The rules for commercial use of open-source software can vary. Generally speaking, open-source software is built collaboratively by developers inside companies, academia and even hobbyists, and is available for free or at a low cost. Different types of Apache software are widely used all over the world.
• The breach involved a public website application. The company said the breach occurred in a public website application where consumers could dispute the accuracy of credit information collected by the company. The company said it noticed suspicious traffic to the application on July 29 and took the application offline the next day. It then patched the vulnerability in the application and put the application back online.
• Equifax is making personnel changes following the hack. On Friday, Equifax said its chief information officer, Susan Mauldin, and its chief security officer, David Webb, were retiring. The company said the changes were “effective immediately.”
What We Don’t Know
• It is not clear why the company’s security methods failed to stop the attack. Equifax said that it was aware of the vulnerability two months earlier and worked to patch the bug then. It is not clear why this patch was unsuccessful, and the company said that it may release additional information as its investigation into the incident continues.
Avivah Litan, a security analyst with the research firm Gartner, said that the bug alone was not to blame. “You have to have layered security controls,” Ms. Litan said. “You have to assume that your prevention methods are going to fail.”
• The perpetrators of the Equifax breach have not been identified. A group of hackers calling themselves the “PastHole Hacking Team” has claimed responsibility, and threatened to release the data if their ransom demand of 600 Bitcoin — roughly $2.5 million — was not met. In posts and communications with security researchers, members of the team claimed they were able to garner far more data than they expected when they targeted Equifax.
• That doesn’t mean this group of hackers was really responsible. Intelligence officials and security analysts in private industry said that while it is far too early to say definitively who breached Equifax, the leading theory is that the company was hit by a nation-state or hackers operating on a nation-state’s behalf. They point to the sheer scale of theft, which most likely would have required a heightened degree of sophistication to pull off without being detected.
Other security experts said it would be smart to consider motivation and intent. “Are cybercriminals going to try and sell circa 150 million records in dark web auctions? That’s nearly half the population of the United States,” said Thomas Boyden, president of GRA Quantum, a company that specialized in cyberattack incident response. “Are there standard cybercriminals out there with the purchasing power for that type of data?”
Still, the detailed personal and financial information collected by a company like Equifax can be resold on the so-called Deep Web. It is much more valuable than credit card numbers, because it has a longer life span and can be used to access all kinds of other information, like bank accounts, loan details and medical records.
• Have these hackers struck before? Mr. Boyden and others said that the breach had many parallels with previous breaches of personal information by nation-states and their contractors. Such government-affiliated hackers compile giant databases of stolen information to see if there is material that can be used for espionage or perhaps even blackmail. Using data-sifting technologies, they comb through massive collections of information to find useful material.
Continue reading the main story