
August 14, 2025 8 mins


It starts with a strange letter in the mail. A car loan you never applied for. A credit card you don't own. A digital ghost is quietly living your life, and you have no idea how it got the keys. When you turn to one of the silent guardians of your financial identity for help, you find only chaos, confusion, and a company that seems to be a danger to itself.

This week on Digital Fallout, we tell the true story of one of history's most catastrophic data breaches. It's a tale of staggering corporate negligence, a botched public response that became a dark comedy, and a 76-day silent heist where the identities of 147 million people were stolen.

What happens when the keepers of our most valuable secrets simply forget to lock the door?

Show Notes: Sources

This story was pieced together from numerous public records, government reports, and in-depth investigative journalism. For those who want to learn more about the 2017 Equifax breach, these are the key sources we consulted:

  • The official report from the U.S. Government Accountability Office (GAO) titled "Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach," which provides a definitive timeline and analysis of the failures.
  • Federal Trade Commission (FTC) public statements and court filings related to the landmark global settlement with Equifax.
  • In-depth reporting from security journalist Brian Krebs (KrebsOnSecurity), who meticulously covered the botched response, including the fake phishing sites promoted by Equifax's own Twitter account.
  • Technical explainers from outlets like WIRED magazine that broke down the Apache Struts vulnerability and how it was exploited.
  • Ongoing coverage of the corporate and financial fallout from The New York Times and The Wall Street Journal during September and October 2017.
  • The public testimony of former Equifax CEO Richard Smith before the U.S. House Committee on Energy and Commerce, where many of the internal failures were brought to light.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hi, welcome back to Privacy, Please.
I'm Cameron Ivey, and this is the second episode of our series,
Digital Fallout.
Before we begin, the story you're about to hear is a true
story based on extensive public reporting.
We've dramatized certain elements to bring the story to
life.
For a full list of our resources, please see the show
notes.
With that being said, let's get into the story.

(00:21):
Let's get into the story.
Have you ever had the strange feeling, that prickle on the
back of your neck that tells you something is wrong, a feeling
that someone somewhere knows something about you they
shouldn't?
For a 32-year-old woman from Ohio named Sarah, that feeling

(00:49):
began in the summer of 2017.
Sarah and her husband had been saving for years to buy their
first house.
They had good jobs, they paid down their debts and their
credit scores were pristine.
They were finally ready.
In late August, they walked into their bank to get
pre-approved for a mortgage, a moment they had been dreaming

(01:12):
about for years.
The loan officer typed their information into the computer.
He looked at his screen, looked back at them and then he had
five words that made Sarah's blood run cold: I'm sorry, I've
been denied.
Confused, Sarah asked why.
The loan officer explained that her credit report showed a
brand new car loan taken out in her name just three weeks prior

(01:34):
from a dealership in California.
Sarah had never been to California.
She hadn't bought a car.
It was the first sign that a digital ghost was now living her
life.
While Sarah was frantically trying to prove that she was in
fact herself, a press release went out that shook the country.

(01:55):
One of the nation's three great credit bureaus, the silent
keepers of our financial identities, announced that they
had been the victim of a cybersecurity incident.
They didn't say much more.
The announcement was vague, clinical.
They assured the public they had the situation under control

(02:16):
and directed everyone to a special website to see if they
had been affected.
But when people like Sarah visited the site, the mystery
only deepened.
The website looked amateurish.
It asked for the last six digits of your social security
number, which felt like walking into a trap.
Worse, the website itself seemed to be guessing.

(02:37):
It would tell a person they were likely impacted one day and
not impacted the next.
And then came the truly absurd.
The company's own official Twitter account, trying to be
helpful, began sending its scared and confused customers to
the wrong website, a fake phishing site that a security
researcher had set up to prove a point.

(02:58):
The very institution that held the keys to their financial
kingdom was now leading them astray, but the public still
didn't know the full story.
They didn't know it was stolen.
The institution that held the keys to their financial kingdom
was now leading them astray, but the public still didn't know
the full story.
They didn't know it was stolen and they didn't know how the
thieves got in.
Behind the scenes, a team of digital investigators was
piecing together the timeline, and what they found was chilling.

(03:21):
The intrusion hadn't just happened.
It had been going on for months.
They discovered that back in March, a known vulnerability in
a common piece of web software had been announced to the world.
A patch was issued.
It was a simple fix, but for some reason, at this one company,
the memo was ignored.

(03:42):
The patch never applied.
It was the equivalent of a bank being told about a faulty lock
and then leaving the door wide open for the entire summer, and
for 76 days, from mid-May to the end of July, hackers had walked
right through the open door.
They roamed the company's network completely undetected,
mapping out the databases, locating the most sensitive

(04:04):
information and then slowly, methodically siphoning it all
out.
And when the investigators finally determined what exactly
had been taken, they understood the true scale
of this disaster.
This wasn't just usernames and passwords.
The thieves had taken the crown jewels. Names, birthdates,

(04:25):
addresses, driver's license numbers and, in most cases,
social security numbers. Everything someone would need to
become you.
And who were the victims?
The company's final analysis revealed that the number was 147
million people, nearly half of the entire adult population of
the United States.

(04:47):
This was not a sophisticated, state-of-the-art hack that no
one could have prevented.
This was a catastrophic failure of the most basic security
practices. A failure to perform a single routine software update.
A failure to notice that nearly half of the country's most
sensitive data was walking right out the front door for two and

(05:07):
a half months.
It was a breach of trust so profound, so complete, that it
changed the landscape of privacy forever.
For people like Sarah, the mystery car loan was just the
beginning of a lifelong battle to protect her own identity.
The mystery car loan was just the beginning of a lifelong
battle to protect her own identity.
The damage was permanent and the name of this silent guardian,

(05:38):
the keeper of secrets that failed
its one single duty, was Equifax.
That brings us to the end of this episode of Digital Fallout.
Thank you so much to the journalists and researchers who
meticulously documented the failures and fallout of this
historic breach.
For a list of our primary sources, please check out the
show notes.
Until next time, everyone, thank you so much for tuning in

(05:59):
to Privacy, Please, and stay curious and safe out there.