Could the Equifax hack have been state-sponsored?

In the corridors and break rooms of Equifax Inc.’s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company was just one hack away from bankruptcy. They weren’t being disparaging, just darkly honest: Founded in the 19th century as a retail credit company, Equifax had over the years morphed into one of the largest repositories of Americans’ most sensitive financial data, which the company sliced and diced and sold to banks and hedge funds. In short, the viability of Equifax and the security of its data were one and the same.

Nike Zheng, a Chinese cybersecurity researcher from a bustling industrial center near Shanghai, probably knew little about Equifax or the value of the data pulsing through its servers when he exposed a flaw in popular backend software for web applications called Apache Struts. Information he provided to Apache, which published it along with a fix on March 6, showed how the flaw could be used to steal data from any company using the software.

The average American had no reason to notice Apache’s post but it caught the attention of the global hacking community. Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. On March 10, hackers scanning the internet for computer systems vulnerable to the attack got a hit on an Equifax server in Atlanta, according to people familiar with the investigation.

Before long, hackers had penetrated Equifax. They may not have immediately grasped the value of their discovery, but, as the attack escalated over the following months, that first group—known as an entry crew—handed off to a more sophisticated team of hackers. They homed in on a bounty of staggering scale: the financial data—Social Security numbers, birth dates, addresses and more—of at least 143 million Americans. By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax’s computer systems. The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.

The handoff to more sophisticated hackers is among the evidence that led some investigators inside Equifax to suspect a nation-state was behind the hack. Many of the tools used were Chinese, and these people say the Equifax breach has the hallmarks of similar intrusions in recent years at giant health insurer Anthem Inc. and the US Office of Personnel Management; both were ultimately attributed to hackers working for Chinese intelligence.

Others involved in the investigation aren’t so sure, saying the evidence is inconclusive at best or points in other directions. One person briefed on the probe being conducted by the Federal Bureau of Investigation and US intelligence agencies said that there is evidence that a nation-state may have played a role, but that it doesn’t point to China. The person declined to name the country involved because the details are classified. Mandiant, the security consulting firm hired by Equifax to investigate the breach, said in a report distributed to Equifax clients on Sept. 19 that it didn’t have enough data to identify either the attackers or their country of origin.

Wherever the digital trail ultimately leads, one thing is clear: The scant details about the breach so far released by Equifax—besides angering millions of Americans—omit some of the most important elements of the intrusion and what the company has since learned about the hackers’ tactics and motives. Bloomberg has reconstructed the chain of events through interviews with more than a dozen people familiar with twin probes being conducted by Equifax and US law enforcement.

In one of the most telling revelations, Equifax and Mandiant got into a dispute just as the hackers were gaining a foothold in the company’s network. That rift, which appears to have squelched a broader look at weaknesses in the company’s security posture, looks to have given the intruders room to operate freely within the company’s network for months. According to an internal analysis of the attack, the hackers had time to customize their tools to more efficiently exploit Equifax’s software, and to query and analyze dozens of databases to decide which held the most valuable data. The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company’s grasp through the summer. In an e-mailed statement, an Equifax spokesperson said: “We have had a professional, highly valuable relationship with Mandiant. We have no comment on the Mandiant investigation at this time.”

The massive breach occurred even though Equifax had invested millions in sophisticated security measures, ran a dedicated operations center and deployed a suite of expensive anti-intrusion software. The effectiveness of that armory appears to have been compromised by poor implementation and the departure of key personnel in recent years. But the company’s challenges may go still deeper. One US government official said leads being pursued by investigators include the possibility that the hackers had help from someone inside the company. “We have no evidence of malicious inside activity,” the Equifax spokesperson said. “We understand that law enforcement has an ongoing investigation.”

The nature of the attack makes it harder to pin on particular perpetrators than either the Anthem or OPM hacks, said four people briefed on the probe. The attackers avoided using tools that investigators can use to fingerprint known groups. One of the tools used by the hackers—China Chopper—has a Chinese-language interface, but is also in use outside China, people familiar with the malware said.

The impact of the Equifax breach will echo for years. Millions of consumers will live with the worry that the hackers—either criminals or spies—hold the keys to their financial identity, and could use them to do serious harm. The ramifications for Equifax and the larger credit reporting industry could be equally severe. The crisis has already claimed the scalp of Richard Smith, the chief executive officer. Meanwhile, the federal government has launched several probes, and the company has been hit with a flurry of lawsuits. “I think Equifax is going to pay or settle for an amount that has a ‘b’ in it,” says Erik Gordon, a University of Michigan business professor.

When Smith became Equifax CEO in 2005, the former General Electric Co. executive was underwhelmed by what he found. In a speech at the University of Georgia last month, he described a stagnating credit reporting agency with a “culture of tenure” and “average talent.” However, Smith also saw enormous potential because Equifax inhabited a uniquely lucrative niche in the modern global economy.

In the speech, Smith explained that the company gets its data for free (because regular consumers hand it over to the banks when they apply for credit). Then, he said, the company crunches the data with the help of computer scientists and artificial intelligence and sells it back to the banks that gave Equifax the data in the first place. The business generates a gross margin of about 90 percent. “That’s a pretty unique model,” Smith said.

And one that he fully exploited. Smith acquired two dozen companies that have given Equifax new ways to package and sell data, while expanding operations to 25 countries and 10,000 employees. Business was good—the company’s stock price quadrupled under Smith’s watch, before the breach was announced—and its leaders lived well. Equifax executives were prone to bragging about their mansions and expensive gadgets. They took lavish trips to Miami, where they stayed in luxury hotels costing as much as $1,000 a night. Last year, Smith’s compensation was almost $15 million.

But the man who transformed Equifax was plagued each and every day by the fear that hackers would penetrate the company’s firewall and make off with the personal data of millions of people. By the time he gave the speech on Aug. 17, Smith knew of the hack but the public didn’t. He told the audience the risk of a breach was “my No. 1 worry” and lingered on the threats posed by spies and state-sponsored hackers. Not long after becoming CEO, he hired Tony Spinelli, a well-regarded cyber expert, to overhaul the company’s security. The new team rehearsed breach scenarios, which involved 24-hour crisis-management squads taking turns to address each given issue until it was resolved. Protocol included alerting the chief of security, who determined the severity of the breach, and then telling the executive leadership if a threat was considered serious.

Apparently, gaps remained. After the breach became public in September, Steve VanWieren, a vice president of data quality who left Equifax in January 2012 after almost 15 years, wrote in a post on LinkedIn that “it bothered me how much access just about any employee had to the personally identifiable attributes. I would see printed credit files sitting near shredders, and I would hear people speaking about specific cases, speaking aloud consumer’s personally identifiable information.”

Spinelli left in 2013, followed less than a year later by his top deputy, Nick Nedostup. Many rank and file followed them out the door, and key positions were filled by people who were not well-known in the clubby cybersecurity industry. The company hired Susan Mauldin, a former security chief at First Data Corp., to run the global security team. Mauldin introduced herself to colleagues as a card-carrying member of the National Rifle Association, according to a person familiar with the changes.

Two people who worked with Mauldin at Equifax say she seemed to be putting the right programs in place, or trying to. “Internally, security was viewed as a bottleneck,” one person said. “There was a lot of pressure to get things done. Anything related to IT was supposed to go through security.” Mauldin couldn’t be reached for comment.

The company continued to invest heavily in state-of-the-art technology, and had a dedicated team to quickly patch vulnerabilities like the one identified by Zheng. Overseeing technology for Equifax was David Webb, a Kellogg MBA and Russian-language major hired in 2010 from Silicon Valley Bank, where he had been chief operations officer. But one former security leader said he finally joined the talent exodus because it felt like he was working with the “B team.”

Lapses in security began to catch up to the company in myriad ways beginning early this year. Since at least Feb. 1, Equifax had been aware that identity thieves were abusing a service that manages payroll data for companies, according to notices sent to victims. Criminals were feeding stolen Social Security numbers and other personal information into login pages for Equifax Workforce Solutions, downloading W-2 and other tax forms for dozens of employees of clients including Northrop Grumman Corp., Whole Foods Market Inc. and Allegis Global Solutions Inc., a human resources company. They accessed the data freely for over a year to file fraudulent tax returns and steal the refunds before Equifax learned of the incidents. (KrebsOnSecurity.com, a cybersecurity blog, first reported the thefts in May.)

Equifax hired Mandiant in March to investigate any security weaknesses related to the scams, and in notifications mailed to victims throughout the summer, Equifax eventually said its systems weren’t breached to acquire the personal data used in the fraud.

However, there are signs that Smith and others were aware something far more serious was going on. The investigation in March was described internally as “a top-secret project” and one that Smith was overseeing personally, according to one person with direct knowledge of the matter.

The relationship with Mandiant broke down sometime over the next several weeks—a period that would later turn out to be critical in how the breach unfolded. Mandiant warned Equifax that its unpatched systems and misconfigured security policies could indicate major problems, a person familiar with the perspectives of both sides said. For its part, Equifax believed Mandiant had sent an undertrained team without the expertise it expected from a marquee security company. A Mandiant spokesman declined to comment on the March investigation.

Although the hackers inside Equifax were able to evade detection for months, once the hack was discovered on July 29, investigators quickly reconstructed their movements down to the individual commands they used. The company’s suite of tools included Moloch, which works much like a black box after an airliner crash by keeping a record of a network’s internal communications and data traffic. Using Moloch, investigators reconstructed every step.

Once the hackers found the vulnerability Zheng reported, they installed a simple backdoor known as a web shell. It didn’t matter if Equifax fixed the vulnerability after that. The hackers had an invisible portal into the company’s network. The Moloch data suggests the initial group of hackers struggled to jump through internal roadblocks like firewalls and security policies, but that changed once the advanced team took over. Those intruders used special tunneling tools to slide around firewalls, analyzing and cracking one database after the next—while stockpiling data on the company’s own storage systems.
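The article notes that the stolen trove was broken into smaller pieces to avoid tripping alarms, and that a traffic recorder like Moloch kept the flow records investigators later used. The following is an added illustration, not Equifax’s, Mandiant’s or Moloch’s code, of why a per-transfer byte alarm misses such chunking while a sliding-window sum per source/destination pair does not; the record fields, thresholds, addresses and sample flows are all constructed assumptions rather than Moloch’s schema or data from the breach.

```python
"""Aggregating chunked transfers into one exfiltration signal.

Added illustration (not Equifax's, Mandiant's or Moloch's code): a single
large transfer trips a per-flow alarm, but the same volume split into many
small pieces does not. Summing bytes per (source, destination) pair over a
sliding time window restores visibility. Field names, thresholds and every
sample flow below are constructed assumptions, not Moloch's real schema.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch (constructed)
    src: str         # internal source address
    dst: str         # destination address
    bytes_out: int   # bytes sent from src to dst


PER_FLOW_ALARM = 50_000_000    # naive rule: alert on any single 50 MB transfer
WINDOW_SECONDS = 6 * 3600      # look back six hours per (src, dst) pair
WINDOW_ALARM = 200_000_000     # alert once a pair moves 200 MB inside the window


def per_flow_alerts(flows):
    """The rule a chunking attacker is trying to stay under."""
    return [f for f in flows if f.bytes_out > PER_FLOW_ALARM]


def sliding_window_alerts(flows, window=WINDOW_SECONDS, limit=WINDOW_ALARM):
    """Return one (src, dst, window_start_ts, total_bytes) tuple per pair
    whose bytes within any `window`-second span exceed `limit`."""
    history = defaultdict(deque)   # (src, dst) -> deque of (ts, bytes)
    totals = defaultdict(int)      # (src, dst) -> bytes currently in window
    alerts = {}
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst)
        q = history[key]
        q.append((f.ts, f.bytes_out))
        totals[key] += f.bytes_out
        # evict pieces that have fallen out of the window
        while q and f.ts - q[0][0] > window:
            _, old = q.popleft()
            totals[key] -= old
        if totals[key] > limit and key not in alerts:
            alerts[key] = (f.src, f.dst, q[0][0], totals[key])
    return list(alerts.values())


def build_sample_flows():
    """Constructed flow records, not captured traffic."""
    base = 1_500_000_000
    flows = []
    # 100 pieces of 4 MB, one every two minutes, from a database host to one
    # external address: each piece is under PER_FLOW_ALARM, the sum is 400 MB
    for i in range(100):
        flows.append(Flow(base + 120 * i, "10.20.30.40", "203.0.113.7", 4_000_000))
    # routine nightly replication: one 40 MB flow per day for five days
    for d in range(5):
        flows.append(Flow(base + 86_400 * d, "10.20.30.41", "10.20.31.9", 40_000_000))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-flow alerts:", per_flow_alerts(sample))  # []
    for src, dst, start, total in sliding_window_alerts(sample):
        print(f"{src} -> {dst}: {total} bytes within the window starting {start}")
```

The window sum fires on the 51st piece (204 MB) while the nightly replication, which never exceeds 40 MB in any six-hour span, stays quiet.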

Besides amassing data on nearly every American adult, the hackers also sought information on specific people. It’s not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value.

Eventually the intruders installed more than 30 web shells, each on a different web address, so they could continue operating in case some were discovered. Groups known to exploit web shells most effectively include teams with links to Chinese intelligence, including one nicknamed Shell Crew. Some investigators within Equifax reached the conclusion that they were facing Chinese state hackers relatively quickly after analyzing the Moloch data, according to a person briefed on those discussions. If the Equifax breach was a purely criminal act, one would expect at least some of the stolen data, especially the credit card numbers that were taken, to have shown up for sale on the black market. That hasn’t happened.

What’s more, banks are typically asked to shut down all stolen cards if investigators are near certain who is behind a hack. In this case, they still aren’t sure. That’s why on Sept. 11, the FBI asked several major banks to monitor the credit card accounts of small batches of consumers—in one case just 20 people—for suspicious activity. Investigators were still looking for anything that could give them insight into the hackers’ identity and motives, according to security experts.

“This wasn’t a credit card play,” said one person familiar with the investigation. “This was a ‘get as much data as you can on every American’ play.” But it probably won’t be known if state hackers—from China or another country—were involved until US intelligence agencies and law enforcement complete their work.

That could take weeks or months, but Equifax is already a changed company. Smith has handed the reins to Paulino do Rego Barros, who will be interim CEO until the board finds a permanent replacement. Smith’s departure was preceded by the early retirement of the company’s two top security officials, chief information officer Webb and chief security officer Mauldin. Federal investigators are probing suspicious stock sales by other executives that happened not long after Equifax discovered the breach. And lawmakers are making ominous noises about boosting oversight of the credit reporting industry, which is largely unregulated.

“What member of Congress can vote against tighter regulation when every congressional district has nearly half its voters affected by this?” says Gordon, the Michigan business professor. “The lobbying wins when there is no organized group fighting back, but you don’t need an organized group when you have 143 million angry people.”

With Dune Lawrence and Jennifer Surane

Allstate releases its Harvey loss estimate (and it’s big)

Allstate is expecting insurance losses of about $593 million in August in the wake of Hurricane Harvey.

That’s more than three times the $181 million in losses recorded in July – and Allstate’s August insurance losses may not yet be fully accounted for.

Allstate said that because of the widespread nature of the damage inflicted by Harvey, which slammed into Texas on August 25, its estimated losses for the month may still grow. The devastation from the storm has also prevented some people from reaching their homes or cars, meaning there may be other losses yet to be accounted for, according to local news station NBC 5.

The Insurance Council of Texas has estimated overall insured losses from Harvey to be nearly $19 billion. That includes an estimated $11 billion in payments to homeowners with flood insurance, NBC 5 reported.

Harvey impacted an area stretching from Houston to Louisiana, killing more than 70 people and damaging or destroying more than 250,000 homes. Days later, Hurricane Irma devastated the Caribbean and Florida. Last week, German reinsurer Munich Re became the first to warn that it might not hit previous financial goals thanks to the impact of the hurricanes, NBC 5 reported.

Hurricane Irma claims in Florida worth $3.1 billion so far

Based on reports by property and casualty insurers to Florida’s Office of Insurance Regulation, the total number of insurance claims filed following Hurricane Irma to date is 496,532 – worth an estimated $3.1 billion.

The state’s insurance regulator revealed the numbers yesterday, which included claims to private companies that underwrite flood coverage. However, the numbers do not include the roughly 17,000 claims (as of Thursday) filed in the state to the National Flood Insurance Program (NFIP). Of the tallied claims, 428,269 were for residential properties and 18,239 for commercial properties.

Florida Association of Insurance Agents president and CEO Jeff Grady believes the inflow of Irma-related claims has peaked and he would be surprised if damage totals hit the much higher levels projected by catastrophe modeling firms such as AIR Worldwide and CoreLogic.

“It seems the initial damage estimates might have been high based on the lack of structural damage in many parts of the state,” Grady told Sun Sentinel.

Grady explained that most of the total claims tallied by the state will likely not result in payouts because they will not exceed their hurricane deductibles, which are usually equal to 2%-5% of the insured value.

Sun Sentinel reported that only 46,060 claims have been closed so far – 17,784 of those claims were closed with no payments.

The largest number of claims was filed in Miami-Dade County – 55,012, followed by Orange County with 44,696 claims, and Broward with 38,836 claims.

The most heavily impacted community when comparing claims as a percentage of population is Monroe County, with 15.3 claims for every 100 residents. It was followed by rural Highlands County with 10.2 claims per 100 residents and Seminole County with 8.5 claims per 100 residents.

Florida International University’s College of Business released a report yesterday that projected total wind loss in Florida reaching $19.4 billion. Insurers, however, will only have to pay out $6.3 billion of the total, since most of the damage will not exceed hurricane deductibles.

California insurance regulator orders companies to stop discriminatory pricing

In response to an investigative report, the California Department of Insurance has ordered Nationwide and USAA to not charge motorists in minority neighborhoods more than policyholders with similar risk profiles who live in predominantly white neighborhoods.

Released in April 2017, a report by ProPublica examined publicly-available auto insurance pricing data in four states – Illinois, Missouri, Texas and California. ProPublica found that many insurance companies were penalizing motorists in minority neighborhoods with higher auto insurance costs.

While California fared better than the other states featured in the report, ProPublica found that Safeco, Liberty Mutual, Nationwide and USAA charged at least 10% more in minority zip codes than in predominantly white zip codes with the same risk. Liberty Mutual was deemed the worst offender among the major insurers, with a 32% difference in certain zip codes.

Proposition 103 exists in California law to prevent auto insurers from discriminating against minority motorists.

“California drivers are once again benefitting from Proposition 103: to our knowledge, no other state besides California investigated the overcharges exposed in ProPublica’s study,” said initiative author Harvey Rosenfield. “Insurance Commissioner Dave Jones correctly recognized the need to follow up on the ProPublica report…”

The state Department of Insurance has not published the results of its own investigation into the matter. The agency has also chosen not to seek refunds for consumers who may have been overcharged in the past, and it has not revealed what measures it will take to prevent other insurers from committing the same mistake.

Consumer Watchdog has sworn to press for further action from the insurance regulator.

“The Department must provide the public with a full explanation of how it conducted its investigation, and exactly what it found, particularly the data that would show how much people already have been overcharged,” the consumer advocate said in a statement.

“The Department must also ensure that every insurance company doing business in California obey the law that the voters put into place to prevent these kinds of overcharges.”

Here are the insurers who will face the biggest hit from Harvey

Morgan Stanley believes that major insurers operating in Texas could stand to lose billions of dollars to claims made following Hurricane Harvey – with State Farm and Allstate to take the bulk of the hit.

The bank said that if media reports on the hurricane’s damage – ranging between $30 billion and $40 billion – are correct, then Harvey would rank as the fourth worst storm in US history, when adjusted for inflation.

Although Harvey brought strong winds to Texas, it was the severe, flood-causing rainfall that caused the most damages, Morgan Stanley observed.

“Early estimates on wind losses from RMS are in the low single digit $billions. Flooding has been extensive and could cause more insured losses than wind,” the bank said in its release.

The bank also found that in Texas, the 10 largest homeowners’ insurers are responsible for the bulk of that market, and thus are anticipated to lose the most.

“The homeowners market is concentrated (the top-10 account for ~77% of the market), but wind losses could be less than flood losses,” it said.

State Farm commanded the largest homeowners’ market share, at 21.5%. Allstate came in second, with 12.7%, followed by Farmers with 10.9%. Of the rest that made the list, USAA has 10.1% of the market, Liberty 8.2%, Travelers 3.7%, Nationwide 3.0%, Texas Farm Bureau 2.8%, PGR 2.2%, and CB 2.1%.

Business Insider reported that the stock prices of Allstate and Travelers were down 1.53% and 2.63%, respectively, Monday afternoon.

By comparison, the state’s commercial insurance market is much more fragmented.

“In the commercial market, the top-10 account for only about 55% of the market (with the largest two writers including Hartford Financial Services and Travelers),” it said.

Just keep in mind this affects the whole country.