It’s been a year since hackers broke through security into the database of Equifax, one of the world’s largest credit agencies, exposing the personal data of more than 143 million people. This put credit card accounts, credit histories, social security numbers, and other personally identifiable financial information into the hands of criminals.

The way the crooks used the dark web both before and after the breach demonstrates the key role the dark web plays in the criminal world. The scammers freely shared hacking tools, bought and sold the data, exploited the victims, and then did it all over again.

The Equifax Hack: The Timeline

In March 2017, security experts noticed a flaw in Apache server software that is widely used by major companies and financial institutions. The flaw could be used to gain unauthorized access to the servers. The Apache Struts software flaw was fixed on March 6, and companies were notified to apply the patch to fix the problem. Equifax, however, appeared not to apply the patch.

Here’s the first path through the dark web: Hackers learned of the patch and created a hacking tool, an updated version of malware inserted into the penetration testing software Metasploit, and distributed it on the dark web.


Within days, the hacking tool had spread far and wide. Scammers in the U.S., China, Russia, Hong Kong, the Netherlands, and other countries had started the attacks on high-profile websites. Two months later, Equifax had yet to install the patch. This let hackers unleash the malware into Equifax servers.

The system was breached. The data was stolen, and that led to the second time the dark web came into play. The stolen data was bundled and sold. Having the information out in the hands of state actors, organized crime, and individuals was bad enough. But things didn’t end there.

The crooks took it further by targeting individual victims. Because they had information only the financial institutions should have, they were able to trick people into giving them even more information. This information was sold again on the third trip through the dark web. It opened the door to financial fraud, Medicare and healthcare fraud, and more.

Cyber security experts say we may never know how many people have been victimized.

The Cost Is Staggering

Equifax reports it has already spent more than $87 million to try to clean up the problem. That doesn’t count what it may be liable for in defending lawsuits from potential victims. Experts say the total price tag for the company may be in the $300 million range. In the days after the hack, the value of the company’s stock dropped $4 billion.

More than 15.4 million people are the victims of identity theft each year. During that time period, thieves stole more than $16 billion through ID theft, according to Javelin Strategy & Research.