Equifax Data Breach 2017
Breach Summary
The Equifax breach of 2017 exposed the personal information of 147 million Americans — including Social Security numbers, birth dates, addresses, and driver's license numbers — making it the most consequential identity data breach in US history. The breach was caused by a known vulnerability for which a patch had been available for two months.
What Happened
Between May 13 and July 30, 2017, attackers accessed 48 Equifax databases through the Apache Struts vulnerability. The breach was discovered July 29 when Equifax's security team observed suspicious traffic. The 76-day dwell time allowed comprehensive data access across Equifax's consumer data repositories. Public disclosure on September 7, 2017, triggered one of the largest consumer notification events in history and immediate congressional scrutiny.
Attack Vector Detail
Attackers exploited CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts, a web application framework embedded in Equifax's ACIS (Automated Consumer Interview System) portal. The vulnerability was publicly disclosed March 7, 2017. A patch was immediately available. Equifax's security team received the advisory and sent internal communications requiring patching. The specific Equifax instance was not identified in the patching sweep. Exploitation began May 13, 2017 — 67 days after the patch was available.
Once inside, attackers conducted reconnaissance over 76 days, ultimately accessing 48 databases containing consumer data. Data exfiltration proceeded in encrypted channels that Equifax's SSL inspection tool — which had been disabled due to an expired certificate — could not inspect. The expired certificate had been unnoticed for 19 months.
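The paragraph above names the two failures that made the 67-day window possible: a vulnerable instance the patching sweep never identified, and no SLA clock running against the public fix. The check below, added here as an illustration and not Equifax's or Cloudskope's tooling, reconciles an asset inventory against what a scan actually observes and reports both exposure windows past SLA and components the inventory does not know about. The SLA thresholds, asset names and all dates other than the March 7 fix date and the May 13 check date are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed policy: maximum days to deploy a fix once it is public, by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    severity: str
    fix_available: date

@dataclass
class Asset:
    name: str
    inventoried: frozenset   # components the CMDB lists for this asset
    observed: frozenset      # components an external scan actually found
    patched_on: dict = field(default_factory=dict)  # component -> patch date

def exposure_days(adv: Advisory, asset: Asset, as_of: date) -> int:
    """Days the asset ran adv.component unpatched after the fix was public."""
    end = asset.patched_on.get(adv.component) or as_of
    return max(0, (end - adv.fix_available).days)

def sla_report(advisories, assets, as_of):
    """One finding per (asset, advisory) that is overdue or untracked.
    'untracked' is the Equifax failure mode: the scan sees the component,
    but the inventory the patching sweep relied on does not list it."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if adv.component not in asset.observed:
                continue
            days = exposure_days(adv, asset, as_of)
            if adv.component not in asset.inventoried:
                findings.append((asset.name, adv.cve, "untracked", days))
            elif days > SLA_DAYS[adv.severity]:
                findings.append((asset.name, adv.cve, "sla_breach", days))
    return findings

# Constructed sample data: only the two dates taken from the text are real.
STRUTS = Advisory("CVE-2017-5638", "struts2", "critical", date(2017, 3, 7))
AS_OF = date(2017, 5, 13)
ASSETS = [
    Asset("dispute-portal", frozenset({"tomcat"}), frozenset({"tomcat", "struts2"})),
    Asset("marketing-site", frozenset({"struts2"}), frozenset({"struts2"}),
          {"struts2": date(2017, 3, 16)}),
]

if __name__ == "__main__":
    for row in sla_report([STRUTS], ASSETS, AS_OF):
        print(row)   # ('dispute-portal', 'CVE-2017-5638', 'untracked', 67)
```

The untracked portal shows a 67-day window, the figure the text gives, while the inventoried site patched on day 9 produces no finding.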
Breach Pattern Timeline
March 7, 2017
Apache Software Foundation discloses CVE-2017-5638, a critical Apache Struts2 remote code execution vulnerability. Patches available same day.
March 9, 2017
Equifax security team is notified internally of the vulnerability but the patch is not applied to the consumer dispute portal — the system that becomes the breach entry point.
May 13, 2017
Attackers exploit the unpatched Apache Struts vulnerability on Equifax's online dispute portal. Initial access gained.
May 13 - July 30, 2017
Attackers operate inside Equifax for 76 days undetected, exfiltrating data via 9,000+ queries against Equifax databases. The SSL inspection certificate had expired 19 months earlier, blinding network monitoring.
July 29, 2017
Equifax internal security finally detects suspicious traffic after renewing the expired SSL certificate.
September 7, 2017
Equifax publicly discloses the breach: 143 million Americans affected (later revised upward to 147.9 million). Stock drops 13% next day. CEO Richard Smith retires September 26.
September 8, 2017
Reporting reveals three Equifax executives sold $1.8 million in shares between breach discovery and public disclosure. SEC and DOJ investigations open. Charges later filed against former CIO Jun Ying for insider trading.
July 22, 2019
FTC, CFPB, and 50 state attorneys general announce $575M-$700M settlement — the largest data breach settlement in U.S. history at the time.
February 10, 2020
The U.S. DOJ indicts four members of the 54th Research Institute of China's People's Liberation Army (PLA) for the Equifax breach. This is the first major U.S. attribution of consumer data theft to Chinese military intelligence.
2018-2024
Class action settlement payments processed for affected consumers. Equifax executes multi-year cybersecurity transformation, reportedly spending $1.4+ billion on remediation, technology, and program rebuild.
Total impact: 147.9 million Americans affected (44% of U.S. population), $1.4 billion+ in remediation costs, $575-700M consumer settlement, four PLA officers indicted, foundational precedent for patch management SLA accountability.
Executive Lessons
The Equifax breach established four executive-level lessons. First, credit bureau data is among the most sensitive categories of personal data because it aggregates SSNs, financial history, and identity data for almost the entire adult population. Second, a known critical vulnerability left unpatched for two months enabled a breach of national scale — patch management is a board-level risk management issue, not an IT operations detail. Third, the $700 million FTC settlement and the CEO's congressional testimony established that board-level accountability for cybersecurity failures is real. Fourth, the post-breach stock price impact and class action litigation demonstrated that the financial consequences of a breach extend well beyond remediation costs.
Private Equity Implications
For PE-backed financial services, healthcare, and any company holding consumer PII at scale, the Equifax breach established that patch management failure producing a data breach creates existential liability. The $1.4 billion total cost exceeded Equifax's annual earnings. Any PE portfolio company holding sensitive consumer data at comparable scale should have patch management maturity, SSL inspection, and monitoring capability as baseline security requirements — not aspirational goals.
Frequently Asked Questions
What was the Equifax data breach?
A 2017 breach affecting approximately 147 million Americans, attributed by U.S. DOJ indictment to Chinese People's Liberation Army officers. Attackers exploited an unpatched Apache Struts vulnerability in Equifax's online dispute portal, exfiltrating Social Security numbers, dates of birth, addresses, and driver's license numbers — among the most sensitive PII combinations possible.
How did the Equifax breach happen?
Attackers exploited CVE-2017-5638, a critical Apache Struts vulnerability for which Apache had released a fix on March 7, 2017. Equifax did not patch the vulnerability before initial compromise on May 13, 2017. Attackers operated inside Equifax's network for 76 days, until July 30, 2017, before detection — exfiltrating data continuously throughout that period.
How much did the Equifax breach cost?
Direct costs exceeded $1.4 billion. The 2019 settlement with the FTC, CFPB, and 50 state attorneys general totaled $575-700 million depending on consumer claim volume. Equifax reported $1.7 billion in cumulative breach-related expenses through 2020. The CEO, CIO, and CSO all departed in the weeks following public disclosure.
Who was responsible for the Equifax breach?
In February 2020, the U.S. Department of Justice indicted four members of the Chinese People's Liberation Army (Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei) for the Equifax breach. The DOJ characterized the operation as part of China's broader effort to acquire bulk personal data of Americans for intelligence purposes.
What does the Equifax breach mean for executives?
The Equifax case established that leaving a known vulnerability unpatched is the baseline regulatory failure. The FTC settlement specifically cited Equifax's failure to patch a vulnerability for which a fix was publicly available. Vulnerability management is not an operational discipline that can be deprioritized; it is a foundational control whose absence produces specific regulatory and reputational consequences when exploited.