Between May and July 2017, attackers exploited an unpatched Apache Struts
vulnerability (CVE-2017-5638) in Equifax’s consumer dispute portal to
exfiltrate the Social Security numbers, birth dates, addresses, and driver’s
license numbers of 147 million Americans, nearly half the U.S. population.
The breach went undetected for 76 days due to an expired SSL inspection
certificate. In July 2019, Equifax agreed to a settlement of up to $700 million
with the FTC, CFPB, and all 50 state attorneys general, making it the largest
data breach settlement in U.S. history at the time.
## Key Facts
- **What:** Unpatched Apache Struts vulnerability exploited for 76 days.
- **Who:** 147 million Americans with Equifax credit records.
- **Data Exposed:** SSNs, birth dates, addresses, and driver's license numbers.
- **Outcome:** $700M FTC settlement and $1B mandatory security spend.
## What Was Exposed
- Social Security numbers for approximately 147.9 million U.S. consumers
- Full names, dates of birth, and home addresses tied to credit bureau records
- Driver’s license numbers for an estimated 17.6 million individuals
- Credit card numbers for approximately 209,000 consumers
- Dispute documents containing personally identifiable information for 182,000 consumers
- Additional partial datasets affecting consumers in the United Kingdom and Canada
- Internal Equifax credentials and system architecture details harvested during lateral movement
The nature of the stolen data made this breach uniquely devastating. Social
Security numbers are effectively permanent identifiers in the United
States; unlike credit card numbers, they cannot be easily replaced.
Combined with dates of birth, addresses, and driver’s license numbers,
the stolen dataset constituted a comprehensive identity theft toolkit for
147 million people.
The data was sufficient to open fraudulent credit accounts, file false tax
returns, obtain fraudulent medical care, and compromise virtually any
identity-verification process that relies on knowledge-based authentication.
For millions of Americans, the Equifax breach permanently undermined
the viability of SSN-based identity verification.
## Technical Failure Chain
The breach originated through CVE-2017-5638, a critical remote code execution
vulnerability in the Apache Struts web application framework. The Apache
Software Foundation disclosed the vulnerability and released a patch on
March 7, 2017. The U.S. Department of Homeland Security’s US-CERT
issued an alert about the vulnerability the same day.
Equifax’s internal security team circulated a notification on March 9, 2017,
instructing administrators to apply the patch within 48 hours. The patch was
never applied to the consumer dispute portal. An automated vulnerability scan
conducted on March 15, 2017, failed to identify the vulnerable Struts instance
because the scan did not cover the specific server hosting the dispute
application.
Attackers began exploiting the vulnerability on May 13, 2017, gaining an
initial foothold in the web-facing application server. From this entry point,
the attackers moved laterally through Equifax’s network over the following
76 days. They discovered unencrypted credentials stored in configuration files,
which granted them access to 48 additional databases containing consumer
personal information.
The attackers exfiltrated data in small, encrypted batches to avoid triggering
data loss prevention alerts. The intrusion went undetected for so long in
part because an SSL inspection device, responsible for monitoring encrypted
traffic leaving the network, had been inactive since January 2016.
An SSL certificate required for the device to decrypt and inspect outbound
traffic had expired 19 months earlier, and no one had renewed it. When the
certificate was finally renewed on July 29, 2017, the device immediately
flagged suspicious encrypted traffic to external IP addresses. Equifax
discovered the breach that same day.
## Insider Trading and Disclosure Controversy
The 40-day window between Equifax’s internal discovery of the breach on
July 29 and public disclosure on September 7 became the subject of intense
scrutiny. During this period, three Equifax executives (the Chief Financial
Officer, the President of U.S. Information Solutions, and the President of
Workforce Solutions) sold shares of Equifax stock worth a combined
$1.8 million.
The executives claimed they were unaware of the breach when they made the
trades. The SEC and DOJ investigated the transactions, and in March 2018,
a former Equifax executive was charged with insider trading. Jun Ying,
Equifax’s former Chief Information Officer for U.S. Information Solutions,
was convicted and sentenced to four months in federal prison for trading
on material nonpublic information about the breach.
The insider trading dimension of the Equifax breach reinforced the connection
between cybersecurity incidents and securities law, a connection the SEC
would formalize with its 2023 cybersecurity disclosure rules.
## Regulatory Analysis
The Equifax enforcement action was pursued jointly by the Federal Trade
Commission, the Consumer Financial Protection Bureau, and the attorneys
general of all 50 states plus the District of Columbia and Puerto Rico.
The combined regulatory response established precedents that continue to
shape U.S. data security enforcement.
**FTC Act Section 5:** The FTC charged Equifax with unfair and
deceptive practices under Section 5 of the FTC Act. The unfairness claim
centered on Equifax’s failure to implement reasonable security measures
despite collecting and storing the most sensitive categories of personal
data. The deception claim focused on Equifax’s public statements about
its data security practices, which materially overstated the company’s
actual security posture.
The FTC’s complaint detailed specific failures including the unpatched
vulnerability, expired SSL certificate, lack of network segmentation, and
storage of unencrypted credentials, each of which contradicted Equifax’s
published security representations.
**GLBA Safeguards Rule:** As a financial institution under the
Gramm-Leach-Bliley Act, Equifax was subject to the FTC’s Safeguards Rule,
which requires implementation of a comprehensive information security
program. The Safeguards Rule mandates risk assessments, employee training,
oversight of service providers, and regular testing of security controls.
Equifax’s failure to patch a critical vulnerability within the instructed
48-hour window, combined with the 19-month expired SSL certificate and
absence of network segmentation between the web portal and core databases,
constituted clear violations of the Safeguards Rule’s requirements for
reasonable security safeguards.
**State Breach Notification Laws:** The breach triggered notification
obligations under the data breach notification statutes of all 50 states,
the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands.
Equifax’s 40-day delay between discovery (July 29) and public disclosure
(September 7) drew scrutiny, particularly given the insider stock sales
during this window.
**Settlement Terms:** The comprehensive settlement required Equifax to
pay up to $700 million total: a $175 million payment to the 50-state
coalition, a $100 million civil penalty to the CFPB, and a consumer
restitution fund of up to $425 million.
Beyond financial penalties, the settlement imposed a mandatory minimum spend
of $1 billion on information security over a five-year period, annual
third-party security assessments for 20 years, and personal certification
of compliance by Equifax’s CEO and CISO. The behavioral requirements
represented a significant expansion of the FTC’s approach to data security
enforcement, moving from general injunctions to prescriptive security mandates.
**Criminal Attribution:** In February 2020, the U.S. Department of
Justice indicted four members of the Chinese People’s Liberation Army
for conducting the Equifax hack. The indictment charged the PLA hackers
with computer fraud, economic espionage, and wire fraud. While the
defendants remain at large, the attribution underscored the national
security dimension of the breach and the strategic value of comprehensive
personal data to state intelligence operations.
## What Should Have Been Done
**Patch Management with Verification:** The fundamental failure was a
known, critical vulnerability that went unpatched for 76 days despite clear
internal and external warnings. Effective patch management requires not only
distribution of patch notifications but verification that patches have been
applied. Automated vulnerability scanning must cover all internet-facing
assets, and scan coverage gaps must be identified and remediated through
comprehensive asset inventories.
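As an added illustration of patch verification against an asset inventory (example code written for this page, not Equifax's tooling), the check below reconciles a constructed host inventory with the set of hosts a scan actually covered and with the 48-hour deadline from the March 9 notification; every host name, version and scan list is a constructed placeholder, while the affected Struts version ranges follow the Apache S2-045 advisory for CVE-2017-5638.

```python
"""Reconcile an asset inventory with scan coverage and patch status.
Added example, not Equifax tooling; hosts and versions are constructed,
affected ranges follow Apache advisory S2-045 for CVE-2017-5638."""
from datetime import datetime, timedelta

# Inclusive Struts version ranges affected by CVE-2017-5638 (S2-045).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

# Constructed inventory: the dispute portal is absent from the scan list.
INVENTORY = [
    {"host": "dispute-portal-01", "internet_facing": True, "struts": "2.3.30"},
    {"host": "www-01", "internet_facing": True, "struts": "2.5.10.1"},
    {"host": "intranet-app-02", "internet_facing": False, "struts": "2.5.9"},
]
SCANNED = {"www-01"}               # hosts the March 15 scan actually covered
NOTIFIED = datetime(2017, 3, 9)    # internal 48-hour patch notice (page date)
SCAN_DATE = datetime(2017, 3, 15)  # automated scan date (page date)

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version):
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def reconcile(inventory, scanned, notified, deadline_hours, now):
    """Map host -> issues: NOT_SCANNED, VULNERABLE, PATCH_OVERDUE."""
    deadline = notified + timedelta(hours=deadline_hours)
    report = {}
    for asset in inventory:
        issues = []
        if asset["internet_facing"] and asset["host"] not in scanned:
            issues.append("NOT_SCANNED")      # scan coverage gap
        if is_vulnerable(asset["struts"]):
            issues.append("VULNERABLE")       # patch never applied
            if now > deadline:
                issues.append("PATCH_OVERDUE")
        report[asset["host"]] = issues
    return report

def sample_report():
    """Run the reconciliation over the constructed data as of the scan date."""
    return reconcile(INVENTORY, SCANNED, NOTIFIED, 48, SCAN_DATE)

if __name__ == "__main__":
    for host, issues in sample_report().items():
        print(f"{host}: {', '.join(issues) or 'clean'}")
```

A host that is both unscanned and vulnerable is exactly the blind spot the March 15 scan left: the notification alone proved nothing about whether the patch had landed.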
**Certificate Lifecycle Management:** The expired SSL inspection
certificate that blinded Equifax’s network monitoring for 19 months
represents a systemic failure in certificate lifecycle management.
Automated certificate monitoring and renewal processes should ensure
that no security-critical certificate expires without triggering immediate
escalation. The fact that a fundamental network security control was
inoperative for over a year without detection reveals a broader absence
of security control validation and health monitoring.
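As an added example of the certificate health check described above (written for this page, not Equifax's monitoring), the script below evaluates a constructed inventory of control-plane certificates as of the July 29, 2017 discovery date and escalates any security-critical certificate that is expired or within an assumed 30-day renewal window; the certificate names and dates are constructed, and the `notAfter` strings use the format Python's `ssl.getpeercert()` returns so a real inventory could be fed in directly.

```python
"""Flag security-critical certificates that are expired or close to expiry.
Added example, not Equifax tooling; the inventory is constructed, and
notAfter uses the string format Python's ssl.getpeercert() returns."""
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal lead time before expiry

# Constructed inventory: the inspection appliance cert lapsed in Jan 2016.
CERTS = [
    {"name": "ssl-inspection-appliance", "critical": True,
     "notAfter": "Jan 31 00:00:00 2016 GMT"},
    {"name": "intranet-wiki", "critical": False,
     "notAfter": "Aug 15 00:00:00 2017 GMT"},
    {"name": "vpn-gateway", "critical": True,
     "notAfter": "Sep 30 00:00:00 2017 GMT"},
]
# Evaluate as of the discovery date named on the page.
AS_OF = datetime(2017, 7, 29, tzinfo=timezone.utc)

def assess(cert, now):
    """Classify one certificate and decide whether to escalate."""
    # ssl.cert_time_to_seconds parses the '%b %d %H:%M:%S %Y GMT' form.
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        status = "EXPIRED"
    elif days_left <= WARN_DAYS:
        status = "EXPIRING"
    else:
        status = "OK"
    # Any non-OK state on a security-critical cert is an immediate escalation.
    return {"name": cert["name"], "status": status, "days_left": days_left,
            "escalate": status != "OK" and cert["critical"]}

def control_health(certs, now):
    """Assess every certificate; escalations sort first, soonest expiry next."""
    return sorted((assess(c, now) for c in certs),
                  key=lambda r: (not r["escalate"], r["days_left"]))

def sample_report():
    """Assess the constructed inventory as of the discovery date."""
    return control_health(CERTS, AS_OF)

if __name__ == "__main__":
    for r in sample_report():
        flag = "ESCALATE" if r["escalate"] else "        "
        print(f"{flag} {r['status']:8} {r['days_left']:5d}d {r['name']}")
```

The same loop run daily against the live inventory would have raised the inspection appliance's certificate the day it expired rather than 19 months later.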
**Network Segmentation:** The attackers were able to pivot from a web
application server to 48 backend databases because Equifax’s network
architecture permitted lateral movement with minimal restriction. Proper
segmentation would have contained the breach to the dispute portal server,
dramatically reducing the scope of data exposure.
**Credential Management:** Unencrypted database credentials stored in
application configuration files gave the attackers the keys to Equifax’s
entire consumer data infrastructure. Secrets management systems, hardware
security modules, and just-in-time credential provisioning eliminate the
risk of credential theft through file system access. No production system
should store database credentials in plaintext configuration files.
**Data Minimization:** Equifax retained 14 years of dispute-related
personal information in directly accessible databases. Organizations must
regularly evaluate the necessity of retaining sensitive personal data and
implement automated data lifecycle policies that purge or archive data
beyond its useful retention period. The volume of exposed data would have
been significantly smaller with proper data minimization practices.
**Insider Trading Controls:** Organizations must implement trading
blackout procedures that activate immediately upon discovery of a material
cybersecurity incident. All senior executives should be notified of trading
restrictions before any investigation details are circulated, and pre-clearance
requirements for executive stock transactions should be mandatory.
The Equifax breach exposed the Social Security numbers of nearly half
the American population because a single known vulnerability went unpatched
for 76 days, a security certificate expired unnoticed for 19 months, and
network segmentation was functionally nonexistent. The resulting $700 million
settlement and mandatory $1 billion security investment established the
benchmark for U.S. data breach enforcement. For any organization holding
sensitive consumer data, the Equifax case is a standing reminder that basic
security hygiene failures can produce consequences of historic proportions.