Museum Wire
2017 · breach · Corporation

Equifax — 147 Million Americans Exposed

Attackers exploited a known Apache Struts vulnerability, for which a patch was already available, to access personal data of 147 million Americans — names, SSNs, birth dates, addresses, and driver's license numbers.

Root Cause

Apache Struts vulnerability (CVE-2017-5638) had a patch available for two months before the breach. Equifax failed to apply it. An expired SSL certificate on a network monitoring tool meant exfiltration traffic went uninspected for 76 days. Sensitive data was not encrypted at rest.

Aftermath

CEO, CIO, and CSO all departed. $700+ million in settlements. Led to Congressional hearings and accelerated discussion of federal data privacy legislation. Became the canonical example of 'three independent failures aligning.'

The Incident

On September 7, 2017, Equifax — one of the three major consumer credit reporting agencies in the United States — disclosed that attackers had accessed personal data of approximately 147 million Americans. The stolen data included names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers and credit card numbers.

The Root Cause

The breach was not caused by a sophisticated zero-day exploit. It was caused by three independent failures, any one of which, had it been addressed, would have prevented the breach:

Failure 1: Unpatched known vulnerability. The Apache Struts web framework had a critical remote code execution vulnerability (CVE-2017-5638) disclosed on March 7, 2017. A patch was available the same day. Equifax did not apply the patch. Attackers exploited it on May 13, 2017 — 67 days after the patch was available.

Failure 2: Expired SSL certificate on monitoring tool. Equifax used an SSL/TLS inspection device to monitor network traffic for suspicious activity. The SSL certificate on this device had expired 19 months earlier. Because the certificate was expired, the device could not decrypt and inspect outbound traffic. The attackers' data exfiltration went undetected for 76 days.

Failure 3: Unencrypted sensitive data. The personal data was stored without encryption at rest. Once the attackers had access to the database, the data was immediately usable.
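Each of the three failures above is something an inventory audit can flag before an attacker does. The following is an added example, not code from the Museum Wire write-up: a small Python audit that checks a dependency list against the published affected ranges for CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1), computes how long a TLS inspection device's certificate has been expired, and lists data stores that are not encrypted at rest. The host names, device names, certificate date and inventory records are constructed for illustration; the audit date is the first exploitation date given in the text.

```python
# Added example (not Museum Wire's code): an inventory audit that flags the three
# failure classes in the Equifax write-up. Inventory, host names and dates are
# constructed; only the CVE id and the Struts version ranges are real.
import ssl
from datetime import datetime, timezone

# Versions affected by CVE-2017-5638 (Apache Struts S2-045), inclusive:
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1.
STRUTS_AFFECTED = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); pad short strings so '2.5' compares as 2.5.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def struts_is_vulnerable(version):
    """True when the version lies in an affected range.
    Tuple comparison keeps the fixed 2.5.10.1 above 2.5.10, which string
    comparison would get wrong."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in STRUTS_AFFECTED)


def cert_days_expired(not_after, now):
    """Days since a certificate's notAfter, using the 'Mon DD HH:MM:SS YYYY GMT'
    string format that ssl.getpeercert() returns; negative means still valid."""
    expiry = ssl.cert_time_to_seconds(not_after)  # stdlib; interprets the string as UTC
    return int((now.timestamp() - expiry) // 86400)


def audit(inventory, now):
    """Return (category, asset, detail) findings for the three failure classes."""
    findings = []
    for dep in inventory["dependencies"]:
        if dep["name"] == "struts2-core" and struts_is_vulnerable(dep["version"]):
            findings.append(("unpatched", dep["host"],
                             f"Struts {dep['version']} is affected by CVE-2017-5638"))
    for dev in inventory["tls_inspectors"]:
        days = cert_days_expired(dev["not_after"], now)
        if days >= 0:  # an expired inspection cert means outbound traffic is not decrypted
            findings.append(("expired_cert", dev["name"],
                             f"inspection certificate expired {days} days ago; "
                             "outbound traffic is passing uninspected"))
    for store in inventory["datastores"]:
        if not store["encrypted_at_rest"]:
            findings.append(("unencrypted", store["name"],
                             "sensitive data stored without encryption at rest"))
    return findings


# Constructed inventory; the audit date matches the first exploitation date in the text.
AUDIT_TIME = datetime(2017, 5, 13, tzinfo=timezone.utc)
INVENTORY = {
    "dependencies": [
        {"host": "dispute-portal-01", "name": "struts2-core", "version": "2.5.10"},
        {"host": "intranet-02", "name": "struts2-core", "version": "2.5.10.1"},
    ],
    "tls_inspectors": [
        # constructed notAfter, roughly 19 months before the audit date as in the write-up
        {"name": "egress-inspector-01", "not_after": "Oct 13 00:00:00 2015 GMT"},
    ],
    "datastores": [
        {"name": "consumer-records-db", "encrypted_at_rest": False},
    ],
}

if __name__ == "__main__":
    for category, asset, detail in audit(INVENTORY, AUDIT_TIME):
        print(f"[{category}] {asset}: {detail}")
```

The version check is the part most often done wrong in practice: comparing version strings lexically would rank "2.5.10.1" below "2.5.2", so the parser converts each component to an integer before comparing. The certificate check reads the same date format `ssl.getpeercert()` hands back, so the same function can be pointed at a live inspection device's certificate instead of the constructed record.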

Why It Matters

The Equifax breach is the clearest demonstration that cybersecurity failures are typically not a single mistake — they are the alignment of multiple independent failures, each of which was individually preventable, each of which was individually the responsibility of someone who should have caught it. A known patch, unapplied. An expired certificate, unrenewed. Unencrypted data, unprotected.

Techniques
unpatched vulnerability · expired certificate · unencrypted data