Equifax — 147 Million Americans Exposed

The Incident

On September 7, 2017, Equifax — one of the three major consumer credit reporting agencies in the United States — disclosed that attackers had accessed personal data of approximately 147 million Americans. The stolen data included names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers and credit card numbers.

The Root Cause

The breach was not caused by a sophisticated zero-day exploit. It was caused by three independent failures, any one of which, addressed, would have prevented the breach:

Failure 1: Unpatched known vulnerability. The Apache Struts web framework had a critical remote code execution vulnerability (CVE-2017-5638) disclosed on March 7, 2017. A patch was available the same day. Equifax did not apply the patch. Attackers exploited it on May 13, 2017 — 67 days after the patch was available.

Failure 2: Expired SSL certificate on monitoring tool. Equifax used an SSL/TLS inspection device to monitor network traffic for suspicious activity. The SSL certificate on this device had expired 19 months earlier. Because the certificate was expired, the device could not decrypt and inspect outbound traffic. The attackers' data exfiltration went undetected for 76 days.

Failure 3: Unencrypted sensitive data. The personal data was stored without encryption at rest. Once the attackers had access to the database, the data was immediately usable.

Why It Matters

The Equifax breach is the clearest demonstration that cybersecurity failures are typically not a single mistake — they are the alignment of multiple independent failures, each of which was individually preventable, each of which was individually the responsibility of someone who should have caught it. A known patch, unapplied. An expired certificate, unrenewed. Unencrypted data, unprotected.