Equifax Breach Exposes Social Security Numbers of 147 Million Americans

What happened

Attackers exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) to breach Equifax and exfiltrate the personal data of 147 million Americans, including Social Security numbers, birth dates, and credit card numbers. The patch had been available for two months before the breach.[1]

What went wrong

Equifax failed to apply a critical security patch for 78 days after it was released. The company also had inadequate network segmentation and SSL inspection, allowing attackers to exfiltrate data undetected for 76 days.[1]

Lesson learned

Patch management is non-negotiable for internet-facing systems. Network segmentation and egress monitoring can limit blast radius when perimeter defenses fail. A single unpatched library can compromise an entire organization.

Est. value burned: ~$1.4B ($575M FTC fine + $700M consumer fund + remediation)

Sources

  1. [1]
