In September 2017, Equifax disclosed a major data breach that affected approximately 147 million individuals in the United States, in addition to a smaller number in the United Kingdom and Canada.
The breach occurred between May and July 2017, when attackers exploited a known vulnerability in the Apache Struts software, identified as CVE-2017-5638. Initial access was gained on March 10, 2017, allowing unauthorized individuals to infiltrate the company’s online dispute portal and access sensitive data, including names, Social Security numbers, birth dates, and driver’s license numbers. The scope of the breach was extensive: nearly 209,000 credit card numbers were also exposed. The incident not only compromised personal data but greatly increased the risk of identity theft for the affected individuals. The exploitation of zero-day vulnerