Equifax 2017: 147M Americans Exposed by an Unpatched Apache Struts CVE
Context
Equifax is one of the three major credit reporting agencies in the United States. In 2017, the company held financial data on over 800 million consumers and 88 million businesses worldwide.
The Vulnerability: CVE-2017-5638
The exploited flaw is CVE-2017-5638 (Apache advisory S2-045), an unauthenticated remote code execution vulnerability in Apache Struts 2. When the framework's Jakarta Multipart parser received a request with a malformed Content-Type header, it raised an exception whose message contained the header value, and Struts then evaluated that message as an OGNL expression. An attacker therefore only had to put an OGNL expression in the Content-Type header of a single HTTP request to have the server execute arbitrary commands.
The patch had been available since March 7, 2017. The public exploit existed since March 10. Equifax was attacked starting May 13, 2017, more than two months after the patch was published.
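As an added example (not code from the original article, from Equifax, or from the Struts project), here is a small Python detector for S2-045 exploit attempts in raw HTTP requests. It flags a Content-Type header that contains OGNL syntax and, because the vulnerable code path is the multipart parser's error handler, also any Content-Type that is not a syntactically valid media type. The indicator strings are modelled on the shape of the public proof-of-concept payloads, and the sample requests and host names are constructed for the example.

```python
import re
from typing import List, Optional

# Markers of an OGNL expression smuggled into the Content-Type header, the
# S2-045 / CVE-2017-5638 vector. The token names follow the shape of the
# public proof-of-concept payloads; they are an assumption, not an exhaustive list.
OGNL_INDICATORS = re.compile(
    r"%\{|\$\{|@ognl\.OgnlContext@|#_memberAccess|#cmd=|java\.lang\.ProcessBuilder",
    re.IGNORECASE,
)

# RFC 7231 media type: token "/" token, then optional ";" name=value parameters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
VALID_CONTENT_TYPE = re.compile(
    rf'^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|"[^"]*"))*\s*$'
)


def content_type_of(raw_request: str) -> Optional[str]:
    """Return the Content-Type header value of a raw HTTP/1.x request, or None."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return None


def looks_like_ognl_injection(content_type: str) -> bool:
    """True if the header carries OGNL syntax or is not even a valid media type.

    The vulnerable code path is the multipart parser's error handler, so any
    Content-Type the parser cannot accept is worth flagging, not only the
    signatures of known payloads.
    """
    if OGNL_INDICATORS.search(content_type):
        return True
    return not VALID_CONTENT_TYPE.match(content_type)


def scan_requests(requests: List[str]) -> List[int]:
    """Indexes of requests whose Content-Type looks like an S2-045 attempt."""
    hits = []
    for i, req in enumerate(requests):
        ct = content_type_of(req)
        if ct is not None and looks_like_ognl_injection(ct):
            hits.append(i)
    return hits


# Constructed sample traffic (not real captures). Index 2 is shaped like the
# public S2-045 proof of concept, truncated; the others are ordinary requests.
SAMPLE_REQUESTS = [
    "POST /dispute/upload HTTP/1.1\r\nHost: portal.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n"
    "Content-Length: 0\r\n\r\n",
    "POST /dispute/api HTTP/1.1\r\nHost: portal.example.test\r\n"
    "Content-Type: application/json; charset=utf-8\r\nContent-Length: 2\r\n\r\n{}",
    "POST /dispute/upload HTTP/1.1\r\nHost: portal.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}\r\n"
    "Content-Length: 0\r\n\r\n",
    "GET /dispute/ HTTP/1.1\r\nHost: portal.example.test\r\n\r\n",
]

if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print(f"request {i}: suspicious Content-Type -> {content_type_of(SAMPLE_REQUESTS[i])!r}")
```

Run it as a script to see which of the constructed requests is flagged. In production the same check belongs in a WAF rule or a log-pipeline filter on the Content-Type field; the S2-046 variant of the same CVE carried the expression in the Content-Disposition header instead, so a complete rule covers that header as well.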
Timeline
March 7, 2017: Apache releases the patch for CVE-2017-5638.
March 8, 2017: US-CERT issues an alert. Equifax's security team is notified.
March 15, 2017: Equifax runs an internal vulnerability scan, but it does not detect the vulnerable server (according to the investigation report, the scan did not cover the location where the vulnerable Struts instance was deployed).
May 13, 2017: attackers exploit the flaw on Equifax's dispute resolution portal.
May to July 2017: attackers exfiltrate data for 76 days without being detected.
July 29, 2017: Equifax detects suspicious traffic and identifies the intrusion.
September 7, 2017: Equifax publicly announces the breach.
Data Exposed
Compromised information includes names, Social Security numbers, dates of birth, addresses, and in some cases driver's license numbers and credit card numbers for 147 million Americans. Data of UK and Canadian residents was also affected.
Why the Patch Was Not Applied
The investigation revealed several failures, each of which would have been enough on its own to prevent the others from catching the problem:
The March 8 US-CERT alert reached Equifax's security team, but the patch was never applied to the dispute resolution portal that was running the vulnerable Struts version.
The March 15 vulnerability scan did not cover the vulnerable server, so the technical control meant to back up the patching process missed it too.
There was no reliable inventory of which applications ran Struts, so nobody could confirm that the patch had been applied everywhere it was needed.
The network traffic inspection device that should have revealed the exfiltration had an expired SSL certificate, so encrypted traffic to and from the portal went uninspected for 19 months.
Financial and Legal Impact
Equifax agreed to pay at least $575 million, and up to $700 million, under a 2019 settlement with the FTC, the CFPB, and the US states, covering consumer compensation and civil penalties. The CEO, CIO, and chief security officer all left the company within weeks of the announcement. Stock value dropped about 35% in the days following the announcement.
Lessons
Patching is non-negotiable. A critical CVE with a public exploit must be fixed in days, not months, and the fix must be verified on every affected host rather than assumed from an email notification.
Asset inventory is foundational. If you do not know which systems run which software, you cannot tell whether a patch has reached all of them, and a scan with the wrong scope will tell you nothing is wrong.
Monitoring must work, and its own health must be monitored. An expired SSL certificate that left a traffic inspection device blind for 19 months is a systemic failure: nobody was checking that the control was still operating.
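As an added example to go with the patching and inventory lessons (this is illustration code, not an Equifax or Apache tool), here is a Python script that inventories Struts jars under a deployment tree and flags versions in the ranges affected by S2-045 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, per the Apache advisory; fixed in 2.3.32 and 2.5.10.1). The sample paths are constructed. When a jar has been renamed, it falls back to the pom.properties file that Maven writes under META-INF/maven inside the jar, which is the standard Maven location rather than anything Struts-specific.

```python
import os
import re
import zipfile
from typing import Iterable, List, Optional, Tuple

# Versions affected by S2-045 (CVE-2017-5638), per the Apache advisory:
# Struts 2.3.5 - 2.3.31 and 2.5 - 2.5.10; fixed in 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10)))

JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")
# Standard Maven metadata path inside a jar built from the struts2-core artifact.
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly across lengths."""
    return tuple(int(p) for p in text.strip().split("."))


def is_vulnerable_to_s2_045(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_jar_name(path: str) -> Optional[str]:
    """Fast path: take the version from a conventionally named jar file."""
    m = JAR_NAME.search(os.path.basename(path))
    return m.group(1) if m else None


def version_from_pom_properties(text: str) -> Optional[str]:
    """Parse Maven's pom.properties; only report a version for struts2-core."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    if props.get("artifactId") == "struts2-core":
        return props.get("version")
    return None


def version_from_jar(path: str) -> Optional[str]:
    """Slow path: read the Maven metadata inside the jar (survives renamed files)."""
    try:
        with zipfile.ZipFile(path) as zf:
            text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    return version_from_pom_properties(text)


def identify(path: str, read_jar: bool = True) -> Optional[Tuple[str, str, bool]]:
    """(path, version, vulnerable) for a struts2-core jar, None for anything else."""
    version = version_from_jar_name(path)
    if version is None and read_jar:
        version = version_from_jar(path)
    if version is None:
        return None
    return (path, version, is_vulnerable_to_s2_045(version))


def inventory(paths: Iterable[str], read_jar: bool = True) -> List[Tuple[str, str, bool]]:
    return [r for r in (identify(p, read_jar) for p in paths) if r is not None]


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a deployment tree (e.g. a Tomcat webapps directory) for Struts jars."""
    jars = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files if f.endswith(".jar"))
    return inventory(jars)


# Constructed sample paths (no such files exist); used with read_jar=False.
SAMPLE_JARS = [
    "/opt/tomcat/webapps/acis/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/acis/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar",
]

if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else inventory(SAMPLE_JARS, read_jar=False)
    for path, version, vulnerable in results:
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} struts2-core {version}  {path}")
```

Point it at a real webapps directory to get a per-jar verdict; run without arguments and it reports on the constructed sample paths. The point of the two lookup paths is the inventory lesson: a check that trusts file names alone is exactly the kind of scan that reports a clean result while the vulnerable library sits in a differently named jar or a nested WAR.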
CleanIssue identifies vulnerable components and unpatched CVEs during its external reviews. This is the first line of defense against this type of incident.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
France Travail 2024: 43M French Citizens Leaked, What Really Happened
Technical breakdown of the France Travail data breach in 2024: how 43 million records were exposed, timeline, and lessons learned.
Viamedis and Almerys 2024: 33M French Health Records Breached
Analysis of the dual Viamedis/Almerys breach that exposed health data of 33 million French citizens in January 2024.
Okta 2022 and 2023: When the Identity Provider Gets Hacked
Two major Okta compromises in two years. Analysis of vectors, impact on customers, and lessons for identity provider security.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.