disclosed.

That information was disclosed in response to questions posed to the company by the Senate Banking Committee. In addition, in a response to a question from committee member Sen. Elizabeth Warren (D., Mass.), Equifax said its internal investigation of the breach was continuing.

Lawmakers have expressed frustration with what they described as a lack of clarity coming from the company. Reps. Greg Walden (R., Ore.) and Bob Latta (R., Ohio) said Thursday that Equifax has provided the House Energy and Commerce Committee with partial responses to its questions since former CEO Richard Smith appeared before the committee in October. They also cited “delay[s] in full disclosure.”
Old 03-14-2018, 09:28 AM
  #95  
_
 
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts


https://www.cnbc.com/2018/03/14/form...ta-breach.html

Former Equifax executive charged with insider trading ahead of data breach

A former Equifax executive faces insider trading charges by the Securities and Exchange Commission in connection with trades he made before the company announced a massive data breach last summer.

The SEC says Jun Ying, who was to become the company's next chief information officer, used confidential information to exercise his vested Equifax stock options and then sell the shares before the company publicly reported a breach that affected more than 145 million people.

Because of the trades, Ying was able to avoid $117,000 in losses, the SEC said Wednesday.

Ying is not one of the three Equifax executives who attracted attention for disclosing stock sales just days before the breach was made public.

This story is developing. Please check back for updates.
Old 03-14-2018, 10:48 AM
  #96  
Senior Moderator
iTrader: (2)
 
NSXNEXT's Avatar
 
Join Date: May 2000
Location: where the weather suits my clothes
Age: 55
Posts: 27,921
Received 1,080 Likes on 661 Posts
How are people that dumb? Did you not think one of the first things the SEC would do would be to look at trades in the days before the news broke, especially employees?

Old 03-14-2018, 10:55 AM
  #97  
Moderator
iTrader: (1)
 
justnspace's Avatar
 
Join Date: Feb 2010
Posts: 86,295
Received 16,260 Likes on 11,971 Posts
^that spelling error in the meme is pissing me off
Old 03-14-2018, 01:26 PM
  #98  
Senior Moderator
iTrader: (2)
 
NSXNEXT's Avatar
 
Join Date: May 2000
Location: where the weather suits my clothes
Age: 55
Posts: 27,921
Received 1,080 Likes on 661 Posts
Originally Posted by justnspace
^that spelling error in the meme is pissing me off
Let me "tighten" that up for you,

The following users liked this post:
justnspace (03-14-2018)
Old 03-14-2018, 01:43 PM
  #99  
Moderator
iTrader: (1)
 
justnspace's Avatar
 
Join Date: Feb 2010
Posts: 86,295
Received 16,260 Likes on 11,971 Posts


SEC also went after Elizabeth Holmes of Theranos...ponzi scheme
Old 02-13-2019, 08:38 PM
  #100  
_
 
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
https://www.cnbc.com/2019/02/13/equi...-the-data.html

The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme

Feb 13, 2019

On Sept. 7, 2017, the world heard an alarming announcement from credit ratings giant Equifax: In a brazen cyberattack, somebody had stolen sensitive personal information from more than 140 million people, nearly half the population of the U.S.

It was the consumer data security scandal of the decade. The information included Social Security numbers, driver's license numbers, information from credit disputes and other personal details. CEO Richard Smith stepped down under fire. Lawmakers changed credit freeze laws and instilled new regulatory oversight of credit ratings agencies.

Then, something unusual happened. The data disappeared. Completely.

CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen.

But none of them knows where the data is now. It's never appeared on any of the hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.

But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies.


One data hunter dives in

The missing Equifax data has been a 17-month-long obsession for Jeffrey, a cybersecurity analyst at one of the world's largest banks. To him, it represents a sort of professional Lost City of Atlantis or Holy Grail.

Jeffrey is not the analyst's real name. He asked to remain anonymous because he was not authorized to speak to the media. He also asked that his bank remain anonymous, because he's one of such a narrow pool of a specific type of employee that even the name of his bank could be used to identify him.

Jeffrey is a "hunter" on the bank's "hunt team," and his job is searching for data on the dark web or darknet — a set of web sites that can only be accessed with special software that protects the user's anonymity. The dark web can be used for many purposes, but most prominently serves as the internet's underground black market, where criminals buy, sell and trade credit card data, personal information and criminal services.

Jeffrey trolls the dark web for stolen personal data that looks like it might be brand new, especially if it looks like it might belong to customers of the bank or its rivals. He is often one of the first to know that another company has been breached, and his team is often among the first to inform the victims that their systems have been breached.

So Jeffrey was surprised when he learned about the Equifax breach at the same time as everybody else, when the company announced it to the world.

Stolen consumer information usually goes up for sale immediately after a company is hacked, he explains. Criminals aim for speed so they can sell the data before a company's tripwires ever detect it was stolen. The longer they wait, the more likely the victims and the institutions will make changes to render the data useless. This is especially true with credit card numbers, which can quickly be canceled once fraudulent charges start cropping up on them. Or when Social Security numbers — like those stolen in the Equifax breach — start getting flagged for fraud.

