Zero|Tolerance Intelligence Advisory
zerotolerance.me

Equifax: 147M Americans' SSNs Stolen, $700M Settlement

Sep 2017 · $700M settlement

Publication Date: 2017-09-01
Category: Regulatory Enforcement
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

Between May and July 2017, attackers exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) in Equifax’s consumer dispute portal to exfiltrate the Social Security numbers, birth dates, addresses, and driver’s license numbers of 147 million Americans, nearly half the U.S. population. The breach went undetected for 76 days due to an expired SSL inspection certificate.

Executive Summary

Key Facts

  • What: Unpatched Apache Struts vulnerability exploited for 76 days.
  • Who: 147 million Americans with Equifax credit records.
  • Data Exposed: SSNs, birth dates, addresses, and driver's license numbers.
  • Outcome: $700M FTC settlement and $1B mandatory security spend.

Impact Assessment

What Was Exposed

  • Social Security numbers for approximately 147.9 million U.S. consumers
  • Full names, dates of birth, and home addresses tied to credit bureau records
  • Driver’s license numbers for an estimated 17.6 million individuals
  • Credit card numbers for approximately 209,000 consumers
  • Dispute documents containing personally identifiable information for 182,000 consumers
  • Additional partial datasets affecting consumers in the United Kingdom and Canada
  • Internal Equifax credentials and system architecture details harvested during lateral movement

The nature of the stolen data made this breach uniquely devastating. Social Security numbers are effectively permanent identifiers in the United States; unlike credit card numbers, they cannot be easily replaced.

Combined with dates of birth, addresses, and driver’s license numbers, the stolen dataset constituted a comprehensive identity theft toolkit for 147 million people.

The data was sufficient to open fraudulent credit accounts, file false tax returns, obtain fraudulent medical care, and compromise virtually any identity-verification process that relies on knowledge-based authentication.

For millions of Americans, the Equifax breach permanently undermined the viability of SSN-based identity verification.

Root Cause Analysis

Technical Failure Chain

The breach originated through CVE-2017-5638, a critical remote code execution vulnerability in the Apache Struts web application framework. The Apache Software Foundation disclosed the vulnerability and released a patch on March 7, 2017. The U.S. Department of Homeland Security’s US-CERT issued an alert about the vulnerability the same day.

Equifax’s internal security team circulated a notification on March 9, 2017, instructing administrators to apply the patch within 48 hours. The patch was never applied to the consumer dispute portal. An automated vulnerability scan conducted on March 15, 2017, failed to identify the vulnerable Struts instance because the scan did not cover the specific server hosting the dispute application.

Attackers began exploiting the vulnerability on May 13, 2017, gaining an initial foothold in the web-facing application server. From this entry point, the attackers moved laterally through Equifax’s network over the following 76 days. They discovered unencrypted credentials stored in configuration files, which granted them access to 48 additional databases containing consumer personal information.

The attackers exfiltrated data in small, encrypted batches to avoid triggering data loss prevention alerts. The intrusion went undetected for so long in part because an SSL inspection device, responsible for monitoring encrypted traffic leaving the network, had been inactive since January 2016.

An SSL certificate required for the device to decrypt and inspect outbound traffic had expired 19 months earlier, and no one had renewed it. When the certificate was finally renewed on July 29, 2017, the device immediately flagged suspicious encrypted traffic to external IP addresses. Equifax discovered the breach that same day.

Analysis

Insider Trading and Disclosure Controversy

The 40-day window between Equifax’s internal discovery of the breach on July 29 and public disclosure on September 7 became the subject of intense scrutiny. During this period, three Equifax executives (the Chief Financial Officer, the President of U.S. Information Solutions, and the President of Workforce Solutions) sold shares of Equifax stock worth a combined $1.8 million.

The executives claimed they were unaware of the breach when they made the trades. The SEC and DOJ investigated the transactions, and in March 2018, a former Equifax executive was charged with insider trading. Jun Ying, Equifax’s former Chief Information Officer for U.S. Information Solutions, was convicted and sentenced to four months in federal prison for trading on material nonpublic information about the breach.

The insider trading dimension of the Equifax breach reinforced the connection between cybersecurity incidents and securities law, a connection the SEC would formalize with its 2023 cybersecurity disclosure rules.

Compliance Impact

Regulatory Analysis

The Equifax enforcement action was pursued jointly by the Federal Trade Commission, the Consumer Financial Protection Bureau, and the attorneys general of all 50 states plus the District of Columbia and Puerto Rico.

The combined regulatory response established precedents that continue to shape U.S. data security enforcement.

FTC Act Section 5: The FTC charged Equifax with unfair and deceptive practices under Section 5 of the FTC Act. The unfairness claim centered on Equifax’s failure to implement reasonable security measures despite collecting and storing the most sensitive categories of personal data. The deception claim focused on Equifax’s public statements about its data security practices, which materially overstated the company’s actual security posture.

The FTC’s complaint detailed specific failures including the unpatched vulnerability, expired SSL certificate, lack of network segmentation, and storage of unencrypted credentials, each of which contradicted Equifax’s published security representations.

GLBA Safeguards Rule: As a financial institution under the Gramm-Leach-Bliley Act, Equifax was subject to the FTC’s Safeguards Rule, which requires implementation of a comprehensive information security program. The Safeguards Rule mandates risk assessments, employee training, oversight of service providers, and regular testing of security controls.

Equifax’s failure to patch a critical vulnerability within the instructed 48-hour window, combined with the 19-month expired SSL certificate and absence of network segmentation between the web portal and core databases, constituted clear violations of the Safeguards Rule’s requirements for reasonable security safeguards.

State Breach Notification Laws: The breach triggered notification obligations under the data breach notification statutes of all 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands.

Equifax’s 40-day delay between discovery (July 29) and public disclosure (September 7) drew scrutiny, particularly given the insider stock sales during this window.

Settlement Terms: The comprehensive settlement required Equifax to pay up to $700 million total: a $175 million payment to the 50-state coalition, a $100 million civil penalty to the CFPB, and a consumer restitution fund of up to $425 million.

Beyond financial penalties, the settlement imposed a mandatory minimum spend of $1 billion on information security over a five-year period, annual third-party security assessments for 20 years, and personal certification of compliance by Equifax’s CEO and CISO. The behavioral requirements represented a significant expansion of the FTC’s approach to data security enforcement, moving from general injunctions to prescriptive security mandates.

Criminal Attribution: In February 2020, the U.S. Department of Justice indicted four members of the Chinese People’s Liberation Army for conducting the Equifax hack. The indictment charged the PLA hackers with computer fraud, economic espionage, and wire fraud. While the defendants remain at large, the attribution underscored the national security dimension of the breach and the strategic value of comprehensive personal data to state intelligence operations.

Assessment

What Should Have Been Done

Patch Management with Verification: The fundamental failure was a known, critical vulnerability that went unpatched for 76 days despite clear internal and external warnings. Effective patch management requires not only distribution of patch notifications but verification that patches have been applied. Automated vulnerability scanning must cover all internet-facing assets, and scan coverage gaps must be identified and remediated through comprehensive asset inventories.
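The verification step this paragraph calls for, as an added example that is not Equifax's or any vendor's tooling: the check below reconciles an asset inventory against what the scanner actually covered and against agent-reported software versions, using the March 9 notice and 48-hour window from the timeline above. The host names, inventory, scan results and fixed-version thresholds are constructed sample values for the comparison logic, not an authoritative advisory.

```python
"""Patch verification with scan-coverage reconciliation. Added example, not
Equifax's or any vendor's tooling; all inventory and advisory data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Asset:
    host: str
    internet_facing: bool
    versions: dict   # product -> installed version string reported by an agent

@dataclass
class Advisory:
    product: str
    fixed: dict             # release branch ("2.3") -> minimum fixed version on it
    notified_at: datetime   # when the internal patch notice went out
    deadline: timedelta     # patch window the notice demanded

def version_key(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))  # numeric: "2.5.2" < "2.5.10.1"

def is_vulnerable(installed: str, adv: Advisory) -> bool:
    fixed = adv.fixed.get(".".join(installed.split(".")[:2]))
    # A branch with no known fix is treated as vulnerable: unknown is not safe.
    return fixed is None or version_key(installed) < version_key(fixed)

def reconcile(assets, scanned_hosts, adv: Advisory, now: datetime) -> dict:
    """Internet-facing hosts the scan missed, hosts still on a vulnerable build
    (judged from reported versions, not from a notice having been sent), and
    unpatched hosts past the internal deadline."""
    due = adv.notified_at + adv.deadline
    result = {"scan_gaps": [], "unpatched": [], "overdue": []}
    for a in sorted(assets, key=lambda x: x.host):
        if a.internet_facing and a.host not in scanned_hosts:
            result["scan_gaps"].append(a.host)
        installed = a.versions.get(adv.product)
        if installed and is_vulnerable(installed, adv):
            result["unpatched"].append(a.host)
            if now > due:
                result["overdue"].append(a.host)
    return result

# Constructed sample data; thresholds are sample values, dates follow the timeline.
STRUTS = Advisory("apache-struts", {"2.3": "2.3.32", "2.5": "2.5.10.1"},
                  notified_at=datetime(2017, 3, 9), deadline=timedelta(hours=48))
INVENTORY = [
    Asset("dispute-portal-01", True, {"apache-struts": "2.3.30"}),
    Asset("www-01", True, {"apache-struts": "2.3.32"}),
    Asset("batch-07", False, {"apache-struts": "2.5.10"}),
]
SCANNED = {"www-01", "batch-07"}   # the scan never reached the portal host
SCAN_DATE = datetime(2017, 3, 15)
```

Running `reconcile(INVENTORY, SCANNED, STRUTS, SCAN_DATE)` reports the portal host as a scan-coverage gap and lists it, together with the internal batch host, as unpatched and overdue; the notice having gone out counts for nothing until the reported version changes.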

Certificate Lifecycle Management: The expired SSL inspection certificate that blinded Equifax’s network monitoring for 19 months represents a systemic failure in certificate lifecycle management.

Automated certificate monitoring and renewal processes should ensure that no security-critical certificate expires without triggering immediate escalation. The fact that a fundamental network security control was inoperative for over a year without detection reveals a broader absence of security control validation and health monitoring.
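The control-health monitoring described above, as an added example that is not Equifax's tooling or a vendor product: it flags a decryption certificate that is near or past expiry and, separately, an inspection control that has stopped emitting events, because a blinded control is silent rather than noisy. Certificate expiry dates are assumed to be extracted already (for instance from the device API or `openssl x509 -noout -enddate`), and every control name and date below is constructed.

```python
"""Health check for certificate-dependent security controls (added example,
not Equifax's tooling or a vendor product). Expiry dates are assumed to be
already extracted, e.g. via the device API or `openssl x509 -noout -enddate`;
every value below is constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

OK, WARN, CRITICAL = 0, 1, 2

@dataclass
class Control:
    name: str
    cert_not_after: datetime   # expiry of the certificate the control needs to decrypt traffic
    last_event: datetime       # most recent "flow inspected" event it emitted
    max_silence: timedelta     # longest gap between events seen in normal operation

def assess(ctl: Control, now: datetime, renew_lead: timedelta = timedelta(days=30)) -> list:
    """Return (severity, message) findings for one control. The silence check
    catches what the expiry check alone misses: a control that has stopped
    inspecting for any reason emits nothing, and nothing is a failure."""
    findings = []
    if now >= ctl.cert_not_after:
        days = (now - ctl.cert_not_after).days
        findings.append((CRITICAL, f"{ctl.name}: decryption certificate expired {days} days ago"))
    elif ctl.cert_not_after - now <= renew_lead:
        days = (ctl.cert_not_after - now).days
        findings.append((WARN, f"{ctl.name}: decryption certificate expires in {days} days"))
    silence = now - ctl.last_event
    if silence > ctl.max_silence:
        findings.append((CRITICAL, f"{ctl.name}: no inspection events for {silence.days} days"))
    return findings

def fleet_status(controls, now: datetime) -> dict:
    """Worst severity per control with findings; healthy controls are omitted."""
    return {c.name: max(s for s, _ in f) for c in controls if (f := assess(c, now))}

# Constructed fleet: the inspector's certificate lapsed at the end of January
# 2016 and the device fell silent at the same moment; the proxy is healthy.
CONTROLS = [
    Control("egress-ssl-inspector", datetime(2016, 1, 31), datetime(2016, 1, 31), timedelta(hours=1)),
    Control("web-proxy", datetime(2017, 6, 1), datetime(2016, 2, 15, 9, 55), timedelta(hours=1)),
]
CHECK_TIME = datetime(2016, 2, 15, 10, 0)

if __name__ == "__main__":
    for ctl in CONTROLS:
        for sev, msg in assess(ctl, CHECK_TIME):
            print(("OK", "WARN", "CRITICAL")[sev], msg)
```

Run daily against the fleet, a check like this raises two CRITICAL findings for the inspector within a day of the lapse instead of leaving the gap to be found 19 months later.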

Network Segmentation: The attackers were able to pivot from a web application server to 48 backend databases because Equifax’s network architecture permitted lateral movement with minimal restriction. Proper segmentation would have contained the breach to the dispute portal server, dramatically reducing the scope of data exposure.

Credential Management: Unencrypted database credentials stored in application configuration files gave the attackers the keys to Equifax’s entire consumer data infrastructure. Secrets management systems, hardware security modules, and just-in-time credential provisioning eliminate the risk of credential theft through file system access. No production system should store database credentials in plaintext configuration files.

Data Minimization: Equifax retained 14 years of dispute-related personal information in directly accessible databases. Organizations must regularly evaluate the necessity of retaining sensitive personal data and implement automated data lifecycle policies that purge or archive data beyond its useful retention period. The volume of exposed data would have been significantly smaller with proper data minimization practices.

Insider Trading Controls: Organizations must implement trading blackout procedures that activate immediately upon discovery of a material cybersecurity incident. All senior executives should be notified of trading restrictions before any investigation details are circulated, and pre-clearance requirements for executive stock transactions should be mandatory.

The Equifax breach exposed the Social Security numbers of nearly half the American population because a single known vulnerability went unpatched for 76 days, a security certificate expired unnoticed for 19 months, and network segmentation was functionally nonexistent. The resulting $700 million settlement and mandatory $1 billion security investment established the benchmark for U.S. data breach enforcement. For any organization holding sensitive consumer data, the Equifax case is a standing reminder that basic security hygiene failures can produce consequences of historic proportions.