Saturday, September 08, 2018

I wish the GAO would do this more often. Makes an interesting case for my Computer Security class.
US government releases post-mortem report on Equifax hack
The Government Accountability Office (GAO) has published a report to detail how the Equifax hack went down and how the credit reporting company answered during and after the incident.
The report comes a day before the one-year anniversary of the public announcement of the Equifax breach that exposed the personal details of 145.5 million Americans, but also of millions of British and Canadian citizens.
… Equifax IT administrators circulate this advisory on an internal mailing list. Unbeknownst to its IT administrators, the mailing list was out-of-date and did not include all its systems administrators, indirectly leading to an incomplete patch of Equifax's servers.
… A week after the US-CERT advisory, Equifax staff scans its own systems for the presence of the Struts vulnerability, but the dispute portal does not show up as vulnerable.
… During this second intrusion, Equifax says attackers issued queries from the online dispute portal systems to other databases in search of personal data.
"This search led to a data repository containing PII, as well as unencrypted usernames and passwords that could provide the attackers access to several other Equifax databases," the report says.
This data helped attackers to expand their initial access from three databases to 48. Logs showed attackers then ran approximately 9,000 queries to gather Equifax customer info.
The GAO report says this happened because Equifax failed to segment its databases into smaller networks. This, in turn, allowed the attacker direct and easy access to all of its customers' data.
… Equifax said that the reason hackers were not detected for 76 days was because a device meant to inspect network traffic had been misconfigured and didn't check encrypted traffic for signs of malicious activity.




Interesting. A Russian in Georgia.
Russian national extradited to US for alleged hacking campaign against financial institutions
A Russian man accused of launching a major hacking campaign against U.S. financial institutions was extradited to the United States on Monday, the U.S. Attorney’s Office for the Southern District of New York announced Friday.
Andrei Tyurin was extradited from the country of Georgia and arrived in the U.S. on Friday.
… “Tyurin’s alleged hacking activities were so prolific, they lay claim to the largest theft of U.S. customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims,” U.S. Attorney for Manhattan Geoffrey Berman said in a statement.

