# Equifax Data Breach
The Equifax data breach stands as one of the most consequential data security failures in United States history. Discovered on July 29, 2017, and publicly disclosed on September 7, 2017, the breach exposed personally identifiable information for 147 million Americans, approximately 45 percent of the U.S. population. The stolen data included Social Security numbers, dates of birth, home addresses, driver's license numbers, and 209,000 credit card numbers. Unlike stolen passwords that users can change, Social Security numbers are permanent identifiers. The damage is irreversible for every individual whose record was taken.
Equifax is one of the three major U.S. consumer credit reporting agencies, which means its databases contain among the most concentrated collections of sensitive personal financial data in existence. The breach was not the result of a novel or sophisticated attack technique. Attackers exploited a known vulnerability whose patch had been public for more than two months before exploitation began. The root cause was an organizational failure to apply a patch on schedule, compounded by a 76-day detection gap that allowed attackers to move freely across 51 internal databases before anyone noticed.
In February 2020 the U.S. Department of Justice indicted four members of the People's Liberation Army's 54th Research Institute for the intrusion, framing the operation as state-sponsored economic espionage. The 2019 settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories, valued at up to $700 million, was the largest ever reached over a data breach at that time.
Scale: 147 million individuals affected. 51 databases accessed. 76 days of undetected attacker presence. Up to $700 million in regulatory settlement. Four PLA indictments.
The Equifax breach followed a clear, preventable sequence. Every step after the initial vulnerability disclosure represented a decision point where the breach could have been stopped.
March 7, 2017: CVE-2017-5638 Disclosed and Patched
The Apache Software Foundation published CVE-2017-5638 (Struts advisory S2-045), a critical remote code execution vulnerability in the Apache Struts 2 web application framework, with a CVSS v3 base score of 10.0, the maximum severity rating. Fixed releases (Struts 2.3.32 and 2.5.10.1) shipped the same day; versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10 were affected. The flaw sat in the Jakarta Multipart parser: a request whose Content-Type header referenced multipart/form-data but failed to parse caused Struts to build an error message from the raw header value and evaluate it as an OGNL expression, so a header carrying OGNL ran arbitrary commands on the server. No authentication was required. The attacker needed only network access to the vulnerable application.
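The exploitation path above has a narrow, visible signature: the Content-Type header must mention multipart/form-data to reach the Jakarta parser, and it must fail to parse, which in practice means it carries OGNL. The Python below is an added example for this page, not Apache's or Equifax's code; the request records, host addresses and paths are constructed, the regexes are my own rather than a vendor rule, and the "malicious" header is only the shape of a public payload, not a working exploit.

```python
"""Flag HTTP requests whose Content-Type header is an S2-045 (CVE-2017-5638)
delivery attempt. Added example; all request records below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Struts routes any request whose Content-Type mentions multipart/form-data to the
# Jakarta multipart parser. A well-formed value is the media type plus an optional
# boundary parameter built from RFC 2046 boundary characters; anything else is suspect.
_WELL_FORMED_MULTIPART = re.compile(
    r'^multipart/form-data(?:\s*;\s*boundary="?[-\w\'()+,./:=?]{1,70}"?)?$',
    re.IGNORECASE,
)
# OGNL expression markers that appear in the public S2-045 payload shapes.
_OGNL = re.compile(r"%\{|\$\{|#_memberAccess|@ognl\.|@java\.lang\.", re.IGNORECASE)


@dataclass(frozen=True)
class Request:
    src: str
    method: str
    path: str
    content_type: str


def classify(req: Request) -> Optional[str]:
    """Return a reason string when the header looks like an S2-045 attempt, else None."""
    ct = req.content_type.strip()
    if _OGNL.search(ct):
        return "ognl-in-content-type"
    if "multipart/form-data" in ct.lower() and not _WELL_FORMED_MULTIPART.match(ct):
        # Reaches the multipart parser but cannot be parsed: that failure path is
        # exactly what S2-045 abuses, so a malformed value is a lower-confidence hit.
        return "malformed-multipart-content-type"
    return None


def find_s2045_attempts(requests) -> List[Tuple[str, str, str]]:
    """(source, path, reason) for every request that should raise an alert."""
    hits = []
    for r in requests:
        reason = classify(r)
        if reason:
            hits.append((r.src, r.path, reason))
    return hits


# Constructed traffic: three benign requests, then two that should fire.
SAMPLE_REQUESTS = [
    Request("10.0.0.5", "GET", "/acis/dispute/status", ""),
    Request("10.0.0.6", "POST", "/acis/dispute/submit", "application/x-www-form-urlencoded"),
    Request("10.0.0.7", "POST", "/acis/dispute/upload",
            "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    # Shape of a public payload only (no sandbox bypass), constructed for the example.
    Request("203.0.113.9", "POST", "/acis/dispute/submit",
            "%{(#_='multipart/form-data').(#cmd='whoami').(#p=new java.lang.ProcessBuilder(#cmd))}"),
    Request("198.51.100.4", "POST", "/acis/dispute/upload",
            "multipart/form-data; boundary=--x; junk=<%!"),
]

if __name__ == "__main__":
    for hit in find_s2045_attempts(SAMPLE_REQUESTS):
        print(hit)
```

Run it against access logs that record the Content-Type header (most default web-server log formats do not, which is its own finding): a hit from an external address against a Struts path in the window between March 7 and the patch date is the event the 48-hour policy should have made impossible.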
March 8-10, 2017: Internal Notification Sent, Not Acted Upon
Equifax's security team received internal notification of CVE-2017-5638. The Equifax security policy required patching critical vulnerabilities within 48 hours. The Apache Struts component ran on Equifax's ACIS (Automated Consumer Interview System), the company's online dispute portal, a public-facing application that processed consumer inquiries about their credit reports. Despite the 48-hour policy and the CVSS 10.0 severity rating, the patch was not applied. The Senate investigation found that a scan run after the internal notification failed to identify the vulnerable system because the scanner was misconfigured and not covering the full application inventory.
May 13, 2017: Initial Exploitation
Attackers, later identified as operatives of the PLA's 54th Research Institute, exploited CVE-2017-5638 on the ACIS portal. Sixty-seven days had passed since the patch became available. The exploit required no credentials: a single crafted HTTP request gave the attackers command execution on the ACIS server, which they used to install web shells for persistent access. Initial access took seconds.
May 13 to July 29, 2017: 76 Days of Undetected Access
Over 76 days, the attackers conducted a methodical lateral movement campaign through Equifax's internal network. The Senate investigation documented the following progression:
The attackers used the ACIS server as a foothold to pivot internally. They discovered unencrypted credentials stored in configuration files on the ACIS system, which provided access to additional internal resources. They moved laterally through the network, identifying database servers that housed consumer credit data.
Equifax's network lacked adequate internal segmentation. The ACIS web server, a public-facing application, had network connectivity to internal database servers containing sensitive financial data. There was no architectural separation that would have contained the breach to the initial compromise point.
The attackers ran approximately 9,000 queries across 51 databases. Each query exfiltrated records in batches, and the data was compressed and encrypted before exfiltration to blend in with normal encrypted outbound traffic. Equifax's SSL inspection device had not been examining traffic since its certificate expired months earlier, so the encrypted outbound traffic passed uninspected and the exfiltration went undetected.
The attackers used 20 different countries as proxy exit points to obscure the origin of their traffic. Commands were routed through compromised infrastructure in multiple jurisdictions simultaneously.
July 29, 2017: Discovery
Equifax renewed the expired certificate on the SSL inspection device. With inspection restored, a security analyst noticed suspicious outbound traffic from the ACIS application. Investigation revealed the breach. The ACIS application and compromised systems were isolated on July 30.
September 7, 2017: Public Disclosure
Equifax publicly disclosed the breach 40 days after internal discovery. The delay fell within the notification periods then in force but drew significant public criticism given the scale of the exposure.
The Equifax breach is the canonical case study for patch management failure. CVE-2017-5638 was not a zero-day. It was not an advanced persistent threat technique that required nation-state resources to develop. It was a publicly known, fully patched vulnerability that attackers found still running in production two months after the fix was available.
Several dimensions make this breach instructive beyond the patch failure itself.
The data stolen is permanently sensitive. A compromised password can be reset. A compromised Social Security number cannot. The 147 million individuals whose SSNs were stolen carry permanent exposure: once taken, the records can circulate indefinitely, and the harm compounds over years as the data is used in identity theft, synthetic identity fraud, and targeted social engineering campaigns.
The 76-day mean time to detect (MTTD) represents a control failure, but it was also better than the industry norm. The Ponemon Institute's 2017 Cost of Data Breach Study put the mean time to identify a breach at 191 days, so Equifax's 76-day gap was well below the period's average. That context does not excuse the failure. It describes the state of the industry: attackers routinely operate inside corporate networks for months before detection, and a 76-day dwell time counts as a comparatively good outcome.
The SSL inspection failure created a blind spot that was invisible to defenders until after the breach. Equifax believed its network inspection controls were functioning. They were not: the inspection device had stopped examining traffic when its certificate expired, and nobody noticed. The gap between assumed security posture and actual security posture allowed the exfiltration to proceed without triggering any alert.
The regulatory and legal consequences reshaped how organizations assess breach liability. The settlement, valued at up to $700 million, included at least $300 million for a consumer credit-monitoring and restitution fund, $175 million paid to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil penalty to the CFPB. The chief security officer and CIO retired within weeks of disclosure, and the CEO stepped down. No executive was criminally charged over the security failures themselves, and the four indicted PLA officers face no realistic prospect of extradition. The practical accountability for the breach fell almost entirely on consumers, who received credit monitoring of limited value as compensation for permanent identity exposure.
The Equifax breach maps across four PDM domains, each representing a distinct control failure that, if addressed, would have broken the attack chain at a different point.
VSD: Vulnerability and Surface Defense (Initial Access)
The Continuous Surface Reduction (CSR) methodology requires treating every exposed application component as a surface to be measured, tracked, and reduced. CVE-2017-5638 affected Apache Struts, a component integrated into Equifax's public-facing dispute portal. The CSR mandate is that external attack surfaces must be continuously inventoried and every component in those surfaces must be tracked against the current vulnerability landscape.
Equifax's scanner misconfiguration meant the ACIS system was not in the active scan scope. The component ran unpatched because it did not appear in the inventory that drove the patching workflow. CSR addresses this through continuous discovery, not periodic scanning. If the ACIS system had been part of an always-current asset inventory with automated patch state tracking, the 48-hour patch policy would have generated an escalation when no patch confirmation was recorded against the CVE.
Mission VSD-R02 (external attack surface discovery) would have identified the ACIS portal and enumerated its component stack, placing the Apache Struts version in the asset record before any exploitation occurred. Mission VSD-B02 (patch management implementation) provides the workflow infrastructure to track CVE-to-asset relationships and enforce remediation SLAs with automated escalation. Mission VSD-H01 (vulnerability remediation SLA enforcement) closes the loop by confirming patch application and flagging overdue items for leadership attention.
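The CVE-to-asset tracking and SLA escalation described above can be reduced to a small amount of code once the inventory exists. The Python below is an added example, not Equifax's tooling or anything from this page's source. The host names and their Struts versions are constructed, the March 9 notification date and 48-hour SLA follow the timeline on this page, and the affected and fixed version ranges are those published in the Apache S2-045 advisory. The `legacy-portal-07` entry models the scanner gap: an asset whose component inventory was never verified is escalated rather than assumed clean.

```python
"""Map one advisory onto an asset inventory and compute patch-SLA state.
Added example; hosts and versions are constructed, dates follow this page's
timeline, version ranges come from the Apache S2-045 advisory."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison follows release order."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    branches: Tuple[Tuple[str, str], ...]  # (first affected, first fixed) per release line


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(fix) for lo, fix in adv.branches)


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str                         # "internet" or "internal"
    components: Dict[str, Optional[str]]  # component -> version (None: not determined)
    inventory_verified: bool              # False: never scanned, so absence proves nothing


def sla_state(asset: Asset, adv: Advisory, notified_at: str, now: str,
              sla_hours: int = 48) -> Dict[str, object]:
    """Where one asset stands against the advisory at time `now` (ISO dates)."""
    due = datetime.fromisoformat(notified_at) + timedelta(hours=sla_hours)
    current = datetime.fromisoformat(now)
    version = asset.components.get(adv.component)
    if not asset.inventory_verified or (adv.component in asset.components and version is None):
        state = "unverified"      # cannot prove it is patched: treat as exposed
    elif adv.component not in asset.components:
        state = "not-affected"
    elif not is_affected(version, adv):
        state = "patched"
    elif current <= due:
        state = "within-sla"
    else:
        state = "overdue"
    overdue_days = max(0, (current - due).days) if state in ("overdue", "unverified") else 0
    return {"asset": asset.name, "exposure": asset.exposure, "state": state,
            "due": due.isoformat(), "overdue_days": overdue_days}


def escalations(inventory: List[Asset], adv: Advisory, notified_at: str,
                now: str) -> List[Dict[str, object]]:
    """Overdue or unverifiable assets, internet-facing first, longest overdue first."""
    rows = [sla_state(a, adv, notified_at, now) for a in inventory]
    rows = [r for r in rows if r["state"] in ("overdue", "unverified")]
    return sorted(rows, key=lambda r: (r["exposure"] != "internet", -int(r["overdue_days"])))


ADVISORY = Advisory("CVE-2017-5638", "apache-struts",
                    (("2.3.5", "2.3.32"), ("2.5.0", "2.5.10.1")))
NOTIFIED = "2017-03-09"   # internal notification, per the timeline above
INVENTORY = [             # constructed inventory; the Struts versions are illustrative
    Asset("acis-web-01", "internet", {"apache-struts": "2.3.28"}, True),
    Asset("dispute-api-02", "internal", {"apache-struts": "2.5.10.1"}, True),
    Asset("legacy-portal-07", "internet", {}, False),
    Asset("reports-09", "internal", {"spring-framework": "4.3.7"}, True),
]

if __name__ == "__main__":
    # State of the inventory on the day exploitation began.
    for row in escalations(INVENTORY, ADVISORY, NOTIFIED, "2017-05-13"):
        print(row)
```

Evaluated on May 13, the report shows the internet-facing Struts host 63 days past its 48-hour deadline and the unscanned portal in the same bucket. The second row is the one Equifax's process lacked: a scanner that silently skips an asset produces no finding, so the escalation has to be driven by the absence of a verified inventory record, not by the presence of a scan result.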
TID: Threat Intelligence and Defense (Detection)
The Predictive Defense Intelligence (PDI) methodology mandates that detection capability must be commensurate with the threat landscape. A 76-day dwell time is not a detection failure at a single moment. It is 76 days of repeated failure to generate a meaningful alert from 9,000 database queries, lateral movement across dozens of servers, and continuous encrypted exfiltration.
A functioning SIEM with tuned detection rules would have flagged the behavioral anomalies that the attacker generated: a web application server initiating direct connections to internal database servers, large data volumes being compressed and transmitted over encrypted channels to foreign exit nodes, and database query patterns inconsistent with normal application behavior.
Mission TID-B01 (SIEM deployment) establishes the logging infrastructure required to capture the events that would have exposed the attacker. Mission TID-H01 (detection rule tuning for lateral movement) builds the specific signatures that lateral movement from a web tier to a data tier triggers. Mission TID-H02 (threat hunting) provides the proactive capability to look for attacker indicators even when automated detection has not fired, which is the exact scenario Equifax faced for 76 days.
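The three behaviours listed above can be checked against ordinary flow records and database audit logs, without any payload inspection. The Python below is an added example, not Equifax's detection content or anything from this page's source; the host names, tier policy, flow records, audit lines and thresholds are all constructed and illustrative. The flow rules deliberately use metadata only, because that is what remained visible while the SSL inspection device was blind.

```python
"""Three detections over constructed flow and database-audit records:
web tier talking straight to the data tier, one host pushing large volumes to
many foreign endpoints, and a database client far outside its query baseline.
Added example; every host, record and threshold here is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed tier map and segmentation policy: only the app tier may open the data tier.
TIER = {"acis-web-01": "web", "acis-app-02": "app",
        "db-consumer-03": "data", "db-consumer-04": "data"}
ALLOWED_PATHS = {("web", "app"), ("app", "data")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str          # hostname for internal destinations, IP for external
    dst_port: int
    bytes_out: int
    dst_country: str  # "" for internal destinations


# Constructed flows: one legitimate app->data query path, a web->data pivot,
# then encrypted egress from the web host to endpoints in five countries.
FLOWS = [
    Flow("2017-06-02T03:10:00Z", "acis-app-02", "db-consumer-03", 1521, 48_000, ""),
    Flow("2017-06-02T03:12:00Z", "acis-web-01", "db-consumer-03", 1521, 2_100_000, ""),
    Flow("2017-06-02T03:13:00Z", "acis-web-01", "db-consumer-04", 1521, 1_900_000, ""),
    Flow("2017-06-02T03:20:00Z", "acis-web-01", "198.51.100.7", 443, 30_000_000, "NL"),
    Flow("2017-06-02T03:25:00Z", "acis-web-01", "203.0.113.9", 443, 28_000_000, "SG"),
    Flow("2017-06-02T03:31:00Z", "acis-web-01", "192.0.2.44", 443, 25_000_000, "BR"),
    Flow("2017-06-02T03:40:00Z", "acis-web-01", "198.51.100.23", 443, 22_000_000, "DE"),
    Flow("2017-06-02T03:44:00Z", "acis-web-01", "203.0.113.61", 443, 26_000_000, "ZA"),
    Flow("2017-06-02T03:50:00Z", "acis-app-02", "192.0.2.10", 443, 120_000, "US"),
]


def tier_violations(flows: Iterable[Flow]) -> List[Tuple[str, str, int]]:
    """Cross-tier flows on a path the segmentation policy does not allow."""
    hits = []
    for f in flows:
        s, d = TIER.get(f.src), TIER.get(f.dst)
        if s and d and s != d and (s, d) not in ALLOWED_PATHS:
            hits.append((f.src, f.dst, f.dst_port))
    return hits


def egress_fanout(flows: Iterable[Flow], min_bytes: int = 100_000_000,
                  min_countries: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Internal hosts whose external egress is both large and spread over many countries.
    Bytes and destinations are in the flow metadata whether or not TLS is inspected."""
    per_src: Dict[str, list] = defaultdict(lambda: [0, set()])
    for f in flows:
        if f.dst_country:
            per_src[f.src][0] += f.bytes_out
            per_src[f.src][1].add(f.dst_country)
    return [(src, total, sorted(cc)) for src, (total, cc) in per_src.items()
            if total >= min_bytes and len(cc) >= min_countries]


# Constructed audit lines: "<ts> <db-host> <client-host> <db-user> <statement>".
# The app tier runs a few dozen queries per window; the web host suddenly runs a thousand.
DB_AUDIT = [f"2017-06-02T03:{i // 60:02d}:{i % 60:02d}Z db-consumer-03 acis-app-02 svc_acis "
            f"SELECT status FROM disputes WHERE dispute_id=?" for i in range(40)]
DB_AUDIT += [f"2017-06-02T03:{i // 60:02d}:{i % 60:02d}Z db-consumer-03 acis-web-01 svc_acis "
             f"SELECT * FROM consumer_pii WHERE id BETWEEN ? AND ?" for i in range(1000)]
# Per-window baseline for (client, database). A client with no baseline has never
# been seen talking to that database, so any query from it is itself the anomaly.
BASELINE = {("acis-app-02", "db-consumer-03"): 50}


def count_queries(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        _ts, db_host, client, _user, _stmt = line.split(" ", 4)
        counts[(client, db_host)] += 1
    return dict(counts)


def query_volume_anomalies(lines: Iterable[str], baseline: Dict[Tuple[str, str], int],
                           factor: int = 10) -> List[Tuple[Tuple[str, str], int, int]]:
    """(client, db), observed count, baseline for every client above factor x baseline."""
    return [(k, n, baseline.get(k, 0)) for k, n in count_queries(lines).items()
            if n > factor * baseline.get(k, 0)]


if __name__ == "__main__":
    print(tier_violations(FLOWS))
    print(egress_fanout(FLOWS))
    print(query_volume_anomalies(DB_AUDIT, BASELINE))
```

Each rule fires on the constructed data for a different reason: the web host has no business on port 1521, it has moved over 100 MB to five countries in under an hour, and it is a database client the baseline has never seen. Any one of the three is enough to open an investigation; all three from the same host inside one window is the lateral-movement-plus-exfiltration pattern the page describes. The same credentials that generated no authentication anomaly still generate a volume anomaly, which is why baselining by client matters more than alerting on failed logins.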
DPS: Data Protection and Sovereignty (Impact)
The Sovereign Data Protocol (SDP) methodology classifies data by sensitivity and enforces access controls and encryption proportional to that classification. One hundred forty-seven million SSNs, dates of birth, and credit records represent some of the most sensitive data any organization can hold. The SDP mandate is that data of this classification must be encrypted at rest, with access limited to specific authenticated processes, and with all access logged and audited.
Equifax's databases were not encrypted at rest. The ACIS web server had network-level access to internal database servers containing consumer financial records, a connectivity pattern inconsistent with a least-privilege architecture. Unencrypted credentials stored in ACIS configuration files allowed the attacker to authenticate to those databases with legitimate credentials, generating no authentication anomaly to alert on.
Mission DPS-R01 (data classification) would have identified the SSN and financial record databases as requiring the highest protection tier. Mission DPS-B03 (database access controls) implements the network segmentation, authentication requirements, and access logging that would have both restricted the attacker's lateral movement and generated audit trails sufficient for detection.
RGA: Risk Governance and Assurance (Consequences)
The Perpetual Compliance Assurance (PCA) methodology treats compliance as a continuous operational state, not an annual certification event. Equifax held compliance certifications for multiple frameworks during the breach period. Compliance certification did not translate to control effectiveness. The SSL inspection gap, the scanner misconfiguration, and the 48-hour patch SLA that existed only on paper represent the difference between a compliance posture and an operational security posture.
Mission RGA-R01 (regulatory landscape mapping) establishes the complete picture of applicable regulatory obligations and the controls required to demonstrate adherence. Mission RGA-B02 (compliance program development) builds the operational machinery that keeps controls functioning, not just documented.
A CVSS 10.0 vulnerability with a public fix is not a threat to analyze. It is a work order to execute. Every hour a known critical vulnerability runs in a public-facing application is an hour an attacker can use. The Equifax timeline shows that capable threat actors monitor vulnerability disclosures and move quickly. Two months of exposure is not a narrow window. It is an extended invitation.
The asset you do not know about is the one that gets you. The scanner misconfiguration that excluded ACIS from patch scope is a consequence of incomplete asset inventory. You cannot patch what you have not inventoried. Asset discovery must be continuous, automated, and cover the full perimeter, including legacy systems, third-party components, and applications that predate current security programs.
Encrypted exfiltration is not invisible if you inspect it. The attackers encrypted data before transmission. Equifax's SSL inspection was not functioning. The intersection of those two facts created the exfiltration path. SSL/TLS inspection at the network perimeter is a foundational control specifically designed for this scenario.
A 76-day dwell time beats the industry average. The industry average is a crisis. MTTD measured in months means attackers are winning. Detection programs need to be calibrated against the threat actor behavioral patterns that actually appear in networks: lateral movement from application tier to data tier, large outbound transfers, database query volumes inconsistent with application behavior.
Sensitive data must be protected as if the perimeter has already failed. Encryption at rest, least-privilege database access, and network segmentation between application and data tiers are not advanced controls. They are baseline controls that would have reduced the impact of a breach even when initial access prevention and detection both failed.
Data classification is the process of organizing data into categories based on its sensitivity, regulatory requirements, and business value, then applying appropriate protection controls to each category.
Patch management is the operational process of identifying, testing, deploying, and verifying software updates (patches) that fix security vulnerabilities, correct bugs, and improve functionality across an organization's technology environment.
Threat hunting is the proactive, analyst-driven search for threats that have evaded automated detection systems.
Written by Evan Morgan