Equifax warned personal data was exposed, did nothing: report

FILE - This July 21, 2012, file photo shows Equifax Inc., offices in Atlanta. Equifax has taken down one of its web pages after reports that another part of its website had been hacked as well. The news comes as Equifax continues to deal with the aftermath of hackers breaking into its system earlier in 2017 which allowed the personal information of 145.5 million Americans to be accessed or stolen. (AP Photo/Mike Stewart, File) — Mike Stewart/Associated Press
FILE – This July 21, 2012, file photo shows Equifax Inc., offices in Atlanta. Equifax has taken down one of its web pages after reports that another part of its website had been hacked as well. The news comes as Equifax continues to deal with the aftermath of hackers breaking into its system earlier in 2017 which allowed the personal information of 145.5 million Americans to be accessed or stolen. (AP Photo/Mike Stewart, File)

By Ethan Baron | ebaron@bayareanewsgroup.com | Bay Area News Group

PUBLISHED: October 26, 2017 at 12:57 p.m. | UPDATED: October 26, 2017 at 2:56 p.m.

Months before the historic data breach of credit-reporting titan Equifax that saw criminal hackers steal private personal data of nearly half the U.S. population, the company was warned it was open to such an attack, according to a new report.

It had taken just three hours for a security researcher probing Equifax’s systems to find a vulnerability that exposed the personal data of millions of Americans and the credit card numbers of more than 200,000, according to the report.

This, the researcher said, was six months before the data breach in which the most private and highly valued personal data — including names, Social Security numbers, addresses and dates of birth — of more than 145 million Americans was stolen.

The researcher accessed the data through an Equifax website that was “completely exposed to anyone on the internet,” according to the report in tech site Motherboard.

“It displayed several search fields, and anyone—with no authentication whatsoever—could force the site to display the personal data of Equifax’s customers,” according to the researcher.

The researcher, who was not named out of professional concerns, said they could’ve downloaded the data of every Equifax customer in 10 minutes, according to Motherboard.

“I’ve seen a lot of bad things, but not this bad,” the researcher told the site. “I definitely think I’m not the only one who found it.”

Motherboard said it had been shown multiple sets of the data that was accessed.

Equifax did not immediately respond to a request from this news organization for comment. It told Motherboard it did not speak publicly about internal security operations.

After finding the problem in December, the researcher warned Equifax immediately, providing downloaded data of hundreds of thousands of Americans as evidence of the company’s system flaws, Motherboard reported Oct. 26.

“It should’ve been fixed the moment it was found,” the researcher reportedly told the tech website. “It would have taken them five minutes.”

Instead, it took six months for Equifax to patch the vulnerability, Motherboard reported.

The company has said it believes the hackers were in its systems from May 13 through July 30. It didn’t fix the problem identified by the researcher until June, according to Motherboard.

It’s not clear whether the identified vulnerability, or other openings, were exploited by the hackers, but the researcher believes there were “maybe dozens” of breaches to Equifax’s databases.