// overview
What happened
On March 7, 2017, the Apache Struts project (Apache Software Foundation) disclosed CVE-2017-5638, an unauthenticated remote code execution vulnerability in Struts 2's Jakarta Multipart parser: a crafted Content-Type header is echoed into an error message that Struts evaluates as an OGNL expression, so a single HTTP request runs arbitrary commands as the application server's user. Exploitation in the wild was reported within a day, and fixed releases (2.3.32 and 2.5.10.1) were available at disclosure. US-CERT notified Equifax on March 8; on March 9 Equifax's Global Threat and Vulnerability Management team emailed an internal distribution list instructing IT to patch affected systems within 48 hours. The patch was never applied to the Automated Consumer Interview System (ACIS), a public-facing consumer dispute portal built on Struts: the alert did not reach the people responsible for it, and a follow-up vulnerability scan did not flag the system.
On May 13, 2017, attackers exploited the still-unpatched ACIS portal and dropped web shells. Over the following 76 days they moved laterally, using usernames and passwords stored unencrypted on a file share to reach 48 databases unrelated to the portal, ran roughly 9,000 queries, and exfiltrated detailed credit records on 147.9 million US consumers, 15.2 million UK records, and roughly 19,000 Canadians. The data left the network over encrypted sessions that blended with normal outbound traffic.
Internal monitoring failed because the certificate on the SSL inspection appliance that was supposed to decrypt and inspect outbound traffic had expired roughly 19 months earlier and had never been renewed; encrypted traffic, the exfiltration included, passed through uninspected. On July 29, 2017, staff renewed the certificate and the appliance immediately flagged suspicious traffic to an external address; the portal was taken offline the next day.
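Because the exploit rides in a request header that default access logs never record, the practical detection control is to log the Content-Type header at the reverse proxy or WAF and hunt it. The following is an added example, not code from the original page, Equifax, or the Struts project: it scans a constructed proxy-log format (timestamp, client IP, method, path, quoted Content-Type) and flags values that are not a syntactically valid media type, that contain OGNL expression delimiters, or that carry identifiers from the public exploit chain. The sample log lines, paths and IP addresses are constructed for the example.

```python
"""Hunt for CVE-2017-5638 (Struts 2 Jakarta Multipart parser) exploitation in
web-tier logs.  Added example, not code from the original page, Equifax, or
the Struts project.  The exploit puts an OGNL expression in the Content-Type
header, which the parser echoed into an error message that Struts then
evaluated, so the header value is the thing to inspect.  Assumes a constructed
reverse-proxy log format that records that header:
    <timestamp> <client_ip> <method> <path> "<content-type or ->"
The standard combined access-log format does not include it."""

import re
from dataclasses import dataclass, field

# RFC 7230 token characters.  '{', '}', '(' and ')' are not tokens, so a
# type/subtype containing them is malformed before OGNL even enters the picture.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(rf"^{_TCHAR}/{_TCHAR}(\s*;.*)?$", re.DOTALL)

# OGNL expression delimiters used by the public exploit, and identifiers from
# its chain (disabling SecurityMemberAccess, spawning a process).
_OGNL_DELIM = re.compile(r"[%$]\{")
_INDICATORS = (
    "#_memberAccess",
    "ognl.OgnlContext",
    "DEFAULT_MEMBER_ACCESS",
    "ProcessBuilder",
    "java.lang.Runtime",
    "ServletActionContext",
)

_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "((?:[^"\\]|\\.)*)"$')


@dataclass
class Finding:
    timestamp: str
    client: str
    path: str
    reasons: list = field(default_factory=list)


def analyze_content_type(value):
    """Return the reasons a Content-Type value looks like an attack
    (empty list for a benign or absent value)."""
    if value in ("", "-"):                       # header absent
        return []
    reasons = []
    if not _MEDIA_TYPE.match(value):
        reasons.append("malformed media type")
    if _OGNL_DELIM.search(value):
        reasons.append("OGNL expression delimiter")
    hits = [name for name in _INDICATORS if name in value]
    if hits:
        reasons.append("exploit identifiers: " + ", ".join(hits))
    return reasons


def scan(lines):
    """Return a Finding for each log line whose Content-Type is suspicious."""
    findings = []
    for line in lines:
        match = _LINE.match(line.rstrip("\n"))
        if not match:
            continue                               # unparseable; count these in production
        ts, client, _method, path, ctype = match.groups()
        reasons = analyze_content_type(ctype.replace('\\"', '"'))
        if reasons:
            findings.append(Finding(ts, client, path, reasons))
    return findings


# Constructed sample: one legitimate upload, one request without the header,
# one exploit-shaped request (shape of the public PoC, abbreviated), one
# ordinary form post, and one bare OGNL probe.  IPs are documentation ranges.
SAMPLE_LOG = [
    '2017-05-13T02:14:55Z 198.51.100.7 POST /portal/upload.action "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '2017-05-13T02:15:03Z 198.51.100.7 GET /portal/index.action "-"',
    "2017-05-13T02:16:40Z 203.0.113.9 POST /portal/upload.action \"%{(#_='multipart/form-data')"
    ".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm)"
    ".(#p=new java.lang.ProcessBuilder({'/bin/sh','-c','id'})).(#p.start())}\"",
    '2017-05-13T02:17:12Z 203.0.113.9 POST /portal/login.action "application/x-www-form-urlencoded"',
    "2017-05-13T02:20:31Z 192.0.2.44 POST /portal/upload.action \"%{(#_='multipart/form-data').(#a=1)}\"",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.path}: {'; '.join(f.reasons)}")
```

The structural check (is this even a media type?) is deliberately separate from the signature check: a scanner probing with a harmless OGNL expression trips the first two rules without matching any known exploit identifier, which is exactly the early reconnaissance you want to see before the weaponized request arrives.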
Equifax disclosed the breach publicly on September 7, 2017, nearly six weeks after internal discovery. On August 1 and 2, three executives, including CFO John Gamble, sold roughly $1.8 million in stock; a board special committee later concluded they had not known of the breach and cleared them, while two other employees who traded on the knowledge separately pleaded guilty to insider trading. CEO Richard Smith stepped down on September 26 with a retirement package reported at up to $90 million. In February 2020 the DOJ indicted four members of the Chinese People's Liberation Army's 54th Research Institute for the intrusion. Equifax's 2019 settlement with the FTC, the CFPB and 50 states and territories provides at least $575 million and up to $700 million.
// timeline
How it unfolded
Mar 7, 2017
Apache discloses CVE-2017-5638 in Struts 2.
Mar 8–9, 2017
US-CERT notifies Equifax; Equifax's vulnerability management team emails IT instructing patching within 48 hours.
May 13, 2017
Attackers exploit the unpatched ACIS dispute portal; web shells give persistent access.
May 13 – Jul 29, 2017
76 days of undetected lateral movement and exfiltration.
Jul 29, 2017
Expired certificate on the SSL inspection appliance renewed; exfiltration traffic detected; ACIS taken offline the next day.
Sep 7, 2017
Public disclosure; the separate enrollment site (equifaxsecurity2017.com) is widely criticized as confusing and phishing-like.
Jul 22, 2019
Settlement with the FTC, CFPB and states announced: at least $575M, up to $700M.
Feb 10, 2020
DOJ indicts four PLA officers for the intrusion.
// damage
Impact and scale
Equifax held detailed credit data on people who never chose to be its customers: credit bureaus collect data passively from lenders, so the affected consumers could not have opted out. The exposed records included names, Social Security numbers, birth dates and addresses, plus some driver's license numbers, about 209,000 payment card numbers and about 182,000 dispute documents containing personal information. Unlike a password, an SSN cannot be rotated, so roughly 56 percent of US adults were left with an effectively permanent identity-theft risk. The $1.8 million in executive stock sales between internal discovery and public disclosure drew SEC scrutiny.
// affected
Who was hit
- 147.9 million US consumers (~56% of US adults)
- 15.2 million UK consumers
- Roughly 19,000 Canadian consumers
- Equifax shareholders (stock fell roughly 35% within about a week of disclosure)
// lessons
Key takeaways
- Asset inventory and patch accountability are non-negotiable: the patch alert never reached the people who ran ACIS and the follow-up scan did not find it. You cannot patch what you do not know you operate.
- Inspection appliances with expired certificates fail silently: encrypted traffic keeps flowing, uninspected, and nothing alarms. Monitor your monitors, and alert on certificate expiry well before the date.
- Plaintext credentials on file shares turn one web shell into access to every database those credentials unlock (48 of them here).
- Credit bureaus hold data on people who never opted in; the policy debate about data brokers traces directly to this breach.
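To make "monitor your monitors" concrete for the expired-certificate failure described above, here is an added example, not code from the page, Equifax, or any appliance vendor: a standard-library-only check that extracts a certificate's validity window and classifies it as OK, expiring, expired or not yet valid, the kind of job a scheduler beside the inspection appliance would run daily. Because the standard library has no X.509 parser, the block includes a minimal DER walker that reads only the Validity sequence. The certificate it checks is a constructed, unsigned placeholder built by a small DER encoder in the same block; its dates are assumptions that mirror the 19-month gap on this page, not the real appliance's dates.

```python
"""Certificate-expiry check for security appliances (added example; not
Equifax's or any vendor's code).  A minimal DER walker pulls the Validity
sequence out of a PEM certificate using only the standard library, and the
sample certificate is a constructed, unsigned placeholder built by a tiny DER
encoder below: the dates mirror the 19-month gap described on this page but
are not the real appliance's dates."""

import base64
import re
from datetime import datetime, timezone


def utc_date(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# ---- tiny DER encoder, used only to build the constructed sample -------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:                                   # short-form length
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _utctime(dt):                                  # UTCTime: YYMMDDHHMMSSZ
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def make_sample_cert(not_before, not_after):
    """PEM 'certificate' whose only meaningful field is Validity (no real key,
    no real signature), sufficient to exercise the expiry check."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    empty_name = _der(0x30, b"")
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                          # [0] version v3
               + _der(0x02, b"\x01")                                     # serialNumber
               + alg + empty_name                                        # signature, issuer
               + _der(0x30, _utctime(not_before) + _utctime(not_after))  # validity
               + empty_name + _der(0x30, b""))                           # subject, SPKI placeholder
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))                   # signatureValue placeholder
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# ---- minimal DER decoder -----------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        out.append((tag, body))
    return out


def _parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                                # UTCTime, two-digit year (RFC 5280 pivot at 50)
        year, rest = int(s[:2]), s[2:]
        year += 1900 if year >= 50 else 2000
    elif tag == 0x18:                              # GeneralizedTime, four-digit year
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def validity_period(pem):
    """(notBefore, notAfter) of a PEM certificate, as aware UTC datetimes."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, cert_body, _ = _read_tlv(der, 0)
    fields = _children(_children(cert_body)[0][1])     # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # skip explicit [0] version
        fields = fields[1:]
    validity = _children(fields[3][1])                 # serial, sigAlg, issuer, validity
    return _parse_time(*validity[0]), _parse_time(*validity[1])


def check_certificate(pem, now=None, warn_days=30):
    """Classify a certificate as OK / EXPIRING / EXPIRED / NOT_YET_VALID."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = validity_period(pem)
    remaining = (not_after - now).days
    if now < not_before:
        status = "NOT_YET_VALID"
    elif now >= not_after:
        status = "EXPIRED"
    elif remaining < warn_days:
        status = "EXPIRING"
    else:
        status = "OK"
    return {"status": status, "not_after": not_after, "days_remaining": remaining}


if __name__ == "__main__":
    # Constructed dates: certificate that lapsed at the end of 2015, checked on 2017-07-29.
    stale = make_sample_cert(utc_date(2014, 12, 31), utc_date(2015, 12, 31))
    print(check_certificate(stale, now=utc_date(2017, 7, 29)))
```

The check is only useful if its own failure is loud: run it from a scheduler that pages when the job does not report at all, not just when it reports EXPIRED, because a sensor that stops reporting is the same silent failure the appliance had. For production use, replace the placeholder certificate with the appliance's actual PEM and compare against the clock of the monitoring host, not the appliance.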
