- Equifax’s data breach on Sept. 7, 2017, stunned markets and American consumers, but where the data of those 143 million people disappeared to has remained a mystery.
- CNBC talked to experts, intelligence officials, dark web data “hunters” and Equifax to discover where they expect the data has gone, and what it is being used for.
- The prevailing theory today is that the data was stolen by a nation-state for spying purposes, not by criminals looking to cash in on stolen identities.
On Sept. 7, 2017, the world heard an alarming announcement from credit ratings giant Equifax: In a brazen cyberattack, somebody had stolen sensitive personal information from more than 140 million people, nearly half the population of the U.S.
It was the consumer data security scandal of the decade. The information included Social Security numbers, driver’s license numbers, information from credit disputes and other personal details. CEO Richard Smith stepped down under fire. Lawmakers changed credit freeze laws and instituted new regulatory oversight of credit ratings agencies.
Then, something unusual happened. The data disappeared. Completely. CNBC talked to eight experts, including data “hunters” who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen.
But none of them knows where the data is now. It’s never appeared on any of the hundreds of underground websites selling stolen information. Security experts haven’t seen the data used in any of the ways they’d expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.
But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies.
One data hunter dives in
The missing Equifax data has been a 17-month-long obsession for Jeffrey, a cybersecurity analyst at one of the world’s largest banks. To him, it represents a sort of professional Lost City of Atlantis or Holy Grail.
Jeffrey is not the analyst’s real name. He asked to remain anonymous because he was not authorized to speak to the media. He also asked that his bank remain anonymous, because he’s one of such a narrow pool of a specific type of employee that even the name of his bank could be used to identify him.
Jeffrey is a “hunter” on the bank’s “hunt team,” and his job is searching for data on the dark web or darknet — a set of websites that can only be accessed with special software that protects the user’s anonymity. The dark web can be used for many purposes, but most prominently serves as the internet’s underground black market, where criminals buy, sell and trade credit card data, personal information and criminal services.
Jeffrey trolls the dark web for stolen personal data that looks like it might be brand new, especially if it looks like it might belong to customers of the bank or its rivals. He is often one of the first to know that another company has been breached, and his team is often among the first to inform the victims that their systems have been breached.
So Jeffrey was surprised when he learned about the Equifax breach at the same time as everybody else, when the company announced it to the world.
Stolen consumer information usually goes up for sale immediately after a company is hacked, he explains. Criminals aim for speed so they can sell the data before a company’s tripwires ever detect it was stolen. The longer they wait, the more likely the victims and the institutions will make changes to render the data useless. This is especially true with credit card numbers, which can quickly be canceled once fraudulent charges start cropping up on them. Or when Social Security numbers — like those stolen in the Equifax breach — start getting flagged for fraud.