Digital Fallout: The Keepers of Your Secrets

Show Notes

It starts with a strange letter in the mail. A car loan you never applied for. A credit card you don't own. A digital ghost is quietly living your life, and you have no idea how it got the keys. When you turn to one of the silent guardians of your financial identity for help, you find only chaos, confusion, and a company that seems to be a danger to itself.

This week on Digital Fallout, we tell the true story of one of history's most catastrophic data breaches. It's a tale of staggering corporate negligence, a botched public response that became a dark comedy, and a 76-day silent heist where the identities of 147 million people were stolen.

What happens when the keepers of our most valuable secrets simply forget to lock the door?

Show Notes: Sources

This story was pieced together from numerous public records, government reports, and in-depth investigative journalism. For those who want to learn more about the 2017 Equifax breach, these are the key sources we consulted:

• The official report from the U.S. Government Accountability Office (GAO) titled "Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach," which provides a definitive timeline and analysis of the failures.
• Federal Trade Commission (FTC) public statements and court filings related to the landmark global settlement with Equifax.
• In-depth reporting from security journalist Brian Krebs (KrebsOnSecurity), who meticulously covered the botched response, including the fake phishing sites promoted by Equifax's own Twitter account.
• Technical explainers from outlets like WIRED magazine that broke down the Apache Struts vulnerability and how it was exploited.
• Ongoing coverage of the corporate and financial fallout from The New York Times and The Wall Street Journal during September and October 2017.
• The public testimony of former Equifax CEO Richard Smith before the U.S. House Committee on Energy and Commerce, where many of the internal failures were brought to light.

Chapters

• 0:00: Introduction to Digital Fallout
• 1:54: Sarah's Mortgage Nightmare Begins
• 3:16: Equifax Announces the Breach
• 4:42: The Untold Story: How Hackers Got In
• 6:15: The Devastating Impact and Aftermath
• 7:08: Episode Conclusion

Transcript

Speaker 1: 0:44

Hi, welcome back to Privacy, Please. I'm Cameron Ivey, and this is the second episode of our series, Digital Fallout. Before we begin, the story you're about to hear is a true story based on extensive public reporting. We've dramatized certain elements to bring the story to life. For a full list of our resources, please see the show notes. With that being said, let's get into the story. Let's get into the story.

Speaker 1: 1:10

Have you ever had the strange feeling, that prickle on the back of your neck that tells you something is wrong, A feeling that someone somewhere knows something about you they shouldn't? For a 32-year-old woman from Ohio named Sarah, that feeling began in the summer of 2017. Sarah and her husband had been saving for years to buy their first house. They had good jobs, they paid down their debts and their credit scores were pristine. They were finally ready. In late August, they walked into their bank to get pre-approved for a mortgage, a moment they had been dreaming about for years. The loan officer typed their information into the computer. He looked at his screen, looked back at them and then he had five words that made Sarah's blood run cold I'm sorry, I've been denied. Confused, Sarah asked why. The loan officer explained that her credit report showed a brand new car loan taken out in her name just three weeks prior from a dealership in California. Sarah had never been to California. She hadn't bought a car. It was the first sign that a digital ghost was now living her life.

Speaker 1: 2:32

While Sarah was frantically trying to prove that she was in fact herself, a press release went out that shook the country. One of the nation's three great credit bureaus the silent keepers of our financial identities announced that they had been the victim of a cybersecurity incident. They didn't say much more. The announcement was vague, clinical. They assured the public they had the situation under control and directed everyone to a special website to see if they had been affected. But when people like Sarah visited the site, the mystery only deepened. The website looked amateurish. It asked for the last six digits of your social security number, which felt like walking into a trap. Worse, the website itself seemed to be guessing. It would tell a person they were likely impacted one day and not impacted the next. And then came the truly absurd. The company's own official Twitter account, trying to be helpful, began sending its scared and confused customers to the wrong website, A fake phishing site that a security researcher had set up to prove a point. The very institution that held the keys to their financial kingdom was now leading them astray, but the public still didn't know the full story. They didn't know it was stolen. The institution that held the keys to their financial kingdom was now leading them astray, but the public still didn't know the full story. They didn't know it was stolen and they didn't know how the thieves got in.

Speaker 1: 3:58

Behind the scenes, a team of digital investigators was piecing together the timeline, and what they found was chilling. The intrusion hadn't just happened. It had been going on for months. They discovered that back in March, a known vulnerability in a common piece of web software had been announced to the world. A patch was issued. It was a simple fix, but for some reason, at this one company, the memo was ignored. The patch never applied. It was the equivalent of a bank being told about a faulty lock and then leaving the door wide open for the entire summer, and for 76 days, from mid-May to the end of July, hackers had walked right through the open door. They roamed the company's network completely undetected, mapping out the databases, locating the most sensitive information and then slowly, methodically siphoning it all out.

Speaker 1: 4:54

And when the investigators finally determined what exactly had been taken. They understood the true scale of this disaster. This wasn't just usernames and passwords. The thieves had taken the crown, jewels Names, birthdates, addresses, driver's license numbers and, in most cases, social security numbers Everything someone would need to become you. And who were the victims? The company's final analysis revealed that the number was 147 million people, nearly half of the entire adult population of the United States.

Speaker 1: 5:31

This was not a sophisticated, state-of-the-art hack that no one could have prevented.

Speaker 1: 5:36

This was a catastrophic failure of the most basic security practices A failure to perform a single routine software update, A failure to notice that nearly half of the country's most sensitive data was walking right out the front door for two and a half months. It was a breach of trust so profound, so complete, that it changed the landscape of privacy forever. For people like Sarah, the mystery car loan was just the beginning of a lifelong battle to protect her own identity. The mystery car loan was just the beginning of a lifelong battle to protect her own identity. The damage was permanent and the name of this silent guardian, the keeper of secrets that failed. Its one single duty was Equifax. That brings us to the end of this episode of Digital Fallout. Thank you so much to the journalists and researchers who meticulously documented the failures and fallout of this historic breach. For a list of our primary sources, please check out the show notes. Until next time, everyone, thank you so much for tuning in to Privacy, Please, and stay curious and safe out there. No-transcript.