Equifax, one of the United States' most reputable and well-known credit reporting agencies, plays an essential role in the global economy by gathering and analyzing personal financial information to help financial institutions and lenders make informed decisions about extending loans. Equifax holds sensitive data on more than 800 million individuals and 88 million businesses worldwide, including customer names, ages, residences, dates of birth, government-issued identification numbers, and credit card details. This information is used to determine a person’s creditworthiness and is often essential for participating in modern society, as credit checks are necessary for employment, renting or buying a home, and buying or leasing a car, meaning consumers often have little choice but to share their information.
In 2017, Equifax experienced one of the most impactful and damaging data breaches ever recorded in cybersecurity history. This breach exposed the personal data of approximately 147.9 million Americans, along with some residents of Canada and the UK, representing over 40% of the U.S. adult population. The compromised data included sensitive details like Social Security Numbers (SSNs), location addresses, dates of birth, and credit card numbers. The breach exposed customers to the risk of identity theft and threatened their financial holdings.
How the Attack Happened
The Equifax data breach was caused by a combination of technical vulnerabilities and organizational failures. The primary technical factor was a flaw in the popular Apache Struts 2 Java framework. This specific vulnerability, identified as S2-045 (CVE-2017-5638), allowed an attacker to inject code into an HTTP request’s “Content-Type” header, which the web server would then execute.
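As an added example (not from the original article), one defensive check suited to a header-injection flaw of this kind: validate the Content-Type value against the media-type grammar and treat anything that does not parse as an alert, here run over constructed reverse-proxy log lines. The log format, its ct="..." field and the header values are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Media-type grammar (RFC 7231 s.3.1.1.1, token characters per RFC 7230 s.3.2.6):
#   media-type = type "/" subtype *( OWS ";" OWS parameter )
#   parameter  = token "=" ( token / quoted-string )
# Braces, parentheses and brackets are not token characters, so a header that
# carries expression syntax fails the grammar before it reaches the application.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_TOKEN = rf"{_TCHAR}+"
_QUOTED = r'"(?:[^"\\\x00-\x1f]|\\[\x00-\x7f])*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}(?:[ \t]*;[ \t]*{_PARAM})*[ \t]*")

MAX_CONTENT_TYPE_LEN = 256  # hypothetical cap; legitimate values are far shorter


def is_valid_media_type(value: str) -> bool:
    """True only if `value` is a syntactically well-formed media type."""
    if not value or len(value) > MAX_CONTENT_TYPE_LEN:
        return False
    return _MEDIA_TYPE.fullmatch(value) is not None


# Constructed reverse-proxy log lines (not real Equifax data). The proxy is
# assumed to record the request's Content-Type as ct="..." with inner quotes
# escaped as \".
_CT_FIELD = re.compile(r'ct="((?:[^"\\]|\\.)*)"')

SAMPLE_LOG = """\
2017-03-10T02:14:07Z POST /dispute/upload 200 ct="multipart/form-data; boundary=----abc123"
2017-03-10T02:14:09Z POST /dispute/upload 200 ct="application/json"
2017-03-10T02:15:41Z POST /dispute/upload 500 ct="%{#constructed_bad_header}"
2017-03-10T02:16:02Z GET /dispute/status 200
"""


def find_malformed_content_types(log: str) -> List[Tuple[int, str]]:
    """Return (line_number, header_value) for every request whose Content-Type
    does not parse as a media type; alert on these and correlate with 5xx codes."""
    flagged: List[Tuple[int, str]] = []
    for n, line in enumerate(log.splitlines(), start=1):
        m = _CT_FIELD.search(line)
        if m is None:
            continue  # request carried no Content-Type header
        value = m.group(1).replace('\\"', '"')
        if not is_valid_media_type(value):
            flagged.append((n, value))
    return flagged
```

Rejecting the header at the edge is a compensating control only; it does not replace applying the vendor patch.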
Apache rolled out a patch to fix this vulnerability on March 7, 2017. The U.S. Computer Emergency Readiness Team (US-CERT), a division within the Department of Homeland Security, notified Equifax of the software flaw on March 8, and an alert was distributed to 400 Equifax employees by the Global Threats and Vulnerability Management (GTVM) team. The vulnerability was assigned the highest possible criticality score, a 10, by the National Institute of Standards and Technology (NIST).
Unfortunately, Equifax did not implement this critical patch in a timely manner. Officials stated that on March 10, 2017, unknown individuals scanned Equifax’s systems for this specific vulnerability. They found a vulnerable server hosting Equifax’s online dispute portal, a web-based application allowing individuals to upload documents to dispute inaccuracies in their credit report.
Initial access was gained on March 10, 2017. Attackers were able to pivot to other servers within the network starting May 13, 2017, due to a lack of proper network segmentation. After reaching other machines, they discovered plaintext credentials that unlocked access to additional servers. From May through July 2017, hackers accessed multiple Equifax databases containing personal information. They executed roughly 9,000 queries in total.
The attackers used several techniques to hide their activity. They sent queries and commands and extracted data over encrypted channels already established to the online dispute portal, and they deployed multiple backdoors known as web shells. Equifax had network monitoring tools designed to decrypt, analyze, and re-encrypt traffic, but an expired TLS/SSL certificate had left them inoperative. As a result, encrypted traffic was not inspected and Equifax had no visibility into the data leaving its network, which let the attackers blend in with normal activity and remain undetected for nearly two months.
Investigations by the FBI, FTC, and CFPB, along with a detailed report from the Senate’s Homeland Security Permanent Subcommittee on Investigations (PSI), concluded that the breach was likely preventable and outlined Equifax’s history of lax cybersecurity practices. The consensus was that Equifax was responsible for the loss of PII through negligence. Factors contributing to this negligence included the lack of a comprehensive IT Asset Inventory (meaning they didn’t know where all instances of Apache Struts were located), failure to follow their own patch management policy (which mandated patching critical vulnerabilities within 48 hours), inconsistent communication within IT/Security teams, and the failure to maintain cybersecurity technologies like the SSL certificate.
Investigators believe the attack was likely the work of Chinese state-sponsored hackers as part of a government operation to collect American data, potentially to build dossiers on US government officials and intelligence officers for potential manipulation. The U.S. Department of Justice charged four members of the Chinese military with the attack on February 10, 2020.
Handling the Incident and Aftermath
The intrusion was discovered on July 29, 2017, when Equifax renewed the expired SSL certificate and immediately noticed suspicious activity. The company promptly fixed the security weaknesses the hackers had exploited. Equifax retained the law firm King & Spalding LLP, which enlisted Mandiant, a cybersecurity research firm, to investigate the breach.
Equifax’s public response was widely criticized. The company waited six weeks after discovering the breach to issue a public announcement on September 7, 2017. Their initial attempts to notify customers via a stand-alone domain, equifaxsecurity2017.com, were met with suspicion as the domain style resembled phishing attacks. To make matters worse, Equifax’s official social media accounts mistakenly directed users to a different, incorrect domain. Most controversially, the original language on the eligibility website required users to waive their right to sue the firm and agree to mandatory arbitration to check if their data was compromised. This was eventually updated, but the New York State Attorney General condemned the language and initiated an investigation.
The breach had significant financial repercussions for Equifax. The initial estimated cost exceeded $600 million, and the firm expects the total to reach $1.35 billion once response costs, new technology implementation, and data protection improvements are included. Equifax’s $125 million cybersecurity insurance policy was exhausted.
As part of a global settlement in July 2019, Equifax agreed to pay a minimum of $575 million and a maximum of $700 million to resolve allegations from the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. The FTC alleged violations of the FTC Act and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to maintain a comprehensive information security program. The settlement included up to $425 million for affected consumers ($300M initially, plus up to $125M for out-of-pocket losses), $175 million to states, and $100 million to the CFPB.
Compensation offered to consumers included free credit monitoring services (up to 10 years total) and compensation for time and money spent recovering from identity theft (up to $20,000 in out-of-pocket losses and up to 20 hours at $25/hour for recovery time). Consumers could also claim a maximum of $125 if they already had credit monitoring services, in lieu of free monitoring. However, this cash payout was criticized as insufficient; with millions of claims, the actual payout per person was estimated to be around $7. Critics also argued that the claims process was complicated, potentially reducing the number of successful claims.
The breach severely damaged Equifax’s reputation and eroded public trust. The stock price dropped significantly, and Moody’s downgraded Equifax’s financial rating. CEO Richard Smith, CSO Susan Mauldin, and CIO David Webb resigned in the aftermath. Furthermore, former CIO Jun Ying and former manager Sudhakar Reddy Bonthu were sentenced for insider trading, having sold stock before the breach was publicly announced.
Following the breach, federal agencies like the IRS, SSA, and USPS responded independently, assessing Equifax’s security, modifying contracts, communicating with the public, and changing identity-proofing procedures to prevent fraud and adverse effects on their own activities. Congress also passed legislation allowing consumers to place free credit freezes and one-year fraud alerts on their accounts. However, comprehensive reform bills addressing credit reporting agency (CRA) cybersecurity and compensation have not advanced.
In response to the breach, Equifax made significant changes, including overhauling its IT systems and implementing stronger security measures. It embarked on a three-year digital transformation to become a cloud-native credit reporting company, viewing this as the optimal path to enhance security and drive innovation. Equifax selected Google Cloud, citing its advanced security posture, including a nine-layer, zero-trust architecture and the use of advanced machine learning to automatically detect and neutralize threats.
Lessons Learned and Best Practices
The Equifax data breach provides critical lessons for any organization handling sensitive data:
- Prompt Patching is Non-Negotiable: The breach was successful because a known vulnerability with a publicly available patch was not applied. Organizations must prioritize timely security upgrades and maintain rigorous patch management policies.
- Maintain Comprehensive IT Asset Inventory: Equifax’s inability to locate instances of the vulnerable software hampered their ability to patch it quickly. Knowing exactly what software and hardware are running on the network is fundamental to effective security.
- Implement Robust Network Segmentation: Attackers were able to move laterally throughout the network due to insufficient segmentation. Dividing the network into isolated zones limits the impact of a breach.
- Monitor Security Certificates: An expired SSL certificate prevented Equifax from inspecting encrypted traffic, allowing attackers to exfiltrate data undetected. Ensure all security infrastructure components, including certificates, are current and functional.
- Strengthen Access Controls (Zero Trust): Lax authorization protocols allowed hackers to remain active and download data for months. Implementing zero-trust principles, granular access control, real-time authorization, and multifactor authentication restricts user (and attacker) access to only what is necessary and enables quicker detection of unusual activity.
- Prioritize Cybersecurity at All Levels: The breach highlights the repercussions of failing to make cybersecurity a top priority for executives and IT management.
- Ensure Effective Communication and Follow-Up: Inconsistent communication about vulnerability remediation statuses contributed to the failure to patch. Clear protocols for reporting, escalating, and verifying remediation are essential.
- Develop and Test an Incident Response Plan: Equifax’s delayed public notification and initial confusing communication strategy were heavily criticized. A well-defined, tested plan for detecting, responding to, and communicating about breaches is vital.
- Recognize Sensitive Data Requires Heightened Protection: Given the critical nature of PII and the severe consequences of its loss, organizations holding such data have a heightened responsibility and must invest in advanced security practices.
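An added example (not the article's or Equifax's code) that ties together the negligence factors from the investigation and the first two lessons above: an inventory-driven triage that reports which hosts run a version in the advisory's affected range, which of those are past the 48-hour patch deadline, and which the inventory cannot classify at all. Hosts and versions are constructed; the affected-version ranges are taken from the S2-045 advisory as an assumption to verify, and the dates are the article's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31, 0); padding makes 2.5 and 2.5.0 compare equal."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))

@dataclass(frozen=True)
class Advisory:
    cve: str
    fix_available: datetime                 # when the vendor patch was published
    affected: Tuple[Tuple[str, str], ...]   # inclusive (lowest, highest) vulnerable ranges
    sla: timedelta                          # internal deadline for critical patches

    def is_affected(self, version: str) -> bool:
        v = parse_version(version)
        return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in self.affected)

# Inventory rows are (host, framework version); None means the inventory does not record it.
Asset = Tuple[str, Optional[str]]

def triage(assets: List[Asset], adv: Advisory, now: datetime) -> List[Tuple[str, str, float]]:
    """One (host, status, hours_past_sla) row per asset; 'unknown' rows must be
    resolved before anyone can claim the estate is patched."""
    deadline = adv.fix_available + adv.sla
    past_sla = max(0.0, (now - deadline).total_seconds() / 3600)
    rows = []
    for host, version in assets:
        if version is None:
            status = "unknown"
        elif not adv.is_affected(version):
            status = "ok"
        else:
            status = "vulnerable-overdue" if now > deadline else "vulnerable"
        rows.append((host, status, past_sla if status == "vulnerable-overdue" else 0.0))
    return rows

# Affected ranges as published in the S2-045 advisory (assumption: verify); dates from the article.
S2_045 = Advisory("CVE-2017-5638", datetime(2017, 3, 7, tzinfo=timezone.utc),
                  (("2.3.5", "2.3.31"), ("2.5", "2.5.10")), timedelta(hours=48))

# Constructed inventory; hosts and versions are invented for the example.
ASSETS: List[Asset] = [("dispute-portal-01", "2.3.30"), ("hr-app-02", "2.3.32"),
                       ("billing-03", "2.5.10"), ("legacy-01", None)]
SCAN_TIME = datetime(2017, 3, 10, tzinfo=timezone.utc)

def example_rows() -> List[Tuple[str, str, float]]:
    return triage(ASSETS, S2_045, SCAN_TIME)
```

The "unknown" row is the important one: an asset the inventory cannot classify is exactly the condition that left Equifax's dispute portal unpatched while the alert went to 400 staff.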
The Equifax breach served as a stark reminder that even large, well-known companies are susceptible to cyberattacks and must remain vigilant in protecting critical data. It underscored the ethical responsibilities of companies handling sensitive consumer information, particularly regarding negligence, transparency, and just compensation for harm. The incident prompted increased scrutiny from regulatory bodies and influenced discussions around stricter data protection laws. While Equifax has made significant investments in its security infrastructure and cloud transformation post-breach, the incident’s scale and impact serve as a crucial case study in the fundamental importance of cybersecurity basics and modern security architectures.