In 2017, consumer credit reporting agency Equifax suffered one of the largest data breaches in history, exposing extensive personal information on nearly 150 million Americans (and in countless thousands of additional cases, credit-card numbers and scans of driver’s licenses, social security cards, and other identity documents). Congressional investigators later found the incident was the result of massive incompetence on Equifax’s part, but who exactly penetrated the company’s systems for months remains a mystery.
The good news? The data does not appear to be being sold to cybercriminals online. The bad news? There is still no indication of where it might be. Hackers could be storing it somewhere discreetly, or it could have been quietly sold off to someone whose interests in it are non-financial, like a foreign intelligence agency.
According to a Wednesday report by CNBC, eight experts “including data ‘hunters’ who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation, and consultants who helped support it” have never seen any indication that the Equifax materials ended up on online black markets for stolen data. Nor has any of the data been used for cybercrime, at least in any manner that has been detected, CNBC reported the experts said.
One anonymous cybersecurity analyst at a major bank (“Jeffrey”) told CNBC that such stolen data usually moves quickly online, as the longer it is known to have been compromised, the less useful it is—many victims as well as financial institutions will have taken steps to safeguard against possible fraud. The analyst said there was no indication anyone had sought to sell the Equifax data on underground internet destinations:
“Of course I thought this data was stolen by criminals. Even if there’s [a nation-state] behind it, this is really valuable stuff, and the criminals and nation-state stuff can be really mixed. Or, a nation-state would sell it just to save face. This level of data is worth a lot more than most,” Jeffrey recalls thinking at the time.
Equifax spokesperson Jamil Farshchi told CNBC that the company is working with state and federal authorities as well as their own cybersecurity team, but that “at this time there has been absolutely no indication, whatsoever, that the data has been disclosed, that it has been used, or that it has been offered for sale.”
According to CNBC, Jeffrey initially believed that the data was stolen by criminals and that the hackers considered it simply too hot to flip without attracting the unwelcome attention of law enforcement. However, CNBC said that “investigators with an intelligence background” came to a consensus that the data was likely stolen by a criminal but was instead bought by a proxy of a foreign nation-state like Russia or China.
One “former senior intelligence official with direct knowledge of the Equifax investigation” told CNBC on the condition of anonymity that there could be two uses for the data. First, the data could be paired with other stolen data via “artificial intelligence or machine learning” to identify people in the U.S. government who are or could be spies. The second, which seems much more plausible, is that the stolen information could help tell a foreign power who in the U.S. government is facing personal financial problems and thus could be susceptible to bribery.
This isn’t the first time the Equifax breach has been rumored to be tied to some kind of intelligence operation. Hackers involved in the breach used techniques resembling those used previously by state-sponsored hackers, according to a 2017 Bloomberg report, and in 2018 the Wall Street Journal reported that Equifax had once feared Chinese espionage targeting confidential business information.
This is all based on anonymous sources, and the CNBC report does not assert that the suspected espionage is anything but a theory—which in and of itself is slightly concerning. Well over a year later, no one knows where all that sensitive financial information went.