The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme

  • Equifax's data breach on Sept. 7, 2017, stunned markets and American consumers, but where the data of those 143 million people disappeared to has remained a mystery.
  • CNBC talked to experts, intelligence officials, dark web data "hunters" and Equifax to discover where they expect the data has gone, and what it is being used for.
  • The prevailing theory today is that the data was stolen by a nation-state for spying purposes, not by criminals looking to cash in on stolen identities.
Richard Smith, former chairman and CEO of Equifax Inc., testifies before House Energy and Commerce hearing on "Oversight of the Equifax Data Breach: Answers for Consumers" on Capitol Hill in Washington, October 3, 2017.
Kevin Lamarque | Reuters
Richard Smith, former chairman and CEO of Equifax Inc., testifies before House Energy and Commerce hearing on "Oversight of the Equifax Data Breach: Answers for Consumers" on Capitol Hill in Washington, October 3, 2017.

On Sept. 7, 2017, the world heard an alarming announcement from credit ratings giant Equifax: In a brazen cyberattack, somebody had stolen sensitive personal information from more than 140 million people, nearly half the population of the U.S.

It was the consumer data security scandal of the decade. The information included Social Security numbers, driver's license numbers, information from credit disputes and other personal details. CEO Richard Smith stepped down under fire. Lawmakers changed credit freeze laws and instilled new regulatory oversight of credit ratings agencies.

Then, something unusual happened. The data disappeared. Completely.

CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen.

But none of them knows where the data is now. It's never appeared on any hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.

But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies.

One data hunter dives in

The missing Equifax data has been a 17-month-long obsession for Jeffrey, a cybersecurity analyst at one of the world's largest banks. To him, it represents a sort of professional Lost City of Atlantis or Holy Grail.

Jeffrey is not the analyst's real name. He asked to remain anonymous because he was not authorized to speak to the media. He also asked that his bank remain anonymous, because he's one of such a narrow pool of a specific type of employee that even the name of his bank could be used to identify him.

Jeffrey is a "hunter" on the bank's "hunt team," and his job is searching for data on the dark web or darknet — a set of web sites that can only be accessed with special software that protects the user's anonymity. The dark web can be used for many purposes, but most prominently serves as the internet's underground black market, where criminals buy, sell and trade credit card data, personal information and criminal services.

Jeffrey trolls the dark web for stolen personal data that looks like it might be brand new, especially if it looks like it might belong to customers of the bank or its rivals. He is often one of the first to know that another company has been breached, and his team is often among the first to inform the victims that their systems have been breached.

So Jeffrey was surprised when he learned about the Equifax breach at the same time as everybody else, when the company announced it to the world.

Stolen consumer information usually goes up for sale immediately after a company is hacked, he explains. Criminals aim for speed so they can sell the data before a company's tripwires ever detect it was stolen. The longer they wait, the more likely the victims and the institutions will make changes to render the data useless. This is especially true with credit card numbers, which can quickly be canceled once fraudulent charges start cropping up on them. Or when Social Security numbers — like those stolen in the Equifax breach — start getting flagged for fraud.

Equifax said it had first identified the attack in July, and it may have started even earlier than that. Jeffrey said he had occasionally seen data for sale from the credit reporting bureaus, other banks and organizations that deal in credit scores, like mortgage servicers. But he had never seen any data that looked like it had come from Equifax on any criminal forum.

"Of course I thought this data was stolen by criminals. Even if there's [a nation-state] behind it, this is really valuable stuff, and the criminals and nation-state stuff can be really mixed. Or, a nation-state would sell it just to save face. This level of data is worth a lot more than most," Jeffrey recalls thinking at the time.

Jeffrey had only recently started his career as a hunter, but he was sure he'd find something on Equifax. He hunted at work, and he hunted at home. He asked his friends. He bothered people he met online.

He made no progress.

Jeffrey was not alone.

"We have been working very closely with authorities — federal authorities, state authorities — as well as our partners and customers, and our own very advanced threat intelligence team," Jamil Farshchi, the chief information security officer of Equifax, told CNBC.

"We are all working to be able to consistently determine whether this data is out there and whether it has ever been out there. And at this time there has been absolutely no indication, whatsoever, that the data has been disclosed, that it has been used or that it has been offered for sale."

Two leading theories

As soon as the investigation started, in September 2017, stakeholders had lots of theories about who stole the data and why. Those theories eventually grouped into two sides.

Jeffrey, who formerly served in law enforcement, tends to see the world in shades of criminals versus cops. Like most other people with this kind of background, he believed the data was stolen by criminals and was not turning up for sale on the dark web because the hackers feared that the data was too hot, and that law enforcement would immediately catch them — like the thief who stole the Mona Lisa.

The other theory, favored by investigators with an intelligence background, focused on intelligence officers working for a foreign nation-state.

As several independent investigations wound down, the experts following the case came to a general consensus that split the middle. The breach probably started with a low-level criminal who exploited a vulnerability in Equifax's defenses but was not experienced or capable enough to do more damage by moving further throughout the company. This criminal then sought help via the criminal underground and shared or sold information about the vulnerability. The buyer was probably a proxy for the Russian or Chinese government.

That buyer used far more sophisticated tools and techniques to hack deeper into Equifax's databases and exfiltrate — an industry term for "steal" that implies moving huge amounts of data undetected — the now-infamous terabytes of consumer credit information.

One former senior intelligence official with direct knowledge of the Equifax investigation summarized the prevailing expert opinion on how the foreign intelligence agency is using the data. (This person asked to speak on the condition of anonymity because he isn't authorized in his current role to speak to media.)

First, he said, the foreign government is probably combining this information with other stolen data, then analyzing it using artificial intelligence or machine learning to figure out who's likely to be — or to become — a spy for the U.S. government. He pointed to other data breaches that focused on information that could be useful for identifying spies, such as a 2015 breach of the Office of Personnel Management, which processes the lengthy security clearance applications for U.S. government officials.

Second, credit reporting data provides compromising information that can be used to turn valuable people into agents of a foreign government, influencers or, for lower-level employees, data thieves or informants. In particular, the credit information can be used to identify people in key positions who have significant financial problems and could be compromised by bribes or high-paying jobs, the former official said. Financial distress is one of the most common reasons people commit espionage.

The Equifax data provides information that could identify people who aren't even in these positions of influence yet, he said, and could be valuable for years to come.

About that credit freeze

If this leading theory is right, the only people who needed to worry about the Equifax breach were people in sensitive government positions or with lots of access, influence and power: future senators, overseas CIA officers, people who oversee U.S. corporate data centers or senior financial executives of technology companies, for instance.

The fevered advertisements that urged consumers to check whether their data had been compromised and take numerous steps to freeze it and monitor it turns out to have been unnecessary for this breach — at least so far.

Still, Farshchi said credit freezes and monitoring services are still the best way to determine whether personal data has been stolen or your identity misused. Experts outside Equifax have long agreed.

As for Jeffrey, he said he and many of his contemporaries will continue hunting for the data, probably on their own time. About once a week, he says, he gets up early with a cup of coffee and sets his sights on his usual dark web haunts with Equifax in mind.

Knowing that an intelligence agency probably has the data, he said he's also reading the news more often. He looks for stories about bribery, graft, spies being caught or politicians suddenly spouting rhetoric in defense of hostile nations where they hadn't before.

"I think I'm going to be watching some news feed some day a decade from now and see that some politician is trying to do some crazy deal with some country we supposedly don't like," he wrote via secured text message. "And I'm really going to wonder: am I finally looking at the Equifax data after all this time?"