- Equifax’s data breach on Sept. 7, 2017, stunned markets and American consumers, but where the data of those 143 million people disappeared to has remained a mystery.
- CNBC talked to experts, intelligence officials, dark web data “hunters” and Equifax to discover where they expect the data has gone, and what it is being used for.
- The prevailing theory today is that the data was stolen by a nation-state for spying purposes, not by criminals looking to cash in on stolen identities.
On Sept. 7, 2017, the world heard an alarming announcement from credit ratings giant Equifax: In a brazen cyberattack, somebody had stolen sensitive personal information from more than 140 million people, nearly half the population of the U.S.
It was the consumer data security scandal of the decade. The information included Social Security numbers, driver’s license numbers, information from credit disputes and other personal details. CEO Richard Smith stepped down under fire. Lawmakers changed credit freeze laws and instilled new regulatory oversight of credit ratings agencies.
Then, something unusual happened. The data disappeared. Completely.
CNBC talked to eight experts, including data “hunters” who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen.
But none of them knows where the data is now. It’s never appeared on any hundreds of underground websites selling stolen information. Security experts haven’t seen the data used in any of the ways they’d expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.
But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies.