Equifax Data Breach
A failure to patch a known Apache Struts vulnerability exposed the personal data of 147 million Americans — including Social Security numbers — in one of the largest breaches in history.
Background
Equifax is one of the three major US consumer credit reporting agencies, holding sensitive financial and personal data on hundreds of millions of people. Despite being a custodian of highly sensitive data, their patch management processes failed catastrophically.
The Attack
Attackers exploited CVE-2017-5638, a critical Apache Struts vulnerability that had been publicly disclosed and patched two months before the breach. Equifax had failed to apply the patch. The attackers spent 76 days inside Equifax's network undetected, making around 9,000 data queries that exfiltrated 147 million records including names, Social Security numbers, birth dates, addresses, and driver's license numbers.
Response
Equifax discovered the breach in July 2017 and publicly disclosed it in September 2017, weeks after discovery. The delayed disclosure itself became a major controversy. The company brought in incident response teams, notified law enforcement, and offered free credit monitoring to affected consumers. Four senior executives sold stock before the public disclosure, triggering an SEC insider trading investigation.
Outcome
Equifax paid $575 million in an FTC settlement — the largest ever for a data breach at the time. The CEO, CTO, and CSO all resigned. Four members of China's People's Liberation Army were indicted in connection with the attack. The breach permanently damaged Equifax's reputation and led to sweeping calls for data broker regulation.
Key Takeaways
- Patch critical vulnerabilities immediately — a 2-month lag is inexcusable
- Network segmentation would have dramatically limited the data exfiltrated
- Certificate expiration caused security monitoring to go blind for 19 months
- Delayed breach disclosure compounds reputational and regulatory damage
- Data minimization — don't collect or retain data you don't need
How to Prevent This
Treat CVSS 9.0+ vulnerabilities as a 72-hour emergency, not a scheduled task
Equifax's catastrophic breach was caused by a vulnerability that had a published patch available 78 days before attackers exploited it. The Apache Struts vulnerability had a CVSS score of 10.0 — the maximum. At that severity, every day of delay is a calculated risk exposure. Establish a clear policy: CVSS 9.0 and above triggers an emergency patching process with a maximum 72-hour window from discovery to production deployment. Lower severities follow a normal cycle. This distinction alone would have prevented the Equifax breach.
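The tiered policy above can be expressed directly as code so that the emergency queue is computed rather than argued about. The following is an added example, not tooling from the page or from Equifax: the 72-hour window for CVSS 9.0 and above is the rule stated above, while the 14-day and 30-day windows for lower tiers, the placeholder CVE identifiers and all dates are assumed values constructed for the sample inventory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Severity tiers: (minimum CVSS, maximum hours from discovery to production).
# The 72-hour window for CVSS >= 9.0 is the policy described above; the lower
# tiers are assumed example values for the "normal cycle", not figures from the page.
PATCH_SLA_HOURS = [
    (9.0, 72),
    (7.0, 14 * 24),
    (0.0, 30 * 24),
]


def sla_hours(cvss: float) -> int:
    """Maximum allowed hours from discovery to deployment for a given CVSS score."""
    for threshold, hours in PATCH_SLA_HOURS:
        if cvss >= threshold:
            return hours
    return PATCH_SLA_HOURS[-1][1]


@dataclass
class Finding:
    cve: str
    cvss: float
    discovered: datetime            # when the team learned the vulnerability applies to it
    deployed: Optional[datetime]    # when the fix reached production; None if still open


def sla_status(f: Finding, now: datetime) -> dict:
    """Compare one finding against its tier's deadline.

    Status values: "met" (deployed in time), "late" (deployed after the deadline),
    "open" (not deployed, deadline not reached), "overdue" (not deployed, past deadline).
    """
    deadline = f.discovered + timedelta(hours=sla_hours(f.cvss))
    reference = f.deployed if f.deployed is not None else now
    hours_past = max(0.0, (reference - deadline).total_seconds() / 3600)
    if f.deployed is not None:
        status = "met" if f.deployed <= deadline else "late"
    else:
        status = "open" if now <= deadline else "overdue"
    return {"cve": f.cve, "cvss": f.cvss, "status": status,
            "deadline": deadline, "hours_past_deadline": hours_past}


def triage(findings: List[Finding], now: datetime) -> List[dict]:
    """Evaluate every finding, worst first, so the emergency work sits at the top."""
    order = {"overdue": 0, "late": 1, "open": 2, "met": 3}
    results = [sla_status(f, now) for f in findings]
    return sorted(results, key=lambda r: (order[r["status"]], -r["cvss"]))


# Constructed sample inventory. CVE-2017-5638 and its CVSS 10.0 come from the text above;
# the dates and the CVE-PLACEHOLDER-* entries are hypothetical.
T0 = datetime(2017, 3, 7, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("CVE-2017-5638", 10.0, T0, None),                               # never patched
    Finding("CVE-PLACEHOLDER-1", 9.8, T0, T0 + timedelta(hours=48)),        # fixed inside 72h
    Finding("CVE-PLACEHOLDER-2", 7.5, T0 + timedelta(days=77), None),       # new, still in window
    Finding("CVE-PLACEHOLDER-3", 5.3, T0, T0 + timedelta(days=10)),         # normal cycle, on time
]
NOW = T0 + timedelta(days=78)   # the 78-day exposure window mentioned above


def triage_sample() -> List[dict]:
    return triage(SAMPLE_FINDINGS, NOW)


if __name__ == "__main__":
    for r in triage_sample():
        print(f'{r["cve"]:18} cvss={r["cvss"]:<4} {r["status"]:8} '
              f'{r["hours_past_deadline"]:.0f}h past deadline')
```

Run on the sample inventory, the unpatched CVSS 10.0 finding lands at the top as 1800 hours past its 72-hour deadline, which is the kind of number a weekly patch report should make impossible to ignore; the sort key puts anything overdue ahead of anything merely open regardless of score.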
Classify data before storing it — you cannot protect what you have not categorised
The Equifax breach was catastrophic partly because Equifax had accumulated sensitive data on hundreds of millions of people who never chose to interact with them — Social Security numbers, birth dates, and financial histories — without a clear retention policy. Data classification assigns sensitivity levels (public, internal, confidential, restricted) and triggers corresponding controls: encryption requirements, access logging, retention limits, and disposal procedures. Before storing any data, ask: what is it, how sensitive is it, who needs it, and when can we delete it? Only store what you genuinely need, encrypted appropriately for its classification.
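The four questions above (what is it, how sensitive is it, who needs it, when can we delete it) can be enforced as a pre-storage review. This is an added example, not code from the page or from any credit bureau: the four sensitivity levels and the control types follow the text above, while the retention periods per level, the field names and the sample store are assumed values constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Controls:
    encrypt_at_rest: bool
    access_logging: bool
    max_retention_days: Optional[int]   # None means no mandatory limit


# Controls triggered by each level. The control types follow the text above;
# the retention numbers are assumed example values, not figures from the page.
POLICY = {
    Level.PUBLIC: Controls(False, False, None),
    Level.INTERNAL: Controls(False, True, 3 * 365),
    Level.CONFIDENTIAL: Controls(True, True, 365),
    Level.RESTRICTED: Controls(True, True, 90),
}


@dataclass
class Field:
    name: str
    level: Level
    purpose: str    # why it is held; empty means nobody could say
    owner: str      # who needs it


@dataclass
class DataStore:
    name: str
    fields: List[Field]
    encrypted_at_rest: bool
    access_logged: bool
    retention_days: Optional[int]


def store_level(store: DataStore) -> Level:
    """A store inherits the highest classification of anything it holds."""
    return max((f.level for f in store.fields), default=Level.PUBLIC)


def review_store(store: DataStore) -> List[str]:
    """Answer the pre-storage questions and return every policy gap found."""
    required = POLICY[store_level(store)]
    issues = []
    for f in store.fields:
        if not f.purpose.strip() or not f.owner.strip():
            issues.append(f"{store.name}.{f.name}: no documented purpose or owner; do not store it")
    if required.encrypt_at_rest and not store.encrypted_at_rest:
        issues.append(f"{store.name}: {store_level(store).name} data requires encryption at rest")
    if required.access_logging and not store.access_logged:
        issues.append(f"{store.name}: access logging is required")
    if required.max_retention_days is not None:
        if store.retention_days is None:
            issues.append(f"{store.name}: no retention limit (policy max {required.max_retention_days} days)")
        elif store.retention_days > required.max_retention_days:
            issues.append(f"{store.name}: retention {store.retention_days}d exceeds {required.max_retention_days}d")
    return issues


def disposal_due(store: DataStore, record_created: datetime, now: datetime) -> bool:
    """True once a record has outlived the store's effective retention limit."""
    limit = store.retention_days
    if limit is None:
        limit = POLICY[store_level(store)].max_retention_days
    if limit is None:
        return False
    return now >= record_created + timedelta(days=limit)


# Constructed example: a credit-file table holding identifiers of the kinds named above.
CREDIT_FILE = DataStore(
    name="credit_file",
    fields=[
        Field("ssn", Level.RESTRICTED, "identity matching", "credit-ops"),
        Field("dob", Level.CONFIDENTIAL, "identity matching", "credit-ops"),
        Field("full_name", Level.INTERNAL, "correspondence", "credit-ops"),
        Field("marketing_notes", Level.INTERNAL, "", ""),   # accumulated, never justified
    ],
    encrypted_at_rest=False,
    access_logged=True,
    retention_days=None,
)

# The same store after dropping the unjustified field and applying the required controls.
CREDIT_FILE_FIXED = DataStore(
    name="credit_file",
    fields=[f for f in CREDIT_FILE.fields if f.purpose],
    encrypted_at_rest=True,
    access_logged=True,
    retention_days=90,
)

RECORD_CREATED = datetime(2017, 1, 1, tzinfo=timezone.utc)   # constructed record date
AUDIT_TIME = datetime(2017, 4, 15, tzinfo=timezone.utc)      # constructed review date

if __name__ == "__main__":
    for issue in review_store(CREDIT_FILE):
        print("FAIL:", issue)
    print("fixed store issues:", review_store(CREDIT_FILE_FIXED))
    print("disposal due:", disposal_due(CREDIT_FILE_FIXED, RECORD_CREATED, AUDIT_TIME))
```

The review fails the sample store three times (an unjustified field, missing encryption for a RESTRICTED store, no retention limit) and passes the corrected version; `disposal_due` then turns the retention limit into a concrete deletion trigger, which is the step that keeps a store from quietly growing into a dataset on hundreds of millions of people.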