Background
Equifax Inc. is one of three major consumer credit reporting agencies in the United States, collecting and storing credit and financial data on hundreds of millions of consumers. As a credit bureau, it was subject to FCRA, the GLBA Safeguards Rule, PCI DSS, and applicable state breach notification laws.
In 2017, Equifax suffered a data breach exposing the personal records of 147 million individuals. Total financial impact exceeded $1.38 billion.
The Technical Environment
Equifax operated consumer-facing web applications built on the Apache Struts framework. One was ACIS — the Automated Consumer Interview System — a portal for consumers to dispute credit report errors.
Key technical conditions at the time of the breach:
- Apache Struts running an unpatched version with a publicly known critical vulnerability.
- Sensitive data including Social Security Numbers stored without encryption at rest.
- The ACIS portal had unrestricted network-level access to 51 internal databases beyond its functional scope.
- A vulnerability scanning tool had an expired SSL certificate, making it blind to HTTPS traffic for 19 months.
- No network segmentation between the internet-facing portal and internal data infrastructure.
- No DLP or behavioral alerting configured to detect anomalous data exfiltration.
The Incident Timeline
March 7, 2017
Apache Software Foundation publicly discloses CVE-2017-5638 — a remote code execution vulnerability. CVSS 10.0. Patch released same day. US-CERT issues urgent advisory two days later.
March 15, 2017
Equifax security team sends internal email directing IT staff to patch all vulnerable Apache Struts instances within 48 hours. No tracking system, no named ownership, no verification mechanism.
March 17, 2017
Equifax runs an automated vulnerability scan. The scanning tool's SSL certificate had expired — it had been blind for 19 months. ACIS remains unpatched and undetected.
May 13, 2017
78 days after the patch was publicly available, attackers begin exploiting CVE-2017-5638 against the ACIS portal.
May 13 – July 29, 2017
Attackers move laterally through the internal network. They access 51 internal databases. 147 million records exfiltrated — full names, SSNs, dates of birth, addresses, credit card numbers — all stored unencrypted. No alert fires for 78 days.
July 29, 2017
A security analyst detects anomalous network traffic. External forensics firm Mandiant engaged August 2.
July 29 – September 7, 2017
Three Equifax executives, including the CFO, sell approximately $1.8 million in company stock. No trading blackout policy was triggered upon incident declaration.
September 7, 2017
Equifax publicly discloses the breach — 40 days after internal discovery. Most US state breach notification laws require disclosure within 30 to 72 hours.
2019
FTC, CFPB, and 50 state attorneys general reach a settlement of up to $700 million. 10 years of free credit monitoring for affected US consumers.
January 2020
US Department of Justice indicts four members of China's People's Liberation Army in connection with the attack.
Governance Questions
- Why was a CVSS 10.0 vulnerability with a publicly available patch left unaddressed for 78 days on an internet-facing system?
- Why was patch compliance tracked via email with no automated verification or escalation mechanism?
- Why was the vulnerability scanning tool not periodically validated — and how did an expired SSL certificate go undetected for 19 months?
- Why did the ACIS portal have unrestricted network access to 51 internal databases beyond its functional requirement?
- Why was sensitive data including Social Security Numbers stored without encryption at rest?
- Why were no DLP or behavioural detection controls configured to identify 78 days of bulk data exfiltration?
- Why did 40 days elapse between internal discovery and public disclosure?
- Why was no trading blackout policy triggered when a material cybersecurity incident was declared internally?