
The Equifax Breach: 5 Years Later — What We Learned and What Changed

The 2017 Equifax breach exposed the personal data of 147 million Americans, including Social Security numbers, birth dates, addresses, and driver’s license numbers. It remains one of the most consequential data breaches in history.

The Attack Vector

Attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638) that had been publicly disclosed and patched two months before the breach. Equifax failed to apply the patch, leaving its web application vulnerable to remote code execution.

# The vulnerability allowed attackers to execute arbitrary commands
# through crafted Content-Type HTTP headers
curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}" target
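
From the defender's side, a header like the one above stands out because it is not a media type at all. The following added example (not from the original article) checks logged Content-Type values against the media-type grammar and for OGNL markers; the tab-separated log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Media type grammar: type/subtype plus optional ;name=value parameters
# (restricted-name characters from RFC 6838; values may be quoted).
NAME = r"[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]*"
VALUE = r'(?:[A-Za-z0-9!#$&^_.+-]+|"[^"]*")'
MEDIA_TYPE = re.compile(rf"{NAME}/{NAME}(?:\s*;\s*{NAME}={VALUE})*\s*")

# Substrings typical of OGNL expressions: those visible in the header shown
# above, plus the alternative "${" expression opener.
OGNL_MARKERS = ("%{", "${", "@ognl.", "DEFAULT_MEMBER_ACCESS")

def inspect_content_type(value):
    """Return the reasons a Content-Type value is suspicious (empty = clean)."""
    reasons = []
    if not MEDIA_TYPE.fullmatch(value.strip()):
        reasons.append("not a valid media type")
    hits = [m for m in OGNL_MARKERS if m in value]
    if hits:
        reasons.append("OGNL markers: " + ", ".join(hits))
    return reasons

def scan(log_lines):
    """Return (timestamp, source, reasons) for each suspicious request."""
    findings = []
    for line in log_lines:
        # Assumed log layout: timestamp, source IP, request line, Content-Type.
        ts, src, _request, ctype = line.rstrip("\n").split("\t", 3)
        reasons = inspect_content_type(ctype)
        if reasons:
            findings.append((ts, src, reasons))
    return findings

# Constructed sample log (hypothetical format, documentation IP ranges).
SAMPLE_LOG = [
    "2024-01-01T09:14:02Z\t192.0.2.10\tPOST /upload.action\t"
    "multipart/form-data; boundary=----abc123",
    "2024-01-01T09:14:07Z\t198.51.100.7\tPOST /upload.action\t"
    "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}",
    "2024-01-01T09:15:31Z\t192.0.2.10\tPOST /api/items\t"
    "application/json; charset=utf-8",
]

if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOG):
        print(ts, src, "; ".join(reasons))
```

The grammar check catches values that are not media types even when no marker matches, and the marker check catches expressions hidden inside an otherwise valid quoted parameter.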

Timeline of Failure

The breach went undetected for 76 days. During this time, attackers exfiltrated data through 9,000 queries across 265 days of access. The SSL certificate on the company’s intrusion detection tool had expired 19 months earlier, blinding its security monitoring.

Regulatory Aftermath

Equifax agreed to a $700 million settlement with the FTC, including up to $425 million in consumer restitution. The breach directly led to the passage of new data protection regulations across multiple states and accelerated GDPR enforcement in Europe.

Lessons for Today

The Equifax breach teaches us that patch management is not optional. Organizations must implement automated vulnerability scanning, maintain current SSL certificates, and establish clear incident response procedures. The cost of prevention is always less than the cost of a breach.