Introduction
In the summer of 2017, Equifax — one of the three major credit reporting agencies in the United States — suffered a data breach so catastrophic it rewrote the playbook on corporate cybersecurity negligence. The personal information of 147 million Americans was exposed. That's nearly half the country. Names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers and credit card numbers — all harvested by attackers who exploited a single unpatched vulnerability that had a fix available for months.
This wasn't a sophisticated nation-state attack. This wasn't a zero-day exploit nobody saw coming. This was a well-known Apache Struts vulnerability — CVE-2017-5638 — with a patch released in March 2017. Equifax didn't apply it. The breach went undetected for 76 days.
What Happened
Apache Struts is a popular open-source framework for building Java web applications. On March 6, 2017, a critical remote code execution vulnerability was disclosed and patched. The vulnerability allowed attackers to execute arbitrary commands on servers running unpatched versions of the framework simply by sending a specially crafted HTTP request.
Equifax had multiple servers running Apache Struts. Despite the severity of the vulnerability — it scored a perfect 10.0 on the CVSS scale — the company failed to patch the affected systems. Their internal vulnerability scanning tools even flagged the issue, but the alerts were lost in organizational chaos.
On May 13, 2017, attackers began exploiting the vulnerability. They gained access to Equifax's online dispute portal and, from there, moved laterally through the network. They discovered credentials stored in plaintext that gave them access to additional databases. Over the next 76 days, they exfiltrated massive volumes of personal data, using encrypted channels to avoid detection.
Equifax's SSL certificate used for inspecting encrypted traffic had expired 19 months earlier. When it was finally renewed on July 29, 2017, security analysts immediately noticed the suspicious encrypted traffic. The breach was discovered the next day — July 30, 2017.
The Impact
The numbers are staggering: 147.9 million Americans affected, plus additional victims in Canada and the United Kingdom. The exposed data included 145.5 million Social Security numbers, 99 million addresses, 20.3 million phone numbers, 17.6 million driver's license numbers, and 209,000 credit card numbers.
The fallout was immediate and severe. Equifax's stock price plummeted 35% in the week following the public disclosure. CEO Richard Smith, CIO David Webb, and CSO Susan Mauldin all resigned. Multiple congressional hearings were held. The FTC launched an investigation.
In 2019, Equifax agreed to a settlement of up to $700 million — at the time, the largest data breach settlement in history. This included $425 million in consumer restitution, $175 million to states, and $100 million in fines to the CFPB. Four Chinese military hackers were later indicted for the breach, though extradition remains unlikely.
How to Protect Yourself
The Equifax breach is a textbook lesson in why patch management isn't optional — it's existential. If you run any internet-facing infrastructure, every day a critical patch sits unapplied is a day you're gambling with your entire organization.
For individuals, the reality is grim: you can't control how corporations handle your data. But you can freeze your credit with all three bureaus (Equifax, Experian, TransUnion), monitor your accounts for suspicious activity, use unique passwords with a password manager, and enable two-factor authentication everywhere possible.
For organizations, the lessons are clear: automate patch management, don't store credentials in plaintext, monitor certificate expiry (including the certificates your own traffic-inspection tools depend on), segment your networks, and actually respond to security alerts when your own tools flag vulnerabilities.
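An added example, not code from the article or from Equifax: a certificate-expiry audit in Python using only the standard library's `ssl.cert_time_to_seconds`, run over an inventory in the shape `ssl`'s `getpeercert()` returns. The hostnames, dates and alert thresholds are constructed for the example; the first entry mirrors the failure mode described above, an inspection certificate that expired long before anyone noticed.

```python
"""Certificate-expiry audit over an inventory shaped like ssl.getpeercert() output."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, Tuple

# Alert thresholds in days: assumed values for this example, not from the article.
WARN_DAYS = 30
CRITICAL_DAYS = 7

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live endpoint's leaf certificate in getpeercert() form (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_cert(cert: dict, now: datetime) -> Tuple[str, int]:
    """Classify one certificate by the days left until its notAfter date.
    'notAfter' is the string getpeercert() emits ("Dec 31 00:00:00 2015 GMT");
    ssl.cert_time_to_seconds parses it as UTC into a POSIX timestamp."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days  # negative once the certificate has expired
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left < CRITICAL_DAYS:
        return "CRITICAL", days_left
    if days_left < WARN_DAYS:
        return "WARNING", days_left
    return "OK", days_left

def audit(inventory: Dict[str, dict], now: datetime) -> Dict[str, Tuple[str, int]]:
    """Run check_cert over every named certificate. An expired inspection
    certificate is a monitoring blind spot, so it alerts like any public cert."""
    return {name: check_cert(cert, now) for name, cert in inventory.items()}

# Constructed sample inventory (hostnames and dates invented for this example).
SAMPLE_INVENTORY = {
    "tls-inspection-proxy": {"notAfter": "Dec 31 00:00:00 2015 GMT"},  # long expired
    "dispute-portal": {"notAfter": "Aug 02 00:00:00 2017 GMT"},
    "api-gateway": {"notAfter": "Aug 20 00:00:00 2017 GMT"},
    "vpn-gateway": {"notAfter": "Jul 29 00:00:00 2018 GMT"},
}
AUDIT_DATE = datetime(2017, 7, 29, tzinfo=timezone.utc)  # renewal date given in the article

if __name__ == "__main__":
    for name, (status, days) in sorted(audit(SAMPLE_INVENTORY, AUDIT_DATE).items()):
        print(f"{status:8} {days:6d} days  {name}")
```

Feeding `fetch_peer_cert(host)` results into `audit` turns this into a live check; the point is that the inspection proxy's own certificate belongs in that inventory alongside the public-facing ones.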
The Bigger Picture
The Equifax breach exposed a fundamental problem with how we handle personal data at scale. A company most people never chose to do business with held their most sensitive information — and protected it with the digital equivalent of a screen door. The breach didn't happen because of brilliant attackers. It happened because of cascading negligence: an unpatched server, plaintext credentials, an expired SSL certificate, and a culture that treated security as someone else's problem.
Seven years later, millions of Americans are still dealing with the consequences. And Equifax? They're still in business, still collecting data, still one of the three agencies that determine your creditworthiness. The breach changed everything — and nothing at all.