On September 7, 2017, Equifax — one of the three major U.S. consumer credit reporting agencies — announced a data breach that exposed the personal information of approximately 147.9 million people. The breach was caused by the exploitation of a known vulnerability in Apache Struts, an open-source web application framework. What made this incident extraordinary was not just its scale, but the fact that a patch for the vulnerability had been publicly available for months before Equifax was attacked. The Equifax breach stands as a defining example of how third-party software risk and patch management failures can have catastrophic consequences.
The Vulnerability: CVE-2017-5638
On March 6, 2017, the Apache Software Foundation published security bulletin S2-045 for CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts 2. The flaw was in the Jakarta Multipart parser: when a request arrived with a malformed Content-Type header, the parser built an error message from the header value and that message was evaluated as an OGNL expression, so an attacker could run arbitrary commands on the server with a single unauthenticated HTTP request to any Struts-handled URL. NVD assigned the vulnerability a CVSS v3 base score of 10.0, the maximum possible severity. Fixed releases (Struts 2.3.32 and 2.5.10.1) were available the same day the bulletin was published, and the vulnerability was being exploited in the wild within days.
Equifax used Apache Struts to power its online dispute portal, a public-facing web application where consumers could file disputes about information on their credit reports. Despite being notified of the vulnerability through a US-CERT alert on March 8 and an internal notice on March 9, Equifax did not apply the patch to the affected system, and a subsequent vulnerability scan failed to flag the portal as running a vulnerable Struts version.
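The two checks an operator would actually have wanted in March 2017 are a version check against the ranges named in S2-045 and a log search for the exploit's signature. The following is an added example and not code from this page, from Equifax or from the Apache Struts project. The log format, the regex and the sample log lines are constructed for the example; adapt the regex to whatever your proxy or WAF records. It assumes your access log captures the Content-Type request header, which default access logs do not.

```python
"""Added example (not from the page, Equifax or Apache): two defender-side
checks for CVE-2017-5638 / S2-045.

1. is_vulnerable_struts() compares a Struts 2 version string with the
   affected ranges in S2-045 (2.3.5-2.3.31 and 2.5-2.5.10; fixed in
   2.3.32 and 2.5.10.1).
2. scan_access_log() flags requests whose Content-Type header contains
   OGNL expression markers, the signature of the public exploit.
"""
import re
from typing import Dict, List, Optional, Tuple

# Affected version ranges from S2-045, inclusive at both ends.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
)

# Fragments of an OGNL expression. None of them belongs in a media type,
# so any one of them inside a Content-Type value is a strong indicator.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.", "#context",
                "getRuntime", "ProcessBuilder")

# Constructed log format (assumption): client [ts] "request" status "Content-Type".
# Something like Apache httpd's %{Content-Type}i in a custom LogFormat.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ctype>.*)"$'
)

# Constructed sample: two benign requests, then two exploit attempts whose
# payloads are shortened forms of the widely published S2-045 proof of concept.
SAMPLE_LOG = """\
203.0.113.7 [13/May/2017:02:14:05 +0000] "POST /dispute/upload HTTP/1.1" 200 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
203.0.113.7 [13/May/2017:02:14:07 +0000] "GET /dispute/status HTTP/1.1" 200 "-"
198.51.100.23 [13/May/2017:02:15:41 +0000] "POST /dispute/upload HTTP/1.1" 200 "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='whoami')}"
198.51.100.23 [13/May/2017:02:15:43 +0000] "GET / HTTP/1.1" 200 "${(#_memberAccess['allowStaticMethodAccess']=true)}"
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Raises ValueError on anything else."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Struts version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_struts(version: str) -> bool:
    """True if the version falls inside an S2-045 affected range.

    Tuple comparison does the right thing for patch releases: (2, 5, 10, 1)
    sorts after (2, 5, 10), so 2.5.10.1 is correctly reported as fixed.
    """
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def suspicious_content_type(value: str) -> List[str]:
    """Return the OGNL markers present in a Content-Type header value."""
    return [m for m in OGNL_MARKERS if m in value]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one line of the constructed log format, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return the parsed records whose Content-Type looks like an OGNL payload."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        markers = suspicious_content_type(rec["ctype"])
        if markers:
            rec["markers"] = ",".join(markers)
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "VULNERABLE" if is_vulnerable_struts(ver) else "fixed")
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["client"], hit["request"], "->", hit["markers"])
```

Two practical notes. The request path does not matter for this bug: the Jakarta parser runs on any Struts-handled URL, so an exploit attempt against `/` is as dangerous as one against an upload endpoint, which is why the scan keys on the header rather than the path. And a version check only helps if you know which version is deployed; on a Java host the quickest ground truth is the name of the `struts2-core-<version>.jar` on the classpath, not what the change-management system says was installed.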
The Breach Timeline
According to the U.S. Government Accountability Office (GAO) report published in August 2018, attackers first exploited the unpatched Apache Struts vulnerability on May 13, 2017 — more than two months after the patch became available. The attackers maintained access to Equifax systems for approximately 76 days before the intrusion was discovered on July 29, 2017.
| Timeline Event | Date |
|---|---|
| Apache Struts bulletin S2-045 and fixed releases published (CVE-2017-5638) | March 6, 2017 |
| US-CERT alert on the vulnerability received by Equifax | March 8, 2017 |
| Equifax internal notification to patch | March 9, 2017 |
| Attackers first exploit the unpatched dispute portal | May 13, 2017 |
| Equifax discovers the intrusion | July 29, 2017 |
| Public disclosure | September 7, 2017 |
During those 76 days, the attackers ran queries against databases holding consumer records and exfiltrated the results in small increments to avoid triggering alerts. The GAO and congressional reports also noted that the certificate on the device Equifax used to inspect encrypted traffic to and from the dispute portal had expired in January 2016 and was not renewed until July 29, 2017. For roughly 19 months, encrypted traffic to the portal, including the attackers' exfiltration traffic, passed uninspected; once the certificate was renewed, the device flagged the suspicious traffic and the intrusion was discovered the same day.
What Was Exposed
The breach compromised sensitive personal information for 147.9 million individuals, including:
- Social Security numbers
- Dates of birth
- Home addresses
- Driver's license numbers (for approximately 10.9 million people)
- Credit card numbers (for approximately 209,000 consumers)
- Dispute documents with personal identifying information
Consequences and Settlement
The fallout was extensive. Equifax Chairman and CEO Richard Smith resigned on September 26, 2017, shortly after the company's CIO and CSO had departed. In July 2019, the Federal Trade Commission announced that Equifax had agreed to a settlement of at least $575 million, potentially rising to $700 million, to resolve federal and state investigations and a consumer class action. The settlement included up to $425 million for a consumer restitution fund.
The GAO report identified multiple systemic failures beyond the unpatched vulnerability: an outdated IT infrastructure, a lack of clear accountability for patching, and insufficient network segmentation that allowed the attackers to move from the web-facing dispute portal to internal databases containing consumer records.
The Third-Party Risk Dimension
Equifax is itself a critical third-party vendor to thousands of financial institutions, employers, landlords, and government agencies. The breach exposed a fundamental challenge in vendor risk management: how do you assess and manage the security posture of a vendor that is so deeply embedded in the financial system that alternatives are limited?
For organizations practicing TPRM, the Equifax breach highlighted the need to:
- Evaluate vendors' vulnerability management and patching practices as a core part of risk assessments
- Require evidence of timely patch application, not just the existence of a patching policy
- Monitor for vendor breach disclosures and have incident response plans that account for compromised vendor data
- Assess concentration risk when critical business functions depend on a small number of vendors
- Use FAIR risk quantification to model the financial exposure from a vendor's failure to patch known vulnerabilities
Lessons for Modern GRC Programs
The Equifax case reinforced that governance, risk, and compliance programs must extend beyond an organization's own perimeter. When a credit bureau with access to nearly half the U.S. population's most sensitive data cannot manage a routine patch, the implications cascade through every organization in its data supply chain. Modern TPRM platforms help organizations track vendor patching commitments, automate reassessments when critical vulnerabilities are disclosed, and quantify the financial risk exposure using frameworks like FAIR.
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Sources & References
- Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach (GAO-18-559) - U.S. Government Accountability Office, August 2018
- Equifax Data Breach Settlement - Federal Trade Commission, July 2019
- CVE-2017-5638 Detail - National Vulnerability Database (NVD)
- S2-045: Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser - Apache Struts Security Bulletin
- How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach - U.S. Senate Minority Staff Report, February 2018