Equifax said it had first identified the attack in July, and it may have started even earlier than that. Jeffrey said he had occasionally seen data for sale from the credit reporting bureaus, other banks and organizations that deal in credit scores, like mortgage servicers. But he had never seen any data that looked like it had come from Equifax on any criminal forum.

"Of course I thought this data was stolen by criminals. Even if there's [a nation-state] behind it, this is really valuable stuff, and the criminals and nation-state stuff can be really mixed. Or, a nation-state would sell it just to save face. This level of data is worth a lot more than most," Jeffrey recalls thinking at the time.

Jeffrey had only recently started his career as a hunter, but he was sure he'd find something on Equifax. He hunted at work, and he hunted at home. He asked his friends. He bothered people he met online.


He made no progress.

Jeffrey was not alone.

"We have been working very closely with authorities — federal authorities, state authorities — as well as our partners and customers, and our own very advanced threat intelligence team," Jamil Farshchi, the chief information security officer of Equifax, told CNBC.

"We are all working to be able to consistently determine whether this data is out there and whether it has ever been out there. And at this time there has been absolutely no indication, whatsoever, that the data has been disclosed, that it has been used or that it has been offered for sale."

. . .
Apparently, Jeffrey and everyone involved (federal authorities, state authorities, Jamil Farshchi, et al.) all suck at their jobs because I was a victim (post # 57). In addition to that Goldman Sachs account, someone had tried to open an Uber Visa card under my name about a month or so afterwards.


. . . .


Two leading theories

As soon as the investigation started, in September 2017, stakeholders had lots of theories about who stole the data and why. Those theories eventually grouped into two sides.

Jeffrey, who formerly served in law enforcement, tends to see the world in shades of criminals versus cops. Like most other people with this kind of background, he believed the data was stolen by criminals and was not turning up for sale on the dark web because the hackers feared that the data was too hot, and that law enforcement would immediately catch them — like the thief who stole the Mona Lisa.

The other theory, favored by investigators with an intelligence background, focused on intelligence officers working for a foreign nation-state.

As several independent investigations wound down, the experts following the case came to a general consensus that split the middle. The breach probably started with a low-level criminal who exploited a vulnerability in Equifax's defenses but was not experienced or capable enough to do more damage by moving further throughout the company. This criminal then sought help via the criminal underground and shared or sold information about the vulnerability. The buyer was probably a proxy for the Russian or Chinese government.

That buyer used far more sophisticated tools and techniques to hack deeper into Equifax's databases and exfiltrate — an industry term for "steal" that implies moving huge amounts of data undetected — the now-infamous terabytes of consumer credit information.

One former senior intelligence official with direct knowledge of the Equifax investigation summarized the prevailing expert opinion on how the foreign intelligence agency is using the data. (This person asked to speak on the condition of anonymity because he isn't authorized in his current role to speak to media.)

First, he said, the foreign government is probably combining this information with other stolen data, then analyzing it using artificial intelligence or machine learning to figure out who's likely to be — or to become — a spy for the U.S. government. He pointed to other data breaches that focused on information that could be useful for identifying spies, such as a 2015 breach of the Office of Personnel Management, which processes the lengthy security clearance applications for U.S. government officials.

Second, credit reporting data provides compromising information that can be used to turn valuable people into agents of a foreign government, influencers or, for lower-level employees, data thieves or informants. In particular, the credit information can be used to identify people in key positions who have significant financial problems and could be compromised by bribes or high-paying jobs, the former official said. Financial distress is one of the most common reasons people commit espionage.

The Equifax data provides information that could identify people who aren't even in these positions of influence yet, he said, and could be valuable for years to come.

About that credit freeze

If this leading theory is right, the only people who needed to worry about the Equifax breach were people in sensitive government positions or with lots of access, influence and power: future senators, overseas CIA officers, people who oversee U.S. corporate data centers or senior financial executives of technology companies, for instance.

The fevered advertisements that urged consumers to check whether their data had been compromised and take numerous steps to freeze it and monitor it turn out to have been unnecessary for this breach — at least so far.

Still, Farshchi said credit freezes and monitoring services are still the best way to determine whether personal data has been stolen or your identity misused. Experts outside Equifax have long agreed.

As for Jeffrey, he said he and many of his contemporaries will continue hunting for the data, probably on their own time. About once a week, he says, he gets up early with a cup of coffee and sets his sights on his usual dark web haunts with Equifax in mind.

Knowing that an intelligence agency probably has the data, he said he's also reading the news more often. He looks for stories about bribery, graft, spies being caught or politicians suddenly spouting rhetoric in defense of hostile nations where they hadn't before.

"I think I'm going to be watching some news feed some day a decade from now and see that some politician is trying to do some crazy deal with some country we supposedly don't like," he wrote via secured text message. "And I'm really going to wonder: am I finally looking at the Equifax data after all this time?"
Or maybe I was targeted to be a U.S. spy.

Last edited by AZuser; 02-13-2019 at 08:40 PM.
Old 01-09-2023, 06:17 PM
  #101  
Registered but harmless
 
Will Y.'s Avatar
 
Join Date: Aug 2005
Location: Los Angeles, CA
Age: 59
Posts: 14,842
Received 1,102 Likes on 763 Posts
I just received a class action payment as a class member who already has credit monitoring: $5.21.