What Was the Equifax Cybersecurity Incident?

• The Equifax breach exposed personal data of about 147 million Americans after attackers slipped in through an unpatched Apache Struts flaw (CVE‑2017‑5638) and stayed hidden from May to July 2017.
• Attackers exploited the Struts vulnerability in Equifax's web portal, bypassed authentication, and moved laterally across internal servers.
• They harvested Social Security numbers, birth dates, addresses, driver's‑license numbers and some credit‑card details.
• Equifax discovered the intrusion in late July, began internal investigations, and publicly disclosed the breach on September 7 2017.
• This snapshot sets up the detailed breach timeline below and explains why the ensuing response failed, as covered in later sections.

The Equifax breach unfolded from a first intrusion in early May 2017 to a public disclosure on September 7 2017.

1. May 13 2017 - Initial exploit - Attackers used the unpatched Apache Struts CVE‑2017‑5638 flaw to run malicious code on Equifax's web portal.
2. May 30 2017 - Persistence - Web shells were installed, giving attackers ongoing access to the internal network.
3. June 2 2017 - Lateral movement - Credential dumping and privilege escalation let the attackers explore database servers.
4. July 29 2017 - Data exfiltration - Over several weeks personal data - including Social Security numbers, birth dates and addresses - were copied to external locations.
5. August 2 2017 - Internal detection - Equifax's security team identified anomalous traffic but did not contain the breach promptly.
6. September 7 2017 - Public disclosure - Equifax announced the incident, confirming that roughly 147 million individuals were affected. Details are documented in the FTC Equifax breach timeline.

(See the next section 'how attackers broke into Equifax's systems' for technical depth.)

Attackers first entered the Equifax breach through a publicly exposed web portal that ran an outdated Apache Struts framework. By sending a specially crafted request that exploited the unpatched CVE‑2017‑5638 vulnerability, they executed remote code and installed a backdoor on the application server in early May 2017.

With that foothold they harvested legitimate credentials, jumped to internal systems, and accessed the databases that stored personal data. Weak network segmentation and insufficient logging let the actors linger until July, siphoning data from roughly 147 million records. The next section dives deeper into the specific Struts flaw that made the initial break possible.

Attackers entered the Equifax breach through an unpatched Apache Struts vulnerability, identified as CVE-2017-5638 remote code execution flaw, which let them run arbitrary code on the public‑facing web portal.

• The flaw resides in the Struts2 Jakarta Multipart parser; a crafted Content‑Type header triggers code execution.
• Equifax's web servers missed the March 2017 security patch, leaving the flaw active throughout May‑July 2017.
• Attackers sent malicious requests, gained a foothold, then pivoted to internal databases storing personal data.
• The persistence of the unpatched component enabled the prolonged intrusion that was only disclosed in September 2017.

Attackers walked away with the core identifiers that power credit and government services.

• Full legal name
• Social Security number
• Date of birth
• Residential address
• Driver's license number (where available)
• Credit‑card numbers and expiration dates (about 209,000 records)
• Dispute documents such as insurance claims and utility bills

With that mix of IDs, fraudsters could open new accounts, file false tax returns, or impersonate victims, a theme we'll unpack in the next section.

The below content will be converted to HTML following it's exact instructions:
Approximately 147 million people had their data exposed during the Equifax breach. The figure comes from the settlement documents released after the incident and reflects all U.S. consumers whose records were compromised, plus a smaller number of Canadians and British residents.

These individuals lost personal data such as Social Security numbers, birth dates and addresses to the attackers. According to the official Equifax breach report, the breach affected roughly 147 million consumers, setting the stage for the next section on how Equifax handled the breach and where it failed.

Equifax announced a public response - including a dedicated website, free credit‑monitoring subscriptions, and a $700 million settlement - but it faltered in critical areas such as timely notification, root‑cause remediation, and transparent communication.

Equifax's failures began with the unpatched Apache Struts CVE‑2017‑5638 flaw that let attackers linger from May to July 2017, yet the company did not apply the September 2017 patch until weeks after the intrusion was discovered.

It delayed public disclosure until September, leaving roughly 147 million people unaware of the exposure of personal data for months; its breach‑response portal leaked additional information, and the offered monitoring services were tied to confusing enrollment processes. These missteps amplified consumer mistrust and set the stage for the real‑world fraud tactics described in the next section. FTC overview of the Equifax breach settlement

Criminals turned the stolen personal data from the Equifax breach into cash and fraud almost immediately. They used Social Security numbers, birth dates, and addresses to fabricate identities, hijack accounts, and sell the information online.

• Opened new credit cards and loans under victims' names, using SSNs to pass verification.
• Filed fraudulent tax‑return claims and unemployment benefits, cashing checks before detection.
• Created synthetic identities by mixing real and fabricated data, then used them for merchant accounts and loan programs.
• Purchased the full data set on dark‑web markets for $1‑$5 per record, as detailed in the FTC report on identity theft.
• Conducted credential‑stuffing attacks on banking and e‑commerce sites, exploiting reused passwords tied to the stolen profiles.

Equifax paid a total of $700 million to settle the breach, covering consumer restitution, state penalties, and a federal fine.

The settlement broke down into $425 million for affected consumers - free credit monitoring, identity‑theft protection, and cash payments for verified claims - $175 million to the Federal Trade Commission and $100 million to state attorneys general, plus a share for legal costs.

That financial fallout underscores why the next section explains exactly what you should do if your personal data was exposed, from credit freezes to fraud alerts.FTC Equifax settlement details

If your personal data was exposed in the Equifax breach, act quickly to protect your identity.

1. Freeze all three major credit files with Experian, TransUnion, and Equifax; a freeze prevents new accounts from opening without your consent.
2. Enroll in the free credit monitoring offered after the Equifax breach; the service alerts you to suspicious activity and provides identity‑theft insurance.
3. Change passwords, PINs, and security questions for any account that uses your Social Security number or other stolen details; use a unique, strong password for each site.
4. Install reputable anti‑malware software and run a full scan; attackers often use stolen data to deliver phishing or ransomware.
5. Review bank, credit‑card, and medical statements weekly; flag any unauthorized charges or new accounts immediately.
6. Report confirmed fraud to the Federal Trade Commission and consider filing a police report; documentation helps clear your name and supports future claims.

Six security lessons businesses must learn from the Equifax breach are:

• Patch every known vulnerability immediately - the attackers exploited the unpatched Apache Struts CVE‑2017‑5638 flaw, giving them foothold for months.
• Maintain an up‑to‑date asset inventory - unknown servers let the breach linger; knowing every system lets you prioritize defenses.
• Segment networks and restrict lateral movement - attackers moved freely across Equifax's flat architecture; isolation limits damage.
• Implement continuous monitoring and rapid alerting - anomalous traffic went unnoticed for weeks; real‑time detection shortens dwell time.
• Test and rehearse an incident‑response plan - Equifax's public disclosure lagged months, eroding trust; a practiced plan speeds containment and communication.
• Vet and secure third‑party components - the vulnerable Struts library originated from a vendor; enforce security standards across the supply chain.