Equifax Data Breach 2017

2017-05-01T00:00:00.000Z
BREACH INTELLIGENCE

Breach date: 2017-05-01T00:00:00.000Z
Industry: Financial Services
Severity: Critical
Records exposed: 147.9M Americans
Financial impact: $1.4B total costs

Breach Summary

The Equifax breach of 2017 exposed the personal information of 147 million Americans — including Social Security numbers, birth dates, addresses, and driver's license numbers — making it the most consequential identity data breach in US history. The breach was caused by a known vulnerability for which a patch had been available for two months.

What Happened

Between May 13 and July 30, 2017, attackers accessed 48 Equifax databases through the Apache Struts vulnerability. The breach was discovered on July 29, when Equifax's security team observed suspicious traffic. The 76-day dwell time allowed comprehensive data access across Equifax's consumer data repositories. Public disclosure on September 7, 2017, triggered one of the largest consumer notification events in history and immediate congressional scrutiny.

Attack Vector Detail

Attackers exploited CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts, a web application framework embedded in Equifax's ACIS (Automated Consumer Interview System) portal. The vulnerability was publicly disclosed March 7, 2017. A patch was immediately available. Equifax's security team received the advisory and sent internal communications requiring patching. The specific Equifax instance was not identified in the patching sweep. Exploitation began May 13, 2017 — 67 days after the patch was available.
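The two failures in this paragraph, an advisory left unpatched for 67 days and an instance the patching sweep never identified, are what a patch-window exposure check exists to surface. The following is an added example, not Equifax's or Cloudskope's code; the inventory, hostnames, SLA and the fixed-version string are constructed (take the real fixed releases from the vendor advisory), while the advisory and exploitation dates are the ones given above.

```python
"""Patch-window exposure check: an added example, not Equifax's or Cloudskope's code.
For each inventoried instance of the affected component, report whether it still runs a
version below the fixed release, how many days it has been exposed since the advisory,
and whether that exceeds the critical-finding SLA. Instances with no recorded version are
flagged UNKNOWN: a patching sweep cannot prove them fixed. Inventory, hostnames, the SLA
and the fixed-version string are constructed for this example."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

CRITICAL_SLA_DAYS = 30  # assumed SLA for this example

@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    disclosed: date         # patch available the same day in this case
    fixed_version: str      # first non-vulnerable release (assumed value below)

@dataclass(frozen=True)
class Asset:
    name: str
    component: str
    version: Optional[str]  # None: the inventory never captured it

def parse_version(v: str) -> tuple:
    # "2.3.31" -> (2, 3, 31): tuples compare numerically; strings would not ("2.3.9" > "2.3.31")
    return tuple(int(p) for p in v.split("."))

def assess(adv: Advisory, assets: List[Asset], as_of: date, sla_days: int = CRITICAL_SLA_DAYS) -> list:
    findings = []
    for a in assets:
        if a.component != adv.component:
            continue
        if a.version is None:
            status = "UNKNOWN"
        elif parse_version(a.version) < parse_version(adv.fixed_version):
            status = "VULNERABLE"
        else:
            continue  # at or above the fixed release
        days = (as_of - adv.disclosed).days
        findings.append({"asset": a.name, "status": status,
                         "days_exposed": days, "sla_breached": days > sla_days})
    return findings

# Constructed sample: the dates are the page's, everything else is made up.
ADVISORY = Advisory("CVE-2017-5638", "apache-struts", date(2017, 3, 7), "2.3.32")
EXPLOITED = date(2017, 5, 13)  # first exploitation, per the page
INVENTORY = [
    Asset("dispute-portal-web01", "apache-struts", "2.3.30"),  # unpatched
    Asset("partner-api-web02", "apache-struts", "2.3.32"),     # patched
    Asset("legacy-acis-node", "apache-struts", None),          # version never recorded
    Asset("batch-etl-01", "tomcat", "8.5.11"),                 # different component
]
```

Run against the exploitation date, both the unpatched portal and the un-inventoried node come back with 67 days of exposure and an SLA breach; the UNKNOWN status is the one a sweep that only checks known instances will never report.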

Once inside, attackers conducted reconnaissance over 76 days, ultimately accessing 48 databases containing consumer data. Data exfiltration proceeded over encrypted channels that Equifax's SSL inspection tool could not inspect, because the tool had been rendered inoperative by an expired certificate. The expired certificate had gone unnoticed for 19 months.
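The control failure described here is a monitoring control that dies silently when its own certificate lapses, so the health check must treat an expired inspection certificate as a blind spot rather than a routine renewal ticket. The following is an added example, not Equifax's or any vendor's code; the sensor names and certificate records are constructed, and the input shape is the dictionary form that `ssl.SSLSocket.getpeercert()` returns.

```python
"""Health check for a TLS-inspection control: an added example, not Equifax's or any
vendor's code. The failure mode here is an inspection certificate that expired and
went unnoticed, leaving the control silently dead. The check takes certificate metadata
in the shape ssl.SSLSocket.getpeercert() returns (its 'notAfter' string format), reports
days to expiry and classifies the control HEALTHY / EXPIRING / BLIND. Records are constructed."""
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal lead time for this example

def days_to_expiry(cert: dict, now: datetime) -> int:
    # 'notAfter' looks like 'Dec 15 00:00:00 2015 GMT'; ssl.cert_time_to_seconds parses that form
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def control_status(cert: dict, now: datetime) -> tuple:
    """Return (status, days): days blind if already expired, otherwise days of validity left."""
    d = days_to_expiry(cert, now)
    if d < 0:
        return ("BLIND", -d)       # expired: decryption has stopped, traffic passes uninspected
    if d <= WARN_DAYS:
        return ("EXPIRING", d)
    return ("HEALTHY", d)

def fleet_report(sensors: dict, now: datetime) -> dict:
    # Roll up every inspection point; anything BLIND is a monitoring gap, not a certificate chore
    return {name: control_status(cert, now) for name, cert in sensors.items()}

# Constructed sample, evaluated on the page's detection date (July 29, 2017).
DETECTION_DATE = datetime(2017, 7, 29, tzinfo=timezone.utc)
SENSORS = {
    "egress-inspect-01": {"subject": ((("commonName", "egress-inspect-01.example"),),),
                          "notAfter": "Dec 15 00:00:00 2015 GMT"},   # long expired
    "egress-inspect-02": {"subject": ((("commonName", "egress-inspect-02.example"),),),
                          "notAfter": "Aug 10 00:00:00 2017 GMT"},   # about to lapse
    "dmz-inspect-01":    {"subject": ((("commonName", "dmz-inspect-01.example"),),),
                          "notAfter": "Mar 15 00:00:00 2018 GMT"},   # fine
}
```

On the constructed records the first sensor reports BLIND for 592 days, roughly the 19 months the text describes, which is the figure a daily health check would have raised on day one.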

Breach Pattern Timeline

March 7, 2017

Apache Software Foundation discloses CVE-2017-5638, a critical Apache Struts 2 remote code execution vulnerability. Patches available same day.

March 9, 2017

Equifax security team is notified internally of the vulnerability but the patch is not applied to the consumer dispute portal — the system that becomes the breach entry point.

May 13, 2017

Attackers exploit the unpatched Apache Struts vulnerability on Equifax's online dispute portal. Initial access gained.

May 13 - July 30, 2017

Attackers operate inside Equifax for 76 days undetected, exfiltrating data via 9,000+ queries against Equifax databases. The SSL inspection certificate had expired 19 months earlier, blinding network monitoring.

July 29, 2017

Equifax internal security finally detects suspicious traffic after renewing the expired SSL certificate.

September 7, 2017

Equifax publicly discloses the breach: 143 million Americans affected (later revised upward to 147.9 million). Stock drops 13% next day. CEO Richard Smith retires September 26.

September 8, 2017

Reporting reveals three Equifax executives sold $1.8 million in shares between breach discovery and public disclosure. SEC and DOJ investigations open. Charges later filed against former CIO Jun Ying for insider trading.

July 22, 2019

FTC, CFPB, and 50 state attorneys general announce $575M-$700M settlement — the largest data breach settlement in U.S. history at the time.

February 10, 2020

U.S. DOJ indicts four members of the Chinese PLA's 54th Research Institute for the Equifax breach. First major U.S. attribution of consumer data theft to Chinese military intelligence.

2018-2024

Class action settlement payments processed for affected consumers. Equifax executes multi-year cybersecurity transformation, reportedly spending $1.4+ billion on remediation, technology, and program rebuild.

Total impact: 147.9 million Americans affected (44% of U.S. population), $1.4 billion+ in remediation costs, $575-700M consumer settlement, four PLA officers indicted, foundational precedent for patch management SLA accountability.

Executive Lessons

The Equifax breach yields four executive-level lessons. First, credit bureau data is among the most sensitive categories of personal data because it aggregates SSNs, financial history, and identity data for almost the entire adult population. Second, a known critical vulnerability left unpatched for two months enabled a breach of national scale: patch management is a board-level risk management issue, not an IT operations detail. Third, the $700 million FTC settlement and the CEO's congressional testimony established that board-level accountability for cybersecurity failures is real. Fourth, the post-breach stock price impact and class action litigation demonstrated that the financial consequences of a breach extend well beyond remediation costs.

Private Equity Implications

For PE-backed financial services, healthcare, and any company holding consumer PII at scale, the Equifax breach established that a patch management failure which produces a data breach creates existential liability. The $1.4 billion total cost exceeded Equifax's annual earnings. Any PE portfolio company holding sensitive consumer data at comparable scale should treat patch management maturity, SSL inspection, and monitoring capability as baseline security requirements, not aspirational goals.

How Cloudskope Can Help

Cloudskope's vulnerability management assessments evaluate patch management completeness, SSL inspection coverage, and monitoring blind spots — specifically identifying the configuration failures that allowed 19 months of undetected malicious traffic in the Equifax environment.