
Equifax — 147M consumer record breach

An unpatched Apache Struts flaw in Equifax's web portal exposed personal data on 147 million Americans, plus UK and Canadian consumers, in a 76-day intrusion.

Target: Equifax — 147M consumer record breach
Date public: 7 September 2017
Sector: Financial Services
Attack type: Vulnerability Exploit
Threat actor: People's Liberation Army Unit 54th Research Institute (US DOJ attribution)
Severity: Critical
Region: United States / global

In 2017 Equifax, one of the three major US credit bureaus, lost personal records on 147 million Americans because it failed to apply a software patch that had been available for two months. Attackers walked in through a public-facing customer portal, moved through Equifax's internal network for 76 days, and exfiltrated 51 databases — names, dates of birth, US Social Security numbers, driver's licences. Total cost to Equifax reached approximately $1.4 billion in fines and settlements. The CIO and CSO retired within weeks of public disclosure. The case is the canonical proof that having an alert system is meaningless if no one acts on the alerts, and that patch governance matters at exactly the level of detail nobody wants to do.

On 13 March 2017 the Apache Software Foundation published an advisory and patch for CVE-2017-5638, a remote-code-execution flaw in the Struts 2 web framework. Equifax’s incident response team circulated the advisory internally and asked the relevant teams to apply the patch. The dispute resolution portal that Equifax operated for consumers — built on Struts 2 — was not patched. On 13 May, attackers exploited the flaw, gained a shell on the portal, and began moving through the Equifax estate. They remained for 76 days, exfiltrating data from 51 internal databases through a compromised user account, before traffic anomalies surfaced when an expired SSL certificate on a network monitoring tool was renewed and previously invisible egress traffic became visible. The breach was disclosed publicly on 7 September.

The data lost included names, dates of birth, US Social Security numbers, addresses and driver’s licence numbers for 147 million Americans, plus partial credit-card data on 209,000 individuals and dispute-document images for 182,000. Approximately 15 million UK consumers and 19,000 Canadian consumers were also affected. The total settlement cost reached approximately $1.4 billion, including a $700 million Federal Trade Commission settlement and a class action that produced credit monitoring and cash-payment options for affected consumers. Equifax’s CIO and CSO retired within weeks of the disclosure; the CEO retired before the end of September 2017.

In February 2020 the US Department of Justice indicted four members of China’s People’s Liberation Army 54th Research Institute — Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei — for the intrusion, alleging they were state-sponsored military hackers using Equifax’s data for intelligence purposes rather than financial fraud. The absence of either a spike in fraud or an appearance of the Equifax records on dark-market forums in the months after the breach is consistent with that attribution: data from typical criminal exfiltrations surfaces within weeks. The Equifax data has not, to public knowledge, appeared on identity-theft markets at all.

Defender takeaway: the Struts patch was not unknown to Equifax’s security team — it had been circulated and assigned. The control failure was that there was no enforced asset inventory connecting the patch advisory to the portal that needed it. This is the most expensive variant of “patching is a process, not an event” anyone has yet paid for. The downstream lesson, beyond patch governance, is that 76 days of unobserved exfiltration from 51 databases happened on a network where the data stores supporting a public-internet portal sat in the same trust zone as the back-office credit-history archive. Network segmentation, strict identity-based access controls between application tiers, and outbound-traffic anomaly detection that does not depend on TLS inspection certificates being current would each have caught this. None did.
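The inventory-to-advisory link that the takeaway describes is mechanical once the inventory exists. The following Python script is an added illustration, not Equifax's tooling or anything from the Apache project: it reconciles a constructed application inventory (asset names, owners and framework versions are invented for the example) against the affected-version ranges Apache published for CVE-2017-5638 in advisory S2-045, and classifies every asset as vulnerable, not affected, or unknown-version. The "unknown-version" status is the important one: an asset whose framework version was never recorded cannot be cleared, so it is queued for verification rather than silently skipped.

```python
"""Reconcile a vulnerability advisory against an application inventory.

Added example, not Equifax's or Apache's code. The inventory below is
constructed for illustration; the affected ranges are those published in
Apache advisory S2-045 for CVE-2017-5638.
"""
from dataclasses import dataclass

# Affected ranges from Apache advisory S2-045 (inclusive lower and upper bounds).
AFFECTED_RANGES = {
    "apache-struts2": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
}

# Lower number = needs attention sooner.
PRIORITY = {"vulnerable": 0, "unknown-version": 1, "not-affected": 2}


@dataclass
class Asset:
    name: str
    owner: str
    internet_facing: bool
    components: dict  # component name -> version string, or None if never recorded


def parse_version(v: str) -> tuple:
    """'2.3.31' -> (2, 3, 31). Short versions are padded with zeros to three
    parts so that '2.5' sorts as 2.5.0; longer ones ('2.5.10.1') keep all parts."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(component: str, version: str) -> bool:
    """True if the given component version falls inside an affected range."""
    pv = parse_version(version)
    for lo, hi in AFFECTED_RANGES.get(component, []):
        if parse_version(lo) <= pv <= parse_version(hi):
            return True
    return False


def classify(asset: Asset) -> str:
    """Worst status across all of the asset's components covered by the advisory."""
    worst = "not-affected"
    for comp, ver in asset.components.items():
        if comp not in AFFECTED_RANGES:
            continue  # advisory does not concern this component
        if ver is None:
            status = "unknown-version"  # cannot be cleared without verification
        elif is_affected(comp, ver):
            status = "vulnerable"
        else:
            status = "not-affected"
        if PRIORITY[status] < PRIORITY[worst]:
            worst = status
    return worst


def triage(assets) -> list:
    """Classify every asset; vulnerable internet-facing systems come first."""
    rows = [{"asset": a.name, "status": classify(a), "owner": a.owner,
             "internet_facing": a.internet_facing} for a in assets]
    rows.sort(key=lambda r: (PRIORITY[r["status"]], not r["internet_facing"], r["asset"]))
    return rows


def patch_tasks(rows) -> dict:
    """Owner -> assets that need action (patch, or verify the version)."""
    tasks = {}
    for r in rows:
        if r["status"] != "not-affected":
            tasks.setdefault(r["owner"], []).append(r["asset"])
    return tasks


# Constructed inventory (names, owners and versions are made up for the example).
INVENTORY = [
    Asset("consumer-dispute-portal", "web-apps-team", True, {"apache-struts2": "2.3.20"}),
    Asset("internal-hr-portal", "corp-it", False, {"apache-struts2": "2.5.10"}),
    Asset("partner-api", "integration-team", True, {"apache-struts2": "2.5.10.1"}),
    Asset("legacy-reporting", "finance-it", False, {"apache-struts2": None}),
    Asset("marketing-site", "web-apps-team", True, {"wordpress": "4.7"}),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        exposure = "internet-facing" if row["internet_facing"] else "internal"
        print(f"{row['status']:15} {exposure:15} {row['asset']:25} owner={row['owner']}")
    print("\nPatch tasks by owner:", patch_tasks(triage(INVENTORY)))
```

The sort key puts vulnerable, internet-facing assets at the top of the list, which is where the dispute portal would have appeared had such a reconciliation been run in March 2017; the version-range check treats both bounds as inclusive, so 2.5.10 is flagged while 2.5.10.1 is not.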
