Equifax Breach Response: 78 Days to Patch, 40 Days to Disclose, $700M in Fines

Equifax knew about the Apache Struts vulnerability (CVE-2017-5638) for 78 days before attackers exploited it. After the breach was discovered, they waited 40 days to disclose it publicly and set up a breach notification website with its own security problems.

Equifax · 2017 · 2 min read

Background

Equifax held credit data on virtually every American adult. The Apache Struts 2 vulnerability (CVE-2017-5638) was disclosed in March 2017 with a CVSS score of 10.0 — the maximum possible severity. Equifax's IT team was notified of the vulnerability but failed to patch the 35 internet-facing Struts applications affected.

The Attack

The Struts vulnerability was exploited from May 13 to July 30, 2017. Attackers made 9,000 queries that went undetected because SSL inspection was not enabled on the affected systems. Equifax discovered the breach on July 29, 2017, when it noticed suspicious outbound traffic; the certificate used for SSL inspection had been expired for 19 months, and until then encrypted traffic could not be inspected. The breach was confirmed on July 30. Equifax did not notify the public until September 7, 2017, 40 days after confirmation.

Response

Equifax's incident response made a bad situation catastrophic: the breach notification website (equifaxsecurity2017.com) was a newly registered domain that looked like a phishing site and triggered browser warnings; the company tweeted the wrong domain link multiple times; their credit monitoring offer required victims to waive legal rights; and the website had its own security vulnerabilities. The CEO, CIO, and CSO all resigned within weeks.

Outcome

Equifax paid $700 million in FTC settlements, plus $575 million in additional settlements — the largest data breach settlement in history at the time. The 78-day patch window, the SSL certificate failure that prevented detection, and the 40-day disclosure delay each independently constituted clear failures.

Key Takeaways

  1. Critical severity vulnerabilities (CVSS 10.0) must be patched within days — a 78-day window for the most severe possible rating is negligent
  2. Expired SSL certificates are not just compliance issues — they can prevent security monitoring from functioning
  3. Breach notification websites must be on the company's own domain and must themselves be secure
  4. The 40-day gap between breach confirmation and public disclosure violated both ethical norms and emerging legal requirements
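Takeaway 2 is the kind of failure a certificate-expiry monitor catches before an inspection device goes dark. The following is an added example, not Equifax's or any vendor's tooling: a stdlib-only Python checker that reads notBefore/notAfter straight out of a DER certificate and classifies it; the 30-day warning threshold, the DISCOVERY_DAY clock and the synthetic sample_cert() are assumptions constructed for the demo.

```python
from datetime import datetime, timezone

WARN_DAYS = 30                                   # assumed renewal lead time
DISCOVERY_DAY = datetime(2017, 7, 29, tzinfo=timezone.utc)   # demo clock: the day Equifax noticed

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag: int, raw: bytes) -> datetime:
    """UTCTime (0x17, two-digit year) or GeneralizedTime (0x18); DER requires the trailing Z."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def certificate_validity(der: bytes) -> tuple[datetime, datetime]:
    """Walk Certificate -> tbsCertificate -> Validity; return (notBefore, notAfter)."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0              # explicit [0] version is optional (absent in v1)
    for _ in range(3):                           # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    tag_nb, nb, pos = _tlv(validity, 0)
    tag_na, na, _ = _tlv(validity, pos)
    return _asn1_time(tag_nb, nb), _asn1_time(tag_na, na)

def classify(der: bytes, now: datetime) -> tuple[str, int]:
    """Return ('OK'|'WARN'|'EXPIRED', whole days until notAfter; negative once expired)."""
    _, not_after = certificate_validity(der)
    days = (not_after - now).days
    if days < 0:
        return "EXPIRED", days
    return ("WARN" if days <= WARN_DAYS else "OK"), days

def _der(tag: int, payload: bytes) -> bytes:
    return bytes([tag, len(payload)]) + payload  # short-form length suffices for the sample

def sample_cert(not_before: str, not_after: str) -> bytes:
    """Constructed DER stand-in (not a real certificate): real field order up to Validity, empty placeholders after."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
           + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())))
    return _der(0x30, _der(0x30, tbs))
```

For a real certificate, feed `ssl.PEM_cert_to_DER_cert()` the PEM from the appliance's key store or from `ssl.get_server_certificate((host, 443))`, and schedule the check so a WARN opens a ticket before the listener stops decrypting.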
Tags: patch delay, disclosure delay, SSL certificate, Apache Struts, FTC settlement