The recent hack of Equifax, in which the personal data of at least 143 million Americans was compromised, still doesn’t have a culprit despite the best efforts of security experts. But a timeline is starting to emerge: It began when a researcher stumbled upon a security flaw in the Apache Struts (who names these things?) software system. He alerted that software firm, which in turn told its customers and sent out a fix. Equifax apparently missed the update, but the hacker community sure didn’t. They allegedly started swarming the web for any companies that hadn’t fixed the flaw. According to Bloomberg, on March 10, hackers were able to start digging into an Equifax server in Atlanta. The hack escalated over the following months, when the first group of hackers handed over the operation to a more “sophisticated team” who really dug into the data.
According to Bloomberg, that hand-off is one of several signs that the hack was done by “state-sponsored pros,” with some fingers pointing at China. This wouldn’t be the first time Chinese agents hacked into U.S. systems: Both health insurer Anthem Inc. and the U.S. Office of Personnel Management had security breaches that were ultimately blamed on Chinese hackers. Not everyone is convinced, though. Some think it wasn’t China, but a different nation (perhaps the one that hacked states’ voting equipment?), while Mandiant, which Equifax hired to investigate the breach, said it didn’t have enough data to identify either the attackers or their country of origin.
Bloomberg took a comprehensive look at the timeline of the hack, its discovery, and Equifax’s lackadaisical response. One warning: Don’t read the story on a new computer, because it’s infuriating enough to make you want to punch the screen.