The Equifax data breach of 2017 

Casey Jones, Old Dominion University 

September 3, 2025 

The Equifax data breach of 2017 is significant because of the sheer number of people affected: attackers quietly stole sensitive personal and financial information over several months before the intrusion was discovered in late July 2017. The attack was so damaging because consumers had placed their trust in Equifax to safeguard data used for credit reporting, so the exposure directly affected the financial lives of the victims. This writing explores the vulnerabilities that existed, how they were exploited, the repercussions of the incident, and what might have been done to prevent it. 

The timeline of events presented by Wang and Johnson shows how fast professionals must act once a vulnerability is publicly disclosed where anyone, including attackers, can read it. On March 8, 2017, the United States Computer Emergency Readiness Team (US-CERT) issued an alert about a vulnerability in Apache Struts 2, the framework Equifax used to build its web applications, for which Apache had already released a patched version. According to Wang and Johnson's report, Equifax circulated an internal memo on March 9, 2017, requesting that the software be patched. Attackers began exploiting the vulnerability the next day and, after roughly two months inside the network, began extracting Personally Identifiable Information on May 13, 2017. They stayed undetected until July 29, 2017, and were removed from the network the following day, when the Apache Struts 2 patch announced in March was finally applied. 

The specific vulnerability is tracked as CVE-2017-5638 in the National Vulnerability Database hosted by NIST. The flaw lay in the Jakarta Multipart parser, which mishandled error messages during file uploads: the error text, built from the attacker-controlled Content-Type header, was evaluated as an OGNL expression. This let attackers send a specially crafted HTTP Content-Type header containing a #cmd= string and achieve arbitrary command execution on the server (NIST, 2021). Researchers at Cisco reported a surge of attacks in which the injected commands were used to turn off the firewall protecting the server and then download and execute whatever malware the attacker chose (Goodin, 2017). 

Further complicating things, attackers could route their activity through IRC bouncers to hide their IP addresses while deploying these packages, effectively hijacking the server and enrolling it in a botnet. Apache Struts versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are affected by the vulnerability; the recommended fix was to upgrade immediately to a patched version and recompile any web applications built with the affected Struts versions. From that initial foothold the problems compounded, and access was escalated until the attackers found what they were looking for. The hackers first broke into Equifax's online dispute resolution portal, a site running the vulnerable Apache Struts 2 version, but it was several other mistakes compounded together that created the perfect storm for this attack to succeed. 
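The following is an added example, not code from this essay or from any of its sources, showing the two checks a defender would have wanted in March 2017: whether a deployed Struts version falls inside the affected ranges quoted above, and whether a captured HTTP request carries the crafted Content-Type header pattern described in the NVD entry. The sample requests, the /dispute/upload path and the portal.example host name are constructed for illustration; the crafted header is a truncated stand-in for the pattern, not a working payload.

```python
import re
from urllib.parse import unquote

# Affected ranges as stated above (Apache advisory for CVE-2017-5638):
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Everything else is treated as safe.
AFFECTED_RANGES = [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]


def parse_version(version):
    """Turn '2.5.10.1' into a comparable tuple, padded so '2.5' sorts as 2.5.0.0."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable_struts(version):
    """True if the Struts version lies inside one of the affected ranges (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


# An OGNL expression opener ('%{' or '${') followed somewhere by an OGNL variable
# reference ('#name'), which is what the crafted Content-Type header contains.
# A legitimate Content-Type value never opens an expression like this.
OGNL_RE = re.compile(r"[%$]\{.*#\w")


def is_ognl_injection(header_value):
    """Check one header value, URL-decoding first so an encoded '%25%7B' is also caught."""
    return bool(OGNL_RE.search(unquote(header_value)))


def parse_request_head(raw):
    """Minimal parser: returns (request line, {lower-case header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flag_struts_requests(raw_requests):
    """Return (request line, Content-Type) for each request whose header matches the pattern."""
    findings = []
    for raw in raw_requests:
        request_line, headers = parse_request_head(raw)
        content_type = headers.get("content-type", "")
        if is_ognl_injection(content_type):
            findings.append((request_line, content_type))
    return findings


# Constructed sample traffic; the path and host are invented for illustration.
SAMPLE_REQUESTS = [
    "POST /dispute/upload HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n\r\n",
    # Truncated stand-in for the crafted header: an expression opener plus a '#cmd=' reference.
    "POST /dispute/upload HTTP/1.1\r\nHost: portal.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='id')}\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: portal.example\r\nContent-Type: application/json\r\n\r\n",
]

if __name__ == "__main__":
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "vulnerable" if is_vulnerable_struts(v) else "patched")
    for request_line, content_type in flag_struts_requests(SAMPLE_REQUESTS):
        print("ALERT", request_line, "->", content_type)
```

The version check treats 2.5.10.1 and 2.3.32 as patched because they sit just outside the inclusive ranges; the header check decodes percent-encoding first, since an attacker who encodes the braces would otherwise slip past a literal match.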

By May 13, 2017, the day data exfiltration began, the attackers had turned their attention to other servers on the network, which was possible because of improper network segmentation. Within those systems they found plaintext credentials, which gave them access to the servers holding consumer data. One might wonder how they managed this extraction undetected, and the answer introduces yet another critical weakness in the stack. Attackers typically encrypt data during exfiltration to disguise the activity, and under normal circumstances a network monitoring tool that inspects encrypted traffic would flag it as suspicious. However, the inspection device Equifax relied on had an expired TLS certificate and was therefore no longer inspecting encrypted traffic, leaving the company blind to the data leaving its network (BreachSense, 2024). 

The attack was discovered on July 29, 2017, as a direct result of the TLS certificate being renewed: once inspection resumed, administrators noticed the suspicious traffic immediately. The consequences of Equifax's failure to apply the patch promptly after the US-CERT alert were immense. The breach exposed Social Security numbers, driver's license numbers, credit card information, birth dates, addresses, and financial information of over 140,000,000 US consumers, roughly 44% of the population (Wang & Johnson, 2018). Equifax also suffered negative public opinion because of some of its actions during the incident management phase of the crisis. A six-week internal investigation was conducted before the public was notified, and during that window several company executives sold shares ahead of the announcement, which led to insider trading charges against a former Chief Information Officer (BreachSense, 2024). 

The CEO of Equifax retired three weeks after the announcement of the breach, taking the role of scapegoat and limiting the liability of anyone else who might have been found responsible within the company (Wang & Johnson, 2018). The incident damaged consumer trust in Equifax, caused financial losses for the company, and raised the risk of identity theft for everyone whose data was compromised (BreachSense, 2024). Equifax agreed to a settlement of up to $700,000,000 with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 US states, covering compensation to consumers, regulatory fines, and legal fees (BreachSense, 2024). The incident also fed the public debate surrounding new data-protection laws such as the California Consumer Privacy Act and the European Union's General Data Protection Regulation, both of which took shape in 2018 (BreachSense, 2024); the GDPR is wide-reaching, applying to anyone who processes the data of people located in the EU. Ultimately, actions could have been taken to prevent this incident, which is why Equifax faced at least 23 class action lawsuits for the events that transpired. 

The moment CVE-2017-5638 was made public and a patch announced, the people responsible for patch management within the organization should have applied it as US-CERT prescribed. Credentials should never be stored in plaintext, least of all on a network-connected device where those credentials unlock access to critical systems. Another flaw noted in Wang and Johnson's article was a web portal protected with the username admin and the password admin, which would not take an attacker long to guess, underlining the importance of proper credential hygiene. The network should never have been operated with an expired TLS certificate on the monitoring software Equifax relied on, a lapse that allowed the attack to continue unnoticed for months. Network segmentation is another fundamental control that should have been in place and might well have kept the attackers isolated from critical resources. They initially gained access through a claim dispute portal, but it was improper segmentation, exposed credentials, and absent network monitoring that together turned that foothold into a catastrophe. Implementing these basic measures could have prevented millions of dollars in damage, the loss of consumer trust, and irreversible harm to Equifax's reputation. 
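The following is an added example, not code from this essay or from Equifax, illustrating three of the checks this paragraph and the earlier description of the lateral movement call for: a scan of a configuration file for secrets stored in plaintext, a check for factory-default username/password pairs such as admin/admin, and an expiry check over the certificates of the TLS-inspection devices that network monitoring depends on. The properties file, its key names, the device names and the dates are all constructed for illustration; the default-credential list is deliberately tiny.

```python
import re
import ssl
import time

# Constructed example of a properties file as it might sit on an internal file share.
SAMPLE_CONFIG = """\
# consumer-db.properties (constructed for illustration)
db.host=consumer-db.internal
db.user=svc_report
db.password=Hunter2!
api.token=${API_TOKEN}
portal.admin.user=admin
portal.admin.password=admin
smtp.password.file=/run/secrets/smtp
"""

SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|token|api[_.-]?key)", re.IGNORECASE)

# Small list of factory/default pairs; a real audit would use a fuller wordlist.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"),
                       ("root", "toor"), ("guest", "guest")}


def parse_properties(text):
    """key=value lines into a dict, ignoring comments and blank lines."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values[key] = value
    return values


def find_plaintext_secrets(text):
    """Keys that look secret-bearing and hold a literal value rather than an indirection."""
    findings = []
    for key, value in parse_properties(text).items():
        if not SECRET_KEY_RE.search(key):
            continue
        # An environment-variable reference or a secrets-file path is not a plaintext secret.
        if not value or value.startswith("${") or key.endswith(".file"):
            continue
        findings.append(key)
    return findings


def find_default_credentials(text):
    """Prefixes whose .user/.password pair is a well-known default such as admin/admin."""
    values = parse_properties(text)
    hits = []
    for key, user in values.items():
        if not key.endswith(".user"):
            continue
        prefix = key[: -len(".user")]
        password = values.get(prefix + ".password")
        if password is not None and (user.lower(), password.lower()) in DEFAULT_CREDENTIALS:
            hits.append(prefix)
    return hits


def expired_certificates(inventory, now=None):
    """Names from {device: notAfter} whose certificate has lapsed at 'now' (epoch seconds).

    notAfter uses the format ssl.getpeercert() returns, e.g. 'Jan 31 23:59:59 2017 GMT'.
    """
    now = time.time() if now is None else now
    return sorted(name for name, not_after in inventory.items()
                  if ssl.cert_time_to_seconds(not_after) < now)


# Constructed inventory: device names and dates are illustrative only.
SAMPLE_CERT_INVENTORY = {
    "ssl-inspector-01": "Jan 31 23:59:59 2017 GMT",   # lapsed months before the exfiltration
    "ssl-inspector-02": "Dec 31 23:59:59 2018 GMT",
}

if __name__ == "__main__":
    print("plaintext secrets:", find_plaintext_secrets(SAMPLE_CONFIG))
    print("default credentials:", find_default_credentials(SAMPLE_CONFIG))
    july_29_2017 = ssl.cert_time_to_seconds("Jul 29 00:00:00 2017 GMT")
    print("expired on 2017-07-29:", expired_certificates(SAMPLE_CERT_INVENTORY, now=july_29_2017))
```

The secret scan deliberately skips values that are environment-variable references or paths to a secrets file, since those are the patterns the plaintext credentials should have been replaced with; the certificate check is the kind of job that, run daily against the inspection devices, would have raised an alarm months before the July 2017 renewal instead of leaving monitoring silently blind.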

Citations:  

  • Cover artwork digitally created with AI; no other use of AI is present in this document. 
  • BreachSense. (2024, December 8). Equifax data breach case study: Causes and aftermath. https://www.breachsense.com/blog/equifax-data-breach/ 
