Vulnerability exploit
Resolved

Equifax data breach

An unpatched Apache Struts vulnerability let attackers exfiltrate Social Security numbers, dates of birth, addresses, and driver's license numbers for 147 million U.S., U.K., and Canadian consumers.

Victim
Equifax
Loss
$1.38B
Records
147.9M
Users
147.9M

On 7 September 2017, the U.S. credit bureau Equifax disclosed that attackers had exfiltrated personal information on roughly 148 million consumers (nearly half the adult population of the United States) over a 76-day intrusion that began with a single unpatched Apache Struts server.

What happened

In March 2017, the Apache Software Foundation published CVE-2017-5638, a remote code execution flaw in Apache Struts 2. Equifax's internal security team was notified within 48 hours but did not patch the consumer-dispute portal (onlinedisputes.equifax.com) that ran the vulnerable framework. On 13 May 2017, attackers exploited the unpatched flaw, planted webshells, and began running database queries.

Over 76 days, the intruders executed more than 9,000 queries against Equifax's internal databases, exfiltrating data in chunks small enough to avoid attention. They were aided by a lapsed TLS certificate on an internal network-monitoring appliance: once it expired, Equifax could not decrypt and inspect outbound traffic, blinding it to the exfiltration in progress.

Detection came almost by accident on 29 July 2017 when an administrator renewed the certificate. Within 24 hours, Equifax saw the queries and began incident response.
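Two controls that would have surfaced the failures described in this section, written here as an added example (not Equifax's code nor anything from the cited reports): a patch-SLA check over an asset inventory, and an expiry check on the certificates installed on egress TLS-inspection appliances, which flags a certificate that has already lapsed as well as one about to. Host names, dates and certificate data are constructed; only the CVE id comes from the page.

```python
import ssl
from datetime import date, datetime, timezone

# Constructed reference day for the checks (the exploitation date given in the text).
AS_OF = date(2017, 5, 13)

# Constructed inventory of internet-facing assets carrying a known critical CVE.
# Host names and dates are made up; only the CVE id comes from the page.
ASSETS = [
    {"host": "dispute-portal.example", "cve": "CVE-2017-5638",
     "fix_published": date(2017, 3, 10), "patched_on": None},
    {"host": "careers.example", "cve": "CVE-2017-5638",
     "fix_published": date(2017, 3, 10), "patched_on": date(2017, 3, 14)},
]

# Constructed certificates on egress TLS-inspection appliances; notAfter uses the
# string format ssl.getpeercert() returns, which ssl.cert_time_to_seconds parses.
INSPECTION_CERTS = [
    {"appliance": "egress-inspect-01", "not_after": "Nov 30 23:59:59 2016 GMT"},
    {"appliance": "egress-inspect-02", "not_after": "Jun 10 23:59:59 2017 GMT"},
    {"appliance": "egress-inspect-03", "not_after": "Dec 31 23:59:59 2018 GMT"},
]


def overdue_patches(assets, today, sla_days=30):
    """Return (host, cve, days_past_sla) for assets still unpatched beyond the SLA."""
    overdue = []
    for a in assets:
        if a["patched_on"] is not None:
            continue  # fix applied, nothing to escalate
        open_days = (today - a["fix_published"]).days
        if open_days > sla_days:
            overdue.append((a["host"], a["cve"], open_days - sla_days))
    return overdue


def inspection_blind_spots(certs, today, warn_days=30):
    """Return (appliance, days_left) for inspection certs already expired
    (days_left < 0) or expiring within warn_days. An expired certificate means
    the appliance silently stops decrypting egress traffic, the kind of
    monitoring gap this page describes."""
    gaps = []
    for c in certs:
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(c["not_after"]), tz=timezone.utc).date()
        days_left = (expires - today).days
        if days_left <= warn_days:
            gaps.append((c["appliance"], days_left))
    return gaps
```

Run both functions on a schedule against the live inventory and treat a negative `days_left` as an outage of the monitoring control, not a routine renewal ticket.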

Impact

  • 147.9 million people in the U.S., 15.2 million in the U.K., and 8,000+ in Canada had names, Social Security numbers, dates of birth, addresses, and (for a subset) driver's license numbers exposed.
  • For 209,000 people, credit card numbers were also stolen.
  • Equifax's reported total cost: over $1.38 billion, including the $700 million FTC and state attorney general settlement in 2019.
  • The CEO, CIO, and CISO all resigned within weeks; the U.S. House Oversight Committee's post-mortem report concluded the breach was "entirely preventable."

Attribution

In February 2020, the U.S. Department of Justice unsealed indictments against four members of the Chinese People's Liberation Army's 54th Research Institute. The DOJ assessed that the operation was a state-sponsored intelligence collection effort against the U.S. credit bureau, not financially motivated criminal activity. None of the indicted personnel were extradited.

Why it matters

Equifax remains the canonical case for vulnerability-management failure at scale: a single unpatched perimeter system, a months-long dwell time, and a monitoring blind spot turned a known fix into the largest U.S. PII breach of the decade. It also reshaped U.S. regulatory expectations; the NYDFS Cybersecurity Regulation and subsequent state laws explicitly require timely patching of known critical vulnerabilities on internet-facing systems, with Equifax's timeline as the negative example in every training deck.

Financial impact

Reported costs in USD

Total reported loss: $1.38B (USD 1,380,000,000)
  • Business loss: $380.0M
  • Remediation: $300.0M
  • Fines & settlements: $700.0M

Timeline

  1. March 2017: Apache Software Foundation publicly discloses CVE-2017-5638, a remote code execution vulnerability in Apache Struts 2.

  2. March 2017: Equifax's internal CERT receives notice of the vulnerability, but the patch is not applied to its consumer-dispute portal.

  3. 13 May 2017: Attackers exploit CVE-2017-5638 on Equifax's dispute portal and gain a foothold.

  4. May to July 2017: Over 76 days, attackers run more than 9,000 queries against internal databases and exfiltrate data on roughly 148 million people.

  5. 29 July 2017: Equifax detects the breach after renewing an expired TLS certificate on a network monitoring device, restoring inspection of encrypted traffic.

  6. 7 September 2017: Equifax publicly discloses the breach. Stock drops 35% over the following days.

  7. 2019: Equifax settles with the FTC, CFPB, and 50 U.S. states/territories for up to $700 million.

  8. February 2020: U.S. DOJ indicts four members of China's People's Liberation Army for the intrusion.

Sources

  1. ftc.gov: https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement
  2. justice.gov: https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking
  3. oig.equifax.com: https://oig.equifax.com/2017-cybersecurity-incident-final-report-october-22-2018/
  4. gao.gov: https://www.gao.gov/products/gao-18-559