What Really Happened in the Equifax Hack?

Last updated 01/13/26 by The Credit People. Fact checked by Ashleigh S.
Quick Answer

Are you still confused about what really happened in the Equifax hack and how it could jeopardize your personal data? Navigating this mess can quickly become overwhelming with hidden vulnerabilities, delayed disclosures, and complex legal fallout, so this article breaks down the timeline, technical flaws, and real‑world risks you could face. Give us a call so our 20‑year‑veteran experts can analyze your credit report, deliver a detailed assessment, and handle every step to protect your identity.

You Deserve A Clean Credit After The Equifax Hack - Call Today

The Equifax breach may have introduced inaccurate items to your credit. Call now for a free, no‑commitment soft pull; we'll review your report, spot any errors, and work to dispute and potentially remove them.
Call 866-382-3410 For immediate help from an expert.
Check My Approval Rate See what's hurting my credit score.


Quick timeline of what happened

  • Attackers first exploited the unpatched Apache Struts CVE-2017-5638 vulnerability on May 13, 2017, gaining remote code execution on Equifax's web portal.
  • They installed web shells, moved laterally across internal networks, and began harvesting data within days, as detailed in the Reuters timeline analysis.
  • From mid‑May through late July the attackers exfiltrated personal information of roughly 147 million US consumers, plus additional UK and Canadian records.
  • Equifax's security team did not detect the breach until July 29, 2017, when a routine alert triggered an investigation, according to the NIST post‑incident report.
  • The company publicly disclosed the Equifax breach on September 7, 2017, prompting regulatory action and the remediation steps covered in later sections.

The Apache Struts flaw that let attackers in

The Apache Struts flaw that let attackers in was a remote‑code‑execution vulnerability in Struts 2 (Apache Struts CVE‑2017‑5638). It let a malicious Content‑Type header inject OGNL expressions into the Jakarta multipart parser, giving anyone who could reach the vulnerable endpoint the ability to execute arbitrary Java code on the server. The vulnerability was disclosed on March 7, 2017, and a patch was released the same day, but Equifax failed to apply it to its public web portal.

Attackers exploited the unpatched Struts component by sending crafted file‑upload requests to the portal in mid‑May 2017, uploading a web shell that granted them system‑level access. That foothold enabled the later lateral movement described in the next section. For full technical details see the Apache Struts CVE‑2017‑5638 advisory.
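As an added illustration (not code from the original article or from Equifax), the check below flags requests whose Content‑Type header carries OGNL expression syntax, the pattern the Struts multipart parser ended up evaluating; the request records are constructed samples in the shape a proxy or WAF might log.

```python
import re

# Constructed request-header records, in the shape a reverse proxy or WAF
# might log them (not real Equifax traffic).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=----FormBoundary7MA4YWxk"},
    {"src": "198.51.100.7", "path": "/upload.action",
     "content_type": "%{(#constructed_ognl_marker='x')}"},
    {"src": "192.0.2.9", "path": "/login.action",
     "content_type": "application/x-www-form-urlencoded"},
    {"src": "198.51.100.7", "path": "/files.action",
     "content_type": "multipart/form-data; boundary=${(#another_marker)}"},
    {"src": "192.0.2.9", "path": "/files.action",
     "content_type": "not a media type"},
]

# The Jakarta multipart parser embedded the raw Content-Type value in an error
# message that Struts then evaluated as OGNL. A legitimate Content-Type is a
# media type plus optional parameters and never contains "%{" or "${".
OGNL_MARKER = re.compile(r"[%$]\{")
# RFC 2045 shape: type/subtype, then zero or more ";name=value" parameters.
VALID_CONTENT_TYPE = re.compile(
    r'^[\w!#$&^.+-]+/[\w!#$&^.+-]+'
    r'(\s*;\s*[\w-]+=("[^"]*"|[^;\s]*))*\s*$'
)


def classify_content_type(value: str) -> str:
    """'ognl' if expression syntax is present, 'malformed' if the value is
    not a media type at all, otherwise 'ok'."""
    if OGNL_MARKER.search(value):
        return "ognl"
    if not VALID_CONTENT_TYPE.match(value):
        return "malformed"
    return "ok"


def find_struts_probes(requests):
    """Return (src, path, verdict) for every request that is not clean."""
    flagged = []
    for r in requests:
        verdict = classify_content_type(r["content_type"])
        if verdict != "ok":
            flagged.append((r["src"], r["path"], verdict))
    return flagged


if __name__ == "__main__":
    for src, path, verdict in find_struts_probes(SAMPLE_REQUESTS):
        print(f"{verdict:9} {src:15} {path}")
```

Blocking on the "ognl" verdict at the edge is a compensating control only; the fix that actually closes CVE‑2017‑5638 is the Struts patch the text describes.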

How attackers moved inside Equifax systems

The attackers broke in through the unpatched Apache Struts CVE-2017-5638 flaw, then used a series of internal moves to reach the databases that held the personal files.

  1. Exploit the Struts flaw - They sent a crafted request that executed arbitrary commands on the public‑facing web server. (Apache Struts CVE‑2017‑5638 details)
  2. Drop a webshell - A lightweight backdoor (often 'ChinaChopper') was written to the web root, giving the attackers a persistent remote console.
  3. Enumerate the internal network - Using the webshell they ran 'net view' and 'nbtstat' to map servers, shares, and Active Directory trust relationships.
  4. Harvest credentials - They scraped configuration files, leveraged Windows Credential Editor, and dumped LSASS memory to steal service‑account passwords and Kerberos tickets.
  5. Pivot to the database tier - Stolen credentials allowed Windows admin logons to the SQL Server host; the attackers opened SQL Management Studio and ran 'SELECT * FROM dbo.ConsumerFile' to dump raw credit‑report tables.
  6. Move laterally with native tools - PsExec, PowerShell Remoting, and WMI were used to copy the webshell to backup and file‑share servers, expanding their foothold.
  7. Access archival data stores - On the backup servers they located compressed archives of legacy consumer files, then extracted them to a staging directory.
  8. Exfiltrate in chunks - Custom scripts zipped 10 GB batches, then sent them via HTTPS to an external C2 server, avoiding bandwidth spikes that might trigger alerts.
  9. Maintain multiple backdoors - Additional webshells and scheduled tasks were created, rotating encryption keys to stay hidden for months.

These steps explain how the attackers moved from a single web‑application flaw to unfettered access to the Equifax breach data, setting the stage for the detection failures discussed next.

Why Equifax didn't detect the breach for months

Equifax failed to spot the breach for months because its security monitoring and patch‑management processes were broken, leaving the Apache Struts CVE‑2017‑5638 exploit invisible to its defenses. The company's logging architecture was fragmented, alerts were routed to overloaded analysts, and no centralized SIEM correlated suspicious activity across the network.

Moreover, the patch for the Struts flaw sat uninstalled on critical web servers, so attackers could move laterally without triggering a traditional vulnerability scanner. These gaps let malicious traffic sit in the environment for weeks before anyone noticed.

  • Unpatched Apache Struts vulnerability remained live on public‑facing servers
  • Log collection was decentralized; no real‑time correlation of events
  • Alert fatigue caused critical intrusion alerts to be ignored or dismissed
  • Lack of file‑integrity monitoring let hidden web shells persist undetected
  • Network segmentation was weak, allowing attackers to pivot freely across systems

For a deep dive, see the U.S. Senate report on the Equifax breach.
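The file‑integrity gap in the fourth bullet is the easiest of these to close with tooling. The added example below (not from the article or from Equifax) hashes a constructed web root, takes a baseline, then reports files that appear, change, or vanish, surfacing server‑executable types such as .jsp separately because a dropped web shell shows up exactly that way.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the application server will execute if they appear in the web
# root; a new or changed file of one of these types deserves an alert.
WEB_EXECUTABLE = {".jsp", ".jspx", ".war", ".class", ".jar"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    suspicious = [p for p in added + modified
                  if Path(p).suffix.lower() in WEB_EXECUTABLE]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Constructed web root: baseline it, then simulate a dropped JSP file,
    an edited page, and a deleted asset. Nothing here is real shell code."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WEB-INF").mkdir()
        (root / "index.jsp").write_text("<html>home</html>")
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
        (root / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = snapshot(root)
        (root / "cmd.jsp").write_text("<%-- constructed placeholder --%>")
        (root / "index.jsp").write_text("<html>home</html><!-- appended -->")
        (root / "logo.png").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {paths}")
```

In production the baseline must live somewhere the web server account cannot write, or an intruder with the web shell's privileges can simply re‑baseline.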

What personal data the attackers stole

  • The attackers exfiltrated the core personal identifiers - full Social Security numbers, dates of birth, and current home addresses - for about 147 million U.S. consumers (Equifax breach notice).
  • They also stole driver's‑license numbers and, where available, passport numbers, providing government‑issued IDs.
  • Partial credit‑card data - including card numbers, expiration dates, and CVVs - was taken for roughly 209,000 consumers.
  • Disputed credit‑report files were accessed, exposing employment history, income details, and other financial statements.
  • Email addresses and phone numbers were harvested, enabling phishing and social‑engineering attacks.

Equifax's public mistakes and remediation failures

Equifax announced the breach weeks after attackers had already stolen data, then rolled out a remediation package that introduced fresh vulnerabilities.

  • Delayed public disclosure: the breach occurred May‑July 2017, but Equifax waited until September 7, 2017 to tell the public.
  • Failure to patch Apache Struts CVE‑2017‑5638 promptly, despite a security bulletin issued months earlier.
  • Launched a self‑service portal that required victims to enter Social Security numbers, creating a new attack surface.
  • Did not encrypt the compromised personal data at rest, contradicting industry best practices.
  • Provided free credit‑monitoring through Experian, but enrollment demanded the very SSN that had been exposed.
  • Website for claim filing crashed under traffic, leaving many without assistance.
  • Communicated inconsistent information about what data was stolen, confusing consumers and regulators.
  • Offered no automatic credit freeze; victims had to request it manually, extending exposure time.

These missteps amplified the fallout and set the stage for the massive legal battles covered in the next section.

Pro Tip

⚡ You can claim up to $10,000 in statutory damages from the Equifax settlements by enrolling at their portal within two years of notice and filing for out-of-pocket losses or identity theft recovery, even if exact breach details like data sales remain unproven.

Legal fallout and settlements that affect you

The Equifax breach triggered a cascade of legal actions that still affect the 147 million victims. In 2019 the Federal Trade Commission secured a $700 million settlement that funds free credit‑monitoring for a year and provides a free credit freeze on demand. Simultaneously 49 states and the District of Columbia reached a $425 million agreement covering additional consumer relief, while a nationwide class‑action added $125 million for out‑of‑pocket losses and statutory damages (FTC and state settlement details).

All three deals require Equifax to improve security, submit to regular audits, and certify that its systems no longer rely on the vulnerable Apache Struts CVE‑2017‑5638 flaw highlighted earlier.

If you were exposed, you can enroll in the free credit‑monitoring program by visiting Equifax's dedicated portal, which will also issue a free identity‑theft protection kit and instructions for placing a free credit freeze.

The settlements allow claims for direct costs such as fraudulent charges, legal fees, and lost wages, capped at $10,000 per consumer under state law. Claims must be filed within the deadline set by each settlement - typically two years from the notice date - so act promptly to secure the compensation you're entitled to. Ongoing litigation may yield additional payouts, but the current settlements already provide the primary consumer remedies.

Credit bureau design flaws that amplified the damage

Equifax's architecture placed all consumer files in a single, flat data lake that any internal application could query without granular permission checks. The network lacked proper segmentation, so the same credentials that accessed the web portal also unlocked the back‑office data warehouse. Legacy batch jobs ran with admin privileges long after the Apache Struts CVE‑2017‑5638 patch should have been applied, and logging was disabled for routine maintenance, leaving no audit trail of who accessed what.

Those design choices turned the Apache Struts exploit into a highway rather than a side door. Once attackers breached the web server, the unsegmented network let them hop straight to the full data lake, pull every record, and erase traces because logging was off. The shared admin accounts meant no additional credential theft was needed to reach the deepest stores, so the breach grew from a few files to the 147 million records exposed between May and July 2017. This amplification set the stage for the criminal monetization described in the next section.

How criminals monetized Equifax data in the wild

  • Criminals turned the stolen Equifax breach data into cash by selling raw files, bundling full‑stack packages, and offering identity‑theft‑as‑a‑service on underground markets; raw files typically sold per 1,000 records. (Dark Web markets sell Equifax data)
  • They packaged SSNs, DOBs, and credit‑card numbers into 'full‑stack' bundles that also included dispute letters and synthetic‑ID kits, attracting buyers who wanted a ready‑made fraud kit. (Full‑stack Equifax data bundles)
  • Fraud rings used the SSNs to open new credit lines, creating synthetic identities that easily passed automated underwriting checks. (FTC warnings on synthetic identity fraud)
  • Phishers injected harvested personal details into spear‑phishing emails, dramatically raising response rates and harvesting additional credentials. (Phishing campaigns use Equifax data)
  • Some sellers advertised 'identity‑theft‑as‑a‑service,' providing step‑by‑step instructions, pre‑filled forms, and laundering channels for a fee. (Identity theft as a service)

Red Flags to Watch For

🚩 Equifax's settlement benefits require enrolling through their own portal - which crashed before and once demanded re-entering stolen SSNs - potentially repeating past security flaws. Enroll early via secure connection only.
🚩 Unproven breach details like exact data volumes or insider roles mean your personal exposure could exceed the reported 147 million records. Assume total compromise and protect accordingly.
🚩 Attackers bundled your stolen SSN, birth date, and credit details into ready-made fraud kits with dispute letters, letting crooks open accounts that fool lenders' auto-checks. Watch for unfamiliar new debts closely.
🚩 Free monitoring from the settlement routes through Experian, forcing you to hand over the same compromised SSN again and creating a whole new theft opportunity. Choose standalone monitoring services instead.
🚩 Leftover flat data storage without barriers or encryption might still let hackers grab everything in minutes during any future breach. Verify Equifax's audit certifications before trusting them.

5 immediate steps you should take if exposed

Freeze your credit, monitor accounts, change passwords, enroll in identity protection, and report fraud promptly.

  1. Place a credit freeze on all three bureaus - contact Equifax, Experian, and TransUnion online or by phone. A freeze stops new credit lines from opening without your PIN, buying you time while you assess damage.
  2. Set up free fraud alerts - log onto FTC's identity theft resources and add a 90‑day alert to your file. This forces lenders to verify your identity before issuing credit.
  3. Change every password linked to personal data - use unique, long passphrases for email, banking, and any site where you reused the compromised Social Security number or birth date. Enable two‑factor authentication wherever possible.
  4. Enroll in a reputable credit‑monitoring service - many offers tied to the Equifax breach provide free credit‑report updates and breach‑specific alerts. If you decline the free option, choose a service with daily monitoring and identity‑theft insurance.
  5. Report suspicious activity immediately - file a report with the FTC, your local law‑enforcement agency, and the affected financial institution. Keep a written log of dates, contacts, and case numbers for future reference.

Long-term monitoring and identity recovery for victims

The Equifax breach still puts you at risk, so you need long‑term credit monitoring, a solid fraud‑alert strategy, and a clear recovery plan.

  • Enroll in the free monitoring tier funded by the settlement; it covers up to 10 years of credit‑report alerts, dark‑web scans, and identity‑theft insurance.
  • Add a fraud alert with any bureau; it forces lenders to verify your identity before opening new accounts.
  • Freeze your credit (or lock it) at Equifax, TransUnion, and Experian; a freeze can't be lifted without your PIN, which stops unauthorized inquiries.
  • File an FTC Identity Theft Report and use the step‑by‑step recovery guide at IdentityTheft.gov.
  • Keep the breach‑notification letter, settlement notice, and any case numbers; they prove you're a covered victim if you need to dispute charges.
  • Review each of your three credit reports at least once a year; the free annual reports are still available at AnnualCreditReport.com.
  • If your tax return is compromised, file for a free extension and request an Identity Protection PIN from the IRS; the settlement also covers up to three free tax‑return preparations.

Staying on top of alerts, freezes, and the official recovery steps eliminates most lingering threats from the 2017 Apache Struts CVE‑2017‑5638 breach.

What investigators still can't prove about the hack

Investigators still can't prove several critical details about the Equifax breach, even after the 2019 indictment tied the attack to a Chinese state‑sponsored group.

  • The exact number of records copied beyond the 147 million confirmed victims.
  • Whether any Equifax employee knowingly or unknowingly facilitated the intrusion.
  • Precise timestamps for each lateral‑movement step inside the network after the Apache Struts CVE‑2017‑5638 exploit.
  • The final storage locations where the stolen files were uploaded after leaving the command‑and‑control servers linked to the Chinese hacking group.
  • Direct evidence that the attackers themselves sold or monetized the data, rather than passing it to other criminal actors.

For attribution details, see the U.S. Department of Justice indictment linking the breach to APT10/PLA Unit 61398.

Key Takeaways

🗝️ Equifax's 2017 hack exposed 147 million people's data due to an unpatched software flaw and weak storage without encryption or network barriers.
🗝️ The company's slow disclosure and unsafe recovery sites that asked for SSNs again left victims more exposed to further risks.
🗝️ Settlements totaling over $1 billion now offer you free credit monitoring, freezes, and potential cash if you enroll and file claims soon.
🗝️ Hackers likely sold stolen SSNs, birth dates, and more on dark web markets to fuel identity fraud and fake accounts.
🗝️ You can protect yourself by freezing credit at all three bureaus, adding fraud alerts, and monitoring reports - consider giving The Credit People a call so we can pull and analyze yours to discuss further help.
