Anatomy of a Breach

Anatomy of a Breach: Equifax — 147 Million Americans Exposed Through an Unpatched Apache Struts Vulnerability

> series: anatomy_of_a_breach —— part: 105 —— target: equifax —— americans: 147,000,000 —— vulnerability: apache_struts —— patch_delay: 2_months

Hedgehog Security 30 September 2017 14 min read

147 million Social Security numbers. Through a vulnerability patched two months earlier.

On 7 September 2017, Equifax disclosed that attackers had accessed the personal data of approximately 147 million Americans, nearly half the US population, through its consumer dispute resolution portal (the figure was first reported as 143 million and revised upward as the investigation progressed). The stolen data included names, Social Security numbers, dates of birth and addresses and, for a smaller number of people, driver's licence numbers and credit card numbers. The breach had been active from May to July 2017: 78 days of undetected access to the most sensitive financial data in the country.

The attack exploited CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts 2, the web application framework powering Equifax's dispute portal. The bug (Apache advisory S2-045) lets an unauthenticated attacker run arbitrary commands on the server by placing an OGNL expression in the Content-Type header of a multipart request; no login, no file upload, one HTTP request. The vulnerability was publicly disclosed and patched on 6 March 2017, in Struts 2.3.32 and 2.5.10.1. Equifax did not apply the patch to the portal. The attackers exploited it two months later, in May 2017, the same month WannaCry struck. Equifax's CEO, CIO and CSO all departed. The company ultimately agreed to a settlement of up to $700 million with the FTC, the CFPB and US state attorneys general, the largest data breach settlement in US history at the time.
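What an inspection point sitting in front of the portal should have alerted on is the trigger described above: a Content-Type header that carries an expression instead of a media type. The following is an added example, not Equifax's or Apache's code. It assumes a hypothetical Apache LogFormat that records the request Content-Type header (shown in the comment at the top), and the three log lines in SAMPLE_LOG are constructed for the example; the probe line contains only an expression marker, not a command.

```python
"""Flag HTTP requests whose Content-Type header carries an OGNL expression,
the trigger for CVE-2017-5638 (Apache advisory S2-045).

Added example, not Equifax's or Apache's code.  Assumes a hypothetical
Apache LogFormat that records the request Content-Type header:

    LogFormat "%h %t \"%r\" %>s \"%{Content-Type}i\"" ctype

The log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fields: client IP, [timestamp], "request line", status, "Content-Type".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# A legitimate Content-Type is a media type plus parameters, e.g.
# "multipart/form-data; boundary=abc".  It never contains an expression
# opener or an OGNL context reference; any of these marks an attempt.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.OgnlContext@")


@dataclass
class Finding:
    ip: str
    ts: str
    request: str
    marker: str


def suspicious_content_type(ctype: str) -> Optional[str]:
    """Return the first OGNL marker present in a Content-Type value, else None."""
    for marker in OGNL_MARKERS:
        if marker in ctype:
            return marker
    return None


def scan(lines: List[str]) -> Tuple[List[Finding], List[str]]:
    """Scan log lines; return (findings, lines that did not parse).

    Unparseable lines are returned rather than dropped: a payload containing
    a double quote breaks the simple format and should still be looked at.
    """
    findings: List[Finding] = []
    unparsed: List[str] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        marker = suspicious_content_type(m["ctype"])
        if marker:
            findings.append(Finding(m["ip"], m["ts"], m["req"], marker))
    return findings, unparsed


# Constructed sample: one probe (an OGNL expression with no command in it),
# one normal multipart upload, one GET with no body.
SAMPLE_LOG = [
    '198.51.100.7 [13/May/2017:03:14:07 +0000] "POST /dispute/upload HTTP/1.1" '
    '200 "%{(#_=\'multipart/form-data\').(#probe=\'s2-045\')}"',
    '203.0.113.9 [13/May/2017:03:14:09 +0000] "POST /dispute/upload HTTP/1.1" '
    '200 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '192.0.2.5 [13/May/2017:03:15:00 +0000] "GET /dispute/status HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    hits, bad = scan(SAMPLE_LOG)
    for f in hits:
        print(f"ALERT {f.ts} {f.ip} {f.request!r} marker={f.marker}")
    print(f"{len(hits)} suspicious request(s), {len(bad)} unparsed line(s)")
```

The same check applies to the Content-Disposition filename parameter, which the follow-up advisory S2-046 showed reaches the same code path; point the header regex at whichever field your proxy or WAF logs. It also only works where traffic is decrypted before it is logged, which is exactly what the expired inspection certificate discussed below had silently switched off.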



The same lesson. The ninth year of this series. Still not learned.

CVE-2017-5638 was disclosed and patched on 6 March 2017. Equifax was breached in May. Under Cyber Essentials' 14-day patching requirement (critical and high-severity fixes applied within 14 days of release), the vulnerability should have been patched by 20 March, two months before the attackers exploited it. The Equifax breach, like WannaCry (59 days) and Sony PSN (known vulnerabilities), was a patching failure: a known vulnerability, with an available patch, not applied in time.
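The two questions a patch-management check has to answer for this case are whether a deployed Struts build is inside the affected range and how far past the 14-day window it is. The following is an added example, not Equifax's scanner or Apache's code. The affected ranges are the ones in the Apache S2-045 advisory (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1); the WEB-INF/lib listing and the as-of date are constructed for the example.

```python
"""Is this Struts 2 build affected by CVE-2017-5638, and how far past the
Cyber Essentials 14-day patch window is it?

Added example, not Equifax's scanner.  Affected ranges are those in the
Apache S2-045 advisory: 2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32
and 2.5.10.1.  The WEB-INF/lib listing and AS_OF date are constructed.
"""
import re
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ADVISORY_DATE = date(2017, 3, 6)   # fixed releases published
PATCH_WINDOW = timedelta(days=14)  # Cyber Essentials: critical/high fixes within 14 days
AS_OF = date(2017, 5, 13)          # constructed as-of date for the example

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare lexicographically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside an S2-045 affected range."""
    v = parse_version(version)
    # 2.3.5 .. 2.3.31 inclusive.
    if (2, 3, 5) <= v <= (2, 3, 31):
        return True
    # 2.5 .. 2.5.10 inclusive.  The fix, 2.5.10.1, is (2, 5, 10, 1), which
    # sorts above (2, 5, 10) and is therefore excluded.
    if (2, 5) <= v <= (2, 5, 10):
        return True
    return False


def struts_jar_version(path: str) -> Optional[str]:
    """Version string from a struts2-core jar path, or None for other jars."""
    m = JAR_RE.search(path)
    return m.group(1) if m else None


def assess(jar_paths: List[str], as_of: date) -> List[Dict]:
    """One record per struts2-core jar: version, vulnerable flag, days overdue.

    days_overdue counts from the 14-day deadline after the advisory, so a
    vulnerable jar seen on the deadline itself reports 0.
    """
    deadline = ADVISORY_DATE + PATCH_WINDOW  # 20 March 2017
    report = []
    for path in jar_paths:
        version = struts_jar_version(path)
        if version is None:
            continue
        vulnerable = is_vulnerable(version)
        overdue = max(0, (as_of - deadline).days) if vulnerable else 0
        report.append({"jar": path, "version": version,
                       "vulnerable": vulnerable, "days_overdue": overdue})
    return report


# Constructed listing of a web application's lib directory.
SAMPLE_LIB = [
    "WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "WEB-INF/lib/struts2-core-2.3.31.jar",  # last release before the fix
    "WEB-INF/lib/ognl-3.0.19.jar",
]

if __name__ == "__main__":
    for rec in assess(SAMPLE_LIB, AS_OF):
        state = "VULNERABLE" if rec["vulnerable"] else "ok"
        print(f'{rec["jar"]}: {rec["version"]} {state}, '
              f'{rec["days_overdue"]} day(s) past the 14-day window')
```

A file-name match only finds what the scan is pointed at: shaded or renamed jars, exploded classes and applications deployed outside the expected path all defeat it, so pair the inventory check with a runtime check against the application itself. Equifax had both a patch notice and a scan in March 2017 and still missed the vulnerable instance, which is the gap the rest of this article is about.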

Patch Available for Two Months
The Apache Struts patch was available for over two months before the breach. Equifax's internal security team had sent a notice to apply the patch — but it was not applied to the vulnerable system. Our <a href="/vulnerability-scanning">vulnerability scanning</a> identifies missing patches across your entire estate, ensuring nothing is missed.
Expired SSL Certificate Hid the Breach
Equifax had deployed SSL inspection tools to monitor encrypted traffic for signs of data exfiltration — but the certificate on the inspection device had expired 19 months earlier and had not been renewed, disabling the monitoring. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides continuous monitoring with alert management that detects disabled or expired security controls.
147 Million SSNs Without Encryption
Social Security numbers — the most sensitive personal identifiers in the US system — were stored without encryption in the database behind the vulnerable web application. <a href="/penetration-testing/web-application">Application testing</a> and <a href="/penetration-testing/infrastructure">infrastructure testing</a> assess data-at-rest encryption.
$700 Million Settlement
The settlement with the FTC, the CFPB and US state attorneys general, up to $700 million including consumer restitution, was the largest data breach settlement in US history at the time. Under the GDPR, the maximum penalty is 4% of global annual turnover or €20 million, whichever is higher. For UK organisations handling financial data, the Equifax case demonstrates the existential financial risk of patching failures. <a href="/cyber-essentials">Cyber Essentials</a> provides the patching baseline that closes this window.

A credit bureau that could not protect the data it demanded citizens provide.

Equifax was not just any company — it was a credit reporting agency that citizens were effectively required to provide their most sensitive data to (through credit applications, employment checks, and financial services). The breach raised fundamental questions about the security obligations of organisations that hold data not by customer choice but by systemic necessity. The OPM breach (2015) raised similar questions about government data custodians.

For UK organisations, the Equifax breach reinforced every lesson of this nine-year series: patch promptly (Cyber Essentials requires critical and high-severity patches within 14 days), encrypt sensitive data at rest, monitor continuously (SOC in a Box), and maintain incident response capability (UK Cyber Defence). Our web application testing identifies Apache Struts flaws of the kind the Equifax attackers exploited, along with Spring and other framework vulnerabilities. Because if a credit bureau cannot protect 147 million Social Security numbers, no organisation can assume its data is safe without tested, verified controls.


147 million SSNs. An unpatched web framework. $700 million settlement. Have you patched your web applications?

<a href="/vulnerability-scanning">Vulnerability scanning</a> finds missing patches. <a href="/penetration-testing/web-application">Web application testing</a> identifies framework vulnerabilities. <a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day patching.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
