The crisis has sent shock waves through the industry, spooked consumers and sparked investigations.

On March 8, researchers at Cisco Systems Inc. reported an online security flaw that allowed hackers to break into servers around the internet. Cisco urged users to upgrade their systems immediately with a newly issued fix. Equifax Inc. was among the companies using the flawed software. On Friday, it said its technology experts at the time worked to identify and patch vulnerable systems. In late July, though, Atlanta-based Equifax discovered suspicious traffic on its system—and found the same security flaw still existed in some areas. The company’s security staff again addressed the problem, according to Equifax, but by then it was too late.

From about mid-May to July 30, hackers ransacked vast troves of information at the credit-reporting company. The breach potentially exposed about 143 million Americans’ personal information, including names, addresses, dates of birth and Social Security numbers. The revelations have shaken the company, as well as confidence in a linchpin of the financial system, and triggered a federal criminal investigation. Much remains unknown about the hack attack and how it burrowed so deeply inside the company.

The Equifax hack has stunned many consumers, who are suddenly aware of their own vulnerability to what was long considered a necessary but largely opaque part of the country’s financial plumbing. More than 11.5 million people have signed up for credit-monitoring offered by Equifax in response to the cyberattack. Other people have frozen their credit reports with Equifax and rivals TransUnion and Experian PLC.

Although investigators are still grappling with who might be behind the Equifax break-in, the scale of the breach, sophistication of the hack and nature of the stolen data all point toward a state-sponsored actor, says a person familiar with the investigation.

More From The Wall Street Journal (subscription required):