Equifax's $700 Million Lesson: How One Unpatched Bug Exposed 147 Million People
In 2017, Equifax failed to patch a publicly disclosed vulnerability for months. The result: personal data on roughly 147 million people exposed, congressional hearings, a Justice Department indictment of foreign state hackers, and a settlement of up to $700 million β a case study in why basic security hygiene is existential.
Equifax knew about a critical, publicly disclosed software vulnerability and did not patch it everywhere for more than two months, even after an internal email reportedly told administrators to fix it within 48 hours. That lapse let attackers walk in through the company's own online dispute portal, operate undetected for 76 days because a security certificate had been left expired for nearly a year, and quietly copy the financial identity of roughly 147 million people. The bill: a settlement of up to $700 million, a Justice Department indictment of foreign state hackers, a criminal conviction of one of Equifax's own executives, and congressional scrutiny few companies survive.
What happened
Equifax is one of the three major U.S. credit bureaus, holding financial and identity data β Social Security numbers, birth dates, addresses, credit histories β on nearly every adult in the country. On March 7, 2017, the Apache Software Foundation publicly disclosed CVE-2017-5638, a critical remote-code-execution flaw in Apache Struts, the open-source web framework running part of Equifax's online dispute portal, and released a patch the same day, per Apache's own statement (news.apache.org). Per the U.S. House Oversight Committee's investigative report, Equifax's security team circulated an internal email on March 9 instructing administrators to apply the patch within 48 hours β but it was not applied to every affected system.
By March 10, both security researchers and attackers were already scanning the internet for unpatched servers, per timelines compiled from contemporaneous security reporting. Equifax's own account places the intrusion's start around mid-May 2017, when attackers exploited the still-unpatched Struts instance on the dispute portal to gain a foothold. A scan Equifax ran on March 15 specifically to find systems vulnerable to this flaw failed to catch the exposed server β the Government Accountability Office's 2018 report (GAO-18-559) found Equifax's patching process was reactive and depended on scans and alerts that, here, simply did not work.
For roughly two and a half months the intruders moved laterally through the network, eventually finding database credentials stored in plain text and using them to query systems holding consumer records, per the GAO report and congressional testimony. They went uncaught partly because a certificate used to inspect encrypted traffic had expired about ten months earlier and was never renewed, leaving that channel effectively unmonitored. Equifax says it discovered the breach on July 29, 2017, after finally renewing the expired certificate and spotting the suspicious traffic it had been missing all along, then shut the intrusion down the next day β 76 days after it began.
Equifax waited until September 7, 2017 β about six weeks after discovery β to disclose the breach publicly. The company's own disclosures put the final tally at approximately 147.9 million people in the U.S., plus an estimated 15.2 million UK residents and roughly 19,000 Canadians, with exposed data including names, Social Security numbers, dates of birth, addresses, some driver's license numbers, and about 209,000 credit card numbers. Equifax's stock dropped roughly 13% the day after disclosure and kept falling in the weeks that followed. Its Chief Information Officer and Chief Security Officer departed within about a week; CEO Richard Smith retired on September 26, 2017.
The fallout went beyond bad headlines. In March 2019, former Equifax business-unit CIO Jun Ying was convicted of insider trading for selling stock after privately concluding the company had been breached but before public disclosure; he was sentenced to four months in prison plus restitution and a fine, per DOJ and SEC records β another employee, Sudhakar Reddy Bonthu, had already pleaded guilty to related insider trading in 2018. In February 2020, the DOJ indicted four members of China's People's Liberation Army for carrying out the intrusion, calling it one of the largest known thefts of personal data by state-sponsored hackers (justice.gov). And on July 22, 2019, Equifax reached a global settlement with the FTC, the CFPB, and 48 states, D.C., and Puerto Rico worth up to $700 million β at least $575 million guaranteed, including roughly $300 million (expandable to $425 million) for consumer compensation and credit monitoring, $175 million to the states, and a $100 million CFPB penalty (ftc.gov).
The mistake, dissected
Strip away the scale and the zeros, and the technical root cause is almost mundane: Equifax knew about a specific, named, patchable vulnerability and failed to patch every system running it, for more than two months, despite an internal directive to fix it within 48 hours. That is not an exotic zero-day or an unstoppable supply-chain attack β those descriptors belong to the actors who exploited the hole, not to the hole itself. The initial failure was ordinary patch management, the least glamorous job in security.
What turned a missed patch into a catastrophe was everything around it that also failed. The vulnerability scan meant to catch exactly this gap didn't find the exposed server, so nobody got a second warning. Databases holding sensitive records were reachable from the compromised web-facing system because of weak network segmentation, turning a single foothold into access to the crown jewels. Credentials to those databases were stored in plain text, so attackers needed no further effort once they found one. And the certificate that would have let security tools inspect outbound traffic had been expired for the better part of a year, so months of exfiltration triggered no alarms. The GAO's assessment was blunt: identification, detection, segmentation, and data governance all failed at once.
None of these were exotic disciplines. Patch within a defined SLA and verify closure; run scanners that cover your real asset inventory; segment sensitive data stores from public-facing services; never store credentials in plain text; keep certificates current. This is the basic hygiene checklist every security team is supposed to run, not a hard problem. The breach happened not because Equifax lacked sophistication, but because routine, individually survivable oversights lined up at once, inside a system holding the identity data of most U.S. adults.
Why smart founders fall for it
Founders rarely skip patching because they're careless; they skip it because patching competes for the same hours as the feature due Friday, and a hypothetical breach feels less urgent than a real deadline. Vulnerability scanners create a false sense of coverage β if the tool didn't flag it, the reasoning goes, it must be fine β even though scanners routinely miss systems they were never configured to see. Security work is also invisible when it succeeds: nobody celebrates the breach that didn't happen, so budget drifts toward whatever is visible instead. Equifax was not a scrappy startup; it was a decades-old, heavily regulated public company with a dedicated security organization, and it still let a known, patchable bug sit for months. The warning for smaller companies: headcount doesn't automatically produce security discipline β specific, enforced processes do.
The principle
The lesson generalizes far beyond credit bureaus: the data you hold is a liability from the moment you collect it, and the routine, unglamorous parts of security β patching, credential hygiene, certificate renewal, network segmentation β are what stand between a disclosed vulnerability and a catastrophic breach. A single missed patch is rarely fatal alone; what turns it into an existential event is the absence of backstops that should have caught it β verified scanning, least-privilege access, encrypted-traffic inspection, and a patching SLA enforced rather than merely emailed. Compliance checkboxes and security theater do not protect you; verified, tested controls do.
How to avoid it
You don't need Equifax's budget to avoid Equifax's mistake β you need a short list of controls that are actually verified in practice, not just written down in a policy document.
| Control | What Equifax got wrong | What to do instead |
|---|---|---|
| Patch SLA | Patch ordered βwithin 48 hoursβ but never verified as applied everywhere | Track every patch to closure with an owner and a deadline; don't close the ticket on βemail sentβ |
| Vulnerability scanning | Scan ran on schedule but didn't cover the affected system | Validate scanner coverage against your real, current asset inventory, not an assumed one |
| Network segmentation | Public-facing web server had a path to sensitive databases | Isolate systems holding regulated data behind their own access boundary |
| Credential storage | Database credentials found stored in plain text | Use a secrets manager; encrypt and rotate credentials by default |
| Certificate & monitoring hygiene | SSL-inspection certificate expired for ~10 months, unnoticed | Alert automatically on certificate expiry; monitor encrypted traffic continuously |
| Incident response drills | 76 days elapsed between intrusion and detection | Run regular detection and tabletop drills so gaps like this surface before attackers find them |
Frequently Asked Questions
Was the Equifax breach caused by a sophisticated, unpreventable attack?
No. According to the U.S. Government Accountability Office's 2018 report (GAO-18-559), the attackers exploited a vulnerability for which a public patch had been available since March 7, 2017 β three days before exploitation is believed to have begun. The GAO traced the failure to Equifax's own reactive patch-management process and gaps in detection, segmentation, and data governance, not to an unpreventable zero-day.
How much did the Equifax breach ultimately cost the company?
The most-cited figure is the July 22, 2019 global settlement with the FTC, the CFPB, and 48 states, D.C., and Puerto Rico, worth up to $700 million, with at least $575 million guaranteed β including a consumer compensation and credit-monitoring fund, payments to the states, and a $100 million CFPB penalty, according to the FTC's press release. That figure does not include separate state or foreign regulatory penalties, litigation costs, or Equifax's own remediation spending, so the true all-in cost is widely reported as higher than the headline number.
Did anyone face personal legal consequences for the breach?
Yes, on two separate fronts. In February 2020 the U.S. Department of Justice indicted four members of the Chinese military for carrying out the intrusion. Separately, former Equifax business-unit CIO Jun Ying was convicted of insider trading for selling stock after privately concluding the company had been breached but before the public disclosure, and was sentenced to four months in prison, restitution, and a fine, according to DOJ and SEC records; another Equifax employee, Sudhakar Reddy Bonthu, pleaded guilty to related insider trading in 2018.
Sources
This case study draws on the Federal Trade Commission's July 22, 2019 press release announcing the Equifax settlement (ftc.gov); the U.S. Government Accountability Office's 2018 report βData Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach,β GAO-18-559 (gao.gov); the U.S. Department of Justice's February 2020 announcement of the indictment of four Chinese military members and its press release on Jun Ying's sentencing for insider trading (justice.gov); the Apache Software Foundation's own statement on the Struts vulnerability (news.apache.org); and the Wikipedia summary of the 2017 Equifax data breach timeline, cross-checked against contemporaneous reporting. Figures are rounded and hedged where sources vary.
A patch that takes an afternoon to apply is cheap. The same patch, skipped for two months on a system holding the identity of 147 million people, is a $700 million lesson in why boring security hygiene is the whole job.
β alokknight Engineering
