Ross played down the prospect of an agreement being reached at the G-20 meeting in Osaka on June 28-29.Paris Airshowread more
Boeing is scrambling to restore confidence in the 737 Max from regulators, customers and the flying public.Paris Airshowread more
Heavy rains caused unprecedented delays in planting this year and contributed to record floods across the central United States.Agricultureread more
Elon Musk, the CEO of Tesla and SpaceX, tweeted early on Monday morning that he "just deleted" his Twitter account.Marketsread more
Pfizer said on Monday it had agreed to acquire Array Biopharma for $10.64 billion, which will grant it access to its cancer drugs.Biotech and Pharmaceuticalsread more
Huawei CEO and founder Ren Zhengfei said that the Chinese tech company will report revenues of around $100 billion in 2019 and 2020, which would be flat growth versus 2018.Technologyread more
Bitcoin leapt across the $9,000 mark on Sunday, boosted by reports that Facebook is soon set to launch its own cryptocurrency.Cryptocurrencyread more
Although Cook did not mention companies by name, his commencement speech in Silicon Valley's backyard mentioned data breaches, privacy violations, and even made reference to...Technologyread more
In the survey, 66% of Democratic primary voters say they'd be enthusiastic or comfortable about Biden as their nominee to take on President Trump in the 2020 election. Just...Politicsread more
Target's registers were down on Saturday for several hours preventing customers from checking out.Retailread more
Organizers claimed that nearly 2 million Hong Kong protesters took to the streets Sunday in a rally to demand the city's top official resign a day after she suspended — but...China Politicsread more
On Sept. 7, 2017, the world heard an alarming announcement from credit ratings giant Equifax: In a brazen cyberattack, somebody had stolen sensitive personal information from more than 140 million people, nearly half the population of the U.S.
It was the consumer data security scandal of the decade. The information included Social Security numbers, driver's license numbers, information from credit disputes and other personal details. CEO Richard Smith stepped down under fire. Lawmakers changed credit freeze laws and instilled new regulatory oversight of credit ratings agencies.
Then, something unusual happened. The data disappeared. Completely.
CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen.
But none of them knows where the data is now. It's never appeared on any hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.
But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies.
The missing Equifax data has been a 17-month-long obsession for Jeffrey, a cybersecurity analyst at one of the world's largest banks. To him, it represents a sort of professional Lost City of Atlantis or Holy Grail.
Jeffrey is not the analyst's real name. He asked to remain anonymous because he was not authorized to speak to the media. He also asked that his bank remain anonymous, because he's one of such a narrow pool of a specific type of employee that even the name of his bank could be used to identify him.
Jeffrey is a "hunter " on the bank's "hunt team," and his job is searching for data on the dark web or darknet — a set of web sites that can only be accessed with special software that protects the user's anonymity. The dark web can be used for many purposes, but most prominently serves as the internet's underground black market, where criminals buy, sell and trade credit card data, personal information and criminal services.
Jeffrey trolls the dark web for stolen personal data that looks like it might be brand new, especially if it looks like it might belong to customers of the bank or its rivals. He is often one of the first to know that another company has been breached, and his team is often among the first to inform the victims that their systems have been breached.
So Jeffrey was surprised when he learned about the Equifax breach at the same time as everybody else, when the company announced it to the world.
Stolen consumer information usually goes up for sale immediately after a company is hacked, he explains. Criminals aim for speed so they can sell the data before a company's tripwires ever detect it was stolen. The longer they wait, the more likely the victims and the institutions will make changes to render the data useless. This is especially true with credit card numbers, which can quickly be canceled once fraudulent charges start cropping up on them. Or when Social Security numbers — like those stolen in the Equifax breach — start getting flagged for fraud.
Equifax said it had first identified the attack in July, and it may have started even earlier than that. Jeffrey said he had occasionally seen data for sale from the credit reporting bureaus, other banks and organizations that deal in credit scores, like mortgage servicers. But he had never seen any data that looked like it had come from Equifax on any criminal forum.
"Of course I thought this data was stolen by criminals. Even if there's [a nation-state] behind it, this is really valuable stuff, and the criminals and nation-state stuff can be really mixed. Or, a nation-state would sell it just to save face. This level of data is worth a lot more than most," Jeffrey recalls thinking at the time.
Jeffrey had only recently started his career as a hunter, but he was sure he'd find something on Equifax. He hunted at work, and he hunted at home. He asked his friends. He bothered people he met online.
He made no progress.
Jeffrey was not alone.
"We have been working very closely with authorities — federal authorities, state authorities — as well as our partners and customers, and our own very advanced threat intelligence team," Jamil Farshchi, the chief information security officer of Equifax, told CNBC.
"We are all working to be able to consistently determine whether this data is out there and whether it has ever been out there. And at this time there has been absolutely no indication, whatsoever, that the data has been disclosed, that it has been used or that it has been offered for sale."
As soon as the investigation started, in September 2017, stakeholders had lots of theories about who stole the data and why. Those theories eventually grouped into two sides.
Jeffrey, who formerly served in law enforcement, tends to see the world in shades of criminals versus cops. Like most other people with this kind of background, he believed the data was stolen by criminals and was not turning up for sale on the dark web because the hackers feared that the data was too hot, and that law enforcement would immediately catch them — like the thief who stole the Mona Lisa.
The other theory, favored by investigators with an intelligence background, focused on intelligence officers working for a foreign nation-state.
As several independent investigations wound down, the experts following the case came to a general consensus that split the middle. The breach probably started with a low-level criminal who exploited a vulnerability in Equifax's defenses but was not experienced or capable enough to do more damage by moving further throughout the company. This criminal then sought help via the criminal underground and shared or sold information about the vulnerability. The buyer was probably a proxy for the Russian or Chinese government.
That buyer used far more sophisticated tools and techniques to hack deeper into Equifax's databases and exfiltrate — an industry term for "steal" that implies moving huge amounts of data undetected — the now-infamous terabytes of consumer credit information.
One former senior intelligence official with direct knowledge of the Equifax investigation summarized the prevailing expert opinion on how the foreign intelligence agency is using the data. (This person asked to speak on the condition of anonymity because he isn't authorized in his current role to speak to media.)
First, he said, the foreign government is probably combining this information with other stolen data, then analyzing it using artificial intelligence or machine learning to figure out who's likely to be — or to become — a spy for the U.S. government. He pointed to other data breaches that focused on information that could be useful for identifying spies, such as a 2015 breach of the Office of Personnel Management, which processes the lengthy security clearance applications for U.S. government officials.
Second, credit reporting data provides compromising information that can be used to turn valuable people into agents of a foreign government, influencers or, for lower-level employees, data thieves or informants. In particular, the credit information can be used to identify people in key positions who have significant financial problems and could be compromised by bribes or high-paying jobs, the former official said. Financial distress is one of the most common reasons people commit espionage.
The Equifax data provides information that could identify people who aren't even in these positions of influence yet, he said, and could be valuable for years to come.
If this leading theory is right, the only people who needed to worry about the Equifax breach were people in sensitive government positions or with lots of access, influence and power: future senators, overseas CIA officers, people who oversee U.S. corporate data centers or senior financial executives of technology companies, for instance.
The fevered advertisements that urged consumers to check whether their data had been compromised and take numerous steps to freeze it and monitor it turns out to have been unnecessary for this breach — at least so far.
Still, Farshchi said credit freezes and monitoring services are still the best way to determine whether personal data has been stolen or your identity misused. Experts outside Equifax have long agreed.
As for Jeffrey, he said he and many of his contemporaries will continue hunting for the data, probably on their own time. About once a week, he says, he gets up early with a cup of coffee and sets his sights on his usual dark web haunts with Equifax in mind.
Knowing that an intelligence agency probably has the data, he said he's also reading the news more often. He looks for stories about bribery, graft, spies being caught or politicians suddenly spouting rhetoric in defense of hostile nations where they hadn't before.
"I think I'm going to be watching some news feed some day a decade from now and see that some politician is trying to do some crazy deal with some country we supposedly don't like," he wrote via secured text message. "And I'm really going to wonder: am I finally looking at the Equifax data after all this time?"