Equifax: How a Missed Patch and an Expired Certificate Exposed 147 Million People
Historical Case Studies
Some breaches are sophisticated. Attackers spend months developing custom tools, chaining together obscure exploits, and outsmarting brilliant defenders. The Equifax breach was not one of those.
Equifax is interesting precisely because it wasn't clever. Nearly every step that let attackers walk away with the personal data of about 147 million Americans came down to ordinary security work that simply didn't get done. That's what makes it such a good story to learn from: almost nothing here required a genius. It required someone to apply a patch, renew a certificate, and not store passwords in plain text. Those things didn't happen, and the result was one of the largest and most damaging breaches in history.
Let's break it down.
What Happened?
In early March 2017, a serious vulnerability was disclosed in Apache Struts 2, a popular open-source framework for building Java web applications. Equifax, like thousands of other companies, used Struts to run some of its public-facing websites - including its online dispute portal, the place where consumers go to challenge errors on their credit reports.
The vulnerability was disclosed publicly on March 7, 2017, and the people who maintain Struts released a fix the same day. The next day, the U.S. Department of Homeland Security specifically warned Equifax (and the other major credit bureaus, to be fair) about it. On March 9, Equifax's own staff sent an internal email telling administrators to patch any affected systems.
And then... the dispute portal didn't get patched.
A few days later, Equifax ran scans meant to find any systems still exposed to this flaw. The scans came back clean, but they were wrong: the vulnerable dispute-portal server was never found, so nobody knew it was still unpatched.
Around mid-May 2017, attackers found that unpatched server and walked right in. Over the next two and a half months, they quietly moved deeper into Equifax's network, found a treasure trove of unprotected passwords, and used them to reach dozens of databases full of sensitive consumer records. They pulled the data out slowly, in small encrypted chunks, to avoid drawing attention.
Equifax didn't notice any of this until July 29, 2017, and the reason they finally did notice is one of the best lessons in this entire story (more on that below). By then the attackers had been inside for roughly 76 days. Equifax publicly announced the breach on September 7, 2017.
The stolen data included Social Security numbers, birth dates, addresses, and driver's license numbers, plus credit card numbers for a couple hundred thousand people. This is the worst possible category of data to lose, for a reason we'll get to.
Concepts Explained
Before going further, let's define the handful of terms that make this story make sense.
Vulnerability and CVE. A vulnerability is a weakness in software that an attacker can take advantage of. When a new one is found, it gets a public ID number so everyone can refer to the same thing — that's a CVE, short for Common Vulnerabilities and Exposures. The Equifax flaw was CVE-2017-5638. Think of a CVE number like a case file number: it's how the entire security industry tracks and talks about a specific problem.
Remote Code Execution (RCE). This is one of the most dangerous types of vulnerability. Remote means the attacker doesn't need to be physically near the machine, they can do it over the internet. Code execution means they can make the machine run commands of their choosing. Put them together and an attacker can essentially take control of a server from anywhere in the world. The Struts flaw was an RCE, and it didn't even require a username or password to exploit. An attacker just had to send a specially crafted web request: the bug lived in the framework's file-upload handling, where a malformed Content-Type header was copied into an error message that Struts then evaluated as an OGNL expression (Struts' built-in expression language). Whatever expression the attacker placed in that header ran on the server with the web application's privileges.
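The request pattern described above is easy to recognise in web logs once you know what to look for: a legitimate Content-Type header is a media type such as `multipart/form-data; boundary=...` and never contains an expression marker. The following detector is an added example, not code from the original article and not a reproduction of the exploit; the three sample requests are constructed for illustration, and the marker strings it matches (`%{` and `${`) are the public OGNL syntax, not a specific attacker payload.

```python
"""Flag HTTP requests whose Content-Type header carries an OGNL expression,
the request shape used against Apache Struts 2 flaw CVE-2017-5638 (S2-045).

Added example, not code from the original article. The sample requests are
constructed; the expression in the third one is a harmless placeholder.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# OGNL expressions open with %{ or ${. No valid media type contains either,
# so their presence in Content-Type is a strong signal on its own.
OGNL_MARKER = re.compile(r"[%$]\{")
# Struts only routed a request to its (vulnerable) multipart parser when the
# header contained this token, so crafted headers carried it somewhere inside.
MULTIPART = re.compile(r"multipart/form-data", re.IGNORECASE)


@dataclass
class Finding:
    request_no: int
    reason: str
    header_value: str


def parse_headers(raw_request: str) -> dict:
    """Return {lower-case name: value} for one raw HTTP request (start line skipped)."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:          # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw_request: str, request_no: int = 0) -> Optional[Finding]:
    """Return a Finding if the Content-Type header looks like an S2-045 probe."""
    content_type = parse_headers(raw_request).get("content-type", "")
    if not OGNL_MARKER.search(content_type):
        return None
    reason = "OGNL expression marker in Content-Type"
    if MULTIPART.search(content_type):
        reason += " together with multipart/form-data (S2-045 pattern)"
    return Finding(request_no, reason, content_type)


def scan(requests: List[str]) -> List[Finding]:
    return [f for f in (inspect_request(r, i) for i, r in enumerate(requests)) if f]


# Constructed sample traffic: a normal upload, a normal JSON call, and a probe.
SAMPLE_REQUESTS = [
    "POST /upload HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n\r\n",
    "POST /api/dispute HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: application/json\r\n\r\n{\"id\": 42}",
    "POST /dispute.action HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#probe=1)}\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"request #{finding.request_no}: {finding.reason}: {finding.header_value!r}")
```

In production this check belongs at the reverse proxy or WAF, applied to the raw header before any framework parses it; the related S2-046 variant carried the expression in a Content-Disposition filename instead, so the same marker test should be run over that header too.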
Patch and patch management. A patch is an update that fixes a known flaw. Patch management is the ongoing process of tracking which patches exist, deciding how urgent each one is, applying them, and confirming the fix actually worked. It's unglamorous, and it's also one of the single most important things a security/IT team does.
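"Confirming the fix actually worked" is the step that failed at Equifax, where a clean scan result hid an unpatched server. One way to verify a Struts patch independently of whatever a vulnerability scanner reports is to look at what is actually deployed: walk the whole filesystem tree, find every `struts2-core-*.jar`, and compare its version with the affected ranges from the Apache S2-045 advisory (2.3.5 through 2.3.31 and 2.5 through 2.5.10). The script below is an added example, not Equifax's tooling or code from the original article; the directory layout it builds in a temporary folder is constructed, with one patched application at the top level and one stale deployment nested several directories down, so that the contrast between a shallow and a recursive check is visible.

```python
"""Verify that a Struts 2 patch actually landed by inspecting deployed jars.

Added example, not Equifax's tooling. The sample tree is constructed in a
temporary directory; the affected version ranges are from the S2-045 advisory.
"""
import os
import re
import tempfile
from typing import Iterator, List, Tuple

JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: Version) -> bool:
    """True if the version falls in an S2-045 affected range.
    Tuple comparison makes 2.5.10.1 sort after 2.5.10, which is what we want."""
    return (2, 3, 5) <= version <= (2, 3, 31) or (2, 5) <= version <= (2, 5, 10)


def find_struts_jars(root: str) -> Iterator[Tuple[str, Version]]:
    """Yield (path, version) for every struts2-core jar anywhere under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_NAME.match(name)
            if match:
                yield os.path.join(dirpath, name), parse_version(match.group(1))


def audit(root: str) -> List[Tuple[str, str, bool]]:
    """Recursive check: (relative path, version string, vulnerable?) per jar."""
    return [
        (os.path.relpath(path, root), ".".join(map(str, version)), is_vulnerable(version))
        for path, version in sorted(find_struts_jars(root))
    ]


def shallow_audit(directory: str) -> List[Tuple[str, str, bool]]:
    """The kind of check that misses nested deployments: looks at one directory only."""
    results = []
    for name in sorted(os.listdir(directory)):
        match = JAR_NAME.match(name)
        if match:
            version = parse_version(match.group(1))
            results.append((name, match.group(1), is_vulnerable(version)))
    return results


def build_sample_tree() -> str:
    """Constructed layout: a patched app and a stale, deeply nested dispute portal."""
    root = tempfile.mkdtemp(prefix="struts-audit-")
    layout = [
        "webapps/portal/WEB-INF/lib/struts2-core-2.3.32.jar",
        "webapps/legacy/dispute/ROOT/WEB-INF/lib/struts2-core-2.3.31.jar",
        "webapps/other/WEB-INF/lib/commons-io-2.5.jar",   # not Struts, ignored
    ]
    for rel in layout:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb"):
            pass  # empty placeholder; only the file name matters here
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("shallow check of", sample_root, "->", shallow_audit(sample_root))
    for rel_path, ver, vuln in audit(sample_root):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {ver:10} {rel_path}")
```

The shallow check returns nothing for the sample tree and would be reported as "clean"; the recursive one finds the 2.3.31 jar. Real deployments also ship Struts inside WAR files, so a complete version of this check opens each `.war` as a zip and applies the same name test to its entries.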
Lateral movement. Getting into a network is just step one for an attacker. Lateral movement is what they do next: using their initial foothold to spread sideways to other systems, hunting for more valuable data and access. A well-defended network slows this down. Equifax's did not.
Data exfiltration. This is the act of stealing data by sending copies of it out of the network to a location the attacker controls. The word to remember is "out" — exfiltration is data leaving where it shouldn't.
Defense in depth. This is the idea that you should never rely on a single security measure to stop an attacker. Instead, you layer multiple, independent defenses, so that if one fails, another is still standing. Think of it like a bank: the front door lock, the vault, the cameras, and the guard are all separate barriers. Equifax is what the absence of this looks like: once attackers got past the outer wall, there were no meaningful layers behind it, so a single break-in became total access.
Why It Matters
There's a reason the Equifax breach is still discussed years later, and it isn't just the size.
In most breaches, the victims at least chose to do business with the company that lost their data. You signed up for the store loyalty card; you opened the bank account. But almost nobody chooses to be in Equifax's files. Credit bureaus collect data about you whether you've heard of them or not, because lenders report to them. So when Equifax lost the data of 147 million people, the overwhelming majority of those people had no direct relationship with the company and no say in how their information was protected.
It gets worse. You can change a stolen password in thirty seconds. You cannot change your Social Security number, your date of birth, or your history of past addresses. These are permanent identifiers, and they're exactly what's used to verify your identity when you apply for credit, file taxes, or open accounts. Once that information is loose, the risk doesn't expire. That's why this breach is considered so severe: the harm is effectively permanent, and it landed on people who never agreed to take on the risk.
What Defenders Would See
Here's where it gets useful for anyone learning the defensive side, because Equifax had the tools to catch this - they just weren't working.
To spot data being stolen, many organizations inspect the traffic leaving their network. The catch is that most web traffic today is encrypted (the "S" in HTTPS). Encryption is great for privacy, but it also means a monitoring tool can't read what's inside the traffic unless it first decrypts it, inspects it, and re-encrypts it. To do that decryption, the monitoring device needs a valid digital certificate of its own, essentially a credential that lets it act as a trusted middleman between the outside world and the servers it protects.
At Equifax, that certificate had expired, and not recently: the congressional investigation found the inspection device had been inactive for about 19 months because of it. For all that time, the monitoring system couldn't decrypt the traffic, so it simply stopped inspecting it. The attackers' theft of millions of records, encrypted and trickled out in small pieces, looked like perfectly ordinary HTTPS traffic. Nobody was watching the one place the theft was visible.
On July 29, 2017, an administrator finally renewed the expired certificate. The moment traffic inspection switched back on, the monitoring tool immediately lit up with suspicious activity - the same activity that had been going on for over two months. The breach wasn't detected by a brilliant analyst noticing something subtle. It was detected because a tool that had essentially been switched off got switched back on.
So if you imagine sitting in Equifax's security operations center, the painful truth is that for 76 days there was almost nothing to see, not because the attack was invisible, but because the tools meant to catch it were basically blind.
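Two small checks would have surfaced this blind spot long before an administrator stumbled on it: warn about inspection certificates that are expired or about to expire, and treat a decrypting monitor that produces nothing while encrypted traffic is still flowing as a failure rather than a quiet day. The script below is an added example, not Equifax's tooling or code from the original article. The certificate expiry strings are constructed but use the format `openssl x509 -noout -enddate` prints, and the hourly traffic counters are constructed to stand in for an appliance's own telemetry.

```python
"""Monitor the monitor: certificate lead-time check plus an inspection-gap alert.

Added example, not Equifax's tooling. Certificate dates and traffic counters
below are constructed; the date format is openssl's "notAfter=" output.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


def parse_openssl_enddate(text: str) -> datetime:
    """Parse 'notAfter=Jan 31 23:59:59 2016 GMT' (or the bare date) to aware UTC."""
    value = text.split("=", 1)[1] if "=" in text else text
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def certificate_status(not_after: datetime, now: datetime, warn_days: int = 30) -> Tuple[str, int]:
    """Return ('expired' | 'expiring' | 'ok', whole days remaining; negative once expired)."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= timedelta(days=warn_days):
        return "expiring", remaining.days
    return "ok", remaining.days


def inspection_gaps(intervals: List[dict], min_tls_bytes: int = 1) -> List[dict]:
    """Intervals where the appliance saw TLS traffic but decrypted none of it.
    Silence while traffic flows is a failing monitor, not an idle one."""
    return [iv for iv in intervals
            if iv["tls_bytes"] >= min_tls_bytes and iv["decrypted_bytes"] == 0]


# Constructed inventory: certificates loaded on the inspection appliance.
SAMPLE_CERTS: Dict[str, str] = {
    "dispute-portal-decrypt": "notAfter=Nov 30 23:59:59 2015 GMT",
    "intranet-decrypt": "notAfter=Aug 20 00:00:00 2017 GMT",
    "partner-api-decrypt": "notAfter=Mar  1 12:00:00 2019 GMT",
}

# Constructed hourly counters from the appliance's own telemetry.
SAMPLE_INTERVALS: List[dict] = [
    {"when": "2017-07-28T10:00Z", "tls_bytes": 4_200_000, "decrypted_bytes": 0},
    {"when": "2017-07-28T11:00Z", "tls_bytes": 3_900_000, "decrypted_bytes": 0},
    {"when": "2017-07-29T17:00Z", "tls_bytes": 5_100_000, "decrypted_bytes": 4_950_000},
]


def audit(now_iso: str = None) -> Tuple[Dict[str, Tuple[str, int]], List[dict]]:
    """Run both checks as of now_iso (naive ISO-8601, read as UTC) or the current time."""
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    cert_report = {name: certificate_status(parse_openssl_enddate(text), now)
                   for name, text in SAMPLE_CERTS.items()}
    return cert_report, inspection_gaps(SAMPLE_INTERVALS)


if __name__ == "__main__":
    report, gaps = audit("2017-07-28T00:00:00")
    for name, (status, days) in report.items():
        print(f"{status:8} {days:6d} days  {name}")
    for gap in gaps:
        print(f"no decryption at {gap['when']} despite {gap['tls_bytes']} TLS bytes")
```

Both checks are cheap, and the second one is the important design point: the alert fires on the absence of expected output, which is the only way a silently disabled control ever announces itself.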
A few other things a defender would have wanted to notice, and didn't: the attackers found login credentials stored in plain, unencrypted text sitting on internal systems. Those passwords were the keys that let them reach roughly 51 separate databases. Strong defenders assume attackers will get an initial foothold and design the inside of the network to make the next steps hard: segmented networks, encrypted secrets, and alerts on unusual database queries, which is defense in depth in practice. Equifax's interior was soft, so one foothold turned into near-total access.
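"Alerts on unusual database queries" is the one item above that is pure detection engineering, so here is what such a rule looks like. Lateral movement with stolen credentials has a distinctive shape in database audit logs: one account starts reaching databases it has never touched before, many of them, in a short window. The detector below builds a per-account baseline of databases seen during a normal period and then flags any account that exceeds a small number of never-before-seen databases within an hour. It is an added example, not Equifax's tooling or code from the original article; the log format and every sample line are constructed for illustration.

```python
"""Flag accounts that suddenly reach many databases outside their baseline.

Added example, not Equifax's tooling. The audit-log format and all sample
lines are constructed; a real deployment reads the DBMS's own audit stream.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed format: "<ISO time> user=<account> db=<database> client=<ip> stmt=<SQL>"
LINE = re.compile(r"^(\S+) user=(\S+) db=(\S+) client=(\S+) stmt=(.*)$")


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        match = LINE.match(line)
        if match:  # unparseable lines are skipped, not fatal
            ts, user, db, client, stmt = match.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "db": db, "client": client, "stmt": stmt})
    return events


def baseline(events: List[dict]) -> Dict[str, Set[str]]:
    """Databases each account touched during the baseline period."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["db"])
    return seen


def detect(events: List[dict], known: Dict[str, Set[str]],
           window_hours: int = 1, max_new_dbs: int = 3) -> List[Tuple[str, str, List[str]]]:
    """Return (user, window start, new databases) wherever an account touches
    more than max_new_dbs databases absent from its baseline within one window."""
    buckets: Dict[Tuple[str, datetime], Set[str]] = defaultdict(set)
    for e in events:
        ts = e["ts"]
        start = ts.replace(hour=ts.hour // window_hours * window_hours,
                           minute=0, second=0, microsecond=0)
        buckets[(e["user"], start)].add(e["db"])
    findings = []
    for (user, start), dbs in sorted(buckets.items()):
        new = dbs - known.get(user, set())
        if len(new) > max_new_dbs:
            findings.append((user, start.isoformat(), sorted(new)))
    return findings


# Constructed "normal week" sample: the dispute service uses two databases,
# the reporting job legitimately fans out across several.
BASELINE_LOG = """\
2017-04-03T09:12:44 user=svc_dispute db=dispute_db client=10.10.4.21 stmt=SELECT status FROM cases WHERE id=?
2017-04-03T09:13:02 user=svc_dispute db=dispute_audit client=10.10.4.21 stmt=INSERT INTO audit VALUES (?)
2017-04-03T10:00:00 user=svc_reporting db=consumer_a client=10.10.8.5 stmt=SELECT count(*) FROM persons
2017-04-03T10:00:05 user=svc_reporting db=consumer_b client=10.10.8.5 stmt=SELECT count(*) FROM persons
2017-04-03T10:00:09 user=svc_reporting db=consumer_c client=10.10.8.5 stmt=SELECT count(*) FROM persons
2017-04-03T10:00:12 user=svc_reporting db=consumer_d client=10.10.8.5 stmt=SELECT count(*) FROM persons
"""

# Constructed incident sample: the dispute service account walks into
# databases it has never used, while the reporting job adds just one.
INCIDENT_LOG = """\
2017-05-14T02:10:01 user=svc_dispute db=dispute_db client=10.10.4.21 stmt=SELECT status FROM cases WHERE id=?
2017-05-14T02:31:47 user=svc_dispute db=consumer_a client=10.10.4.21 stmt=SELECT * FROM persons
2017-05-14T02:32:05 user=svc_dispute db=consumer_b client=10.10.4.21 stmt=SELECT * FROM persons
2017-05-14T02:33:19 user=svc_dispute db=consumer_c client=10.10.4.21 stmt=SELECT * FROM persons
2017-05-14T02:35:40 user=svc_dispute db=consumer_d client=10.10.4.21 stmt=SELECT * FROM persons
2017-05-14T02:36:02 user=svc_dispute db=hr_payroll client=10.10.4.21 stmt=SELECT * FROM employees
2017-05-14T03:00:10 user=svc_reporting db=consumer_a client=10.10.8.5 stmt=SELECT count(*) FROM persons
2017-05-14T03:00:15 user=svc_reporting db=consumer_e client=10.10.8.5 stmt=SELECT count(*) FROM persons
"""


def run_demo() -> List[Tuple[str, str, List[str]]]:
    return detect(parse_log(INCIDENT_LOG), baseline(parse_log(BASELINE_LOG)))


if __name__ == "__main__":
    for user, window, new_dbs in run_demo():
        print(f"{user} reached {len(new_dbs)} new databases in window {window}: {new_dbs}")
```

The baseline is what keeps this rule from paging on the reporting job, which legitimately touches many databases; the threshold and window are tuning knobs, and a second signal worth adding is a client address the account has never connected from before.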
Lessons Learned
Strip away the headlines and you get a short, practical checklist that applies to organizations of every size:
1. Patching is a process, not an event. Equifax knew about the flaw, was warned about it by the government, and even told its own staff to fix it. The breakdown was in execution and verification. Knowing about a patch means nothing until it's applied to every affected system and someone confirms it. A scan that says "you're fine" is only as good as its accuracy, and Equifax's scan missed the vulnerable server entirely.
2. Your security tools need their own maintenance. A monitoring system that isn't working is arguably worse than no monitoring at all, because it creates false confidence. Certificates expire on a schedule, and nobody tracking that expiration date kept a capable tool from doing its job for well over a year. Treat the absence of expected output from a control as an alert in its own right.
3. Assume the perimeter will fail, and harden the inside. Once attackers were in, almost nothing slowed them down. Storing passwords in plain text and letting one compromised system reach dozens of databases turned a single point of entry into a catastrophe. Network segmentation and properly protected credentials are what contain a breach instead of letting it spread.
4. Detection time is everything. The damage scales with how long an attacker goes unnoticed. Seventy-six days is an eternity. The faster you detect, the less an intruder can take.
Plain English Summary
Equifax had a known hole in one of its websites. A fix for that hole was available (and the company was even specifically warned to install it) but the fix never made it onto the vulnerable server, and a faulty scan failed to catch the mistake. Attackers found the hole, climbed in, and discovered the company had left its passwords lying around in plain text, which let them roam freely and reach the databases holding everyone's personal information.
They then spent more than two months quietly stealing that data, and nobody noticed - not because the theft was invisible, but because the security system meant to watch for it had been silently switched off by an expired certificate. The instant someone fixed the certificate, the alarms went off.
The core lesson is humbling: this wasn't beaten by an unstoppable hacker. It was the predictable result of ordinary security maintenance not getting done. Patch your systems and verify it worked, keep your security tools alive and healthy, don't store passwords in plain text, and assume that someday someone will get in - then make sure the inside of your house is just as secure as the outside.
Equifax eventually agreed to a settlement of up to $700 million with U.S. regulators and states, and in 2020 the U.S. charged four members of a Chinese military research unit in connection with the attack. One lasting upside for consumers: the breach helped make free nationwide credit freezes mandatory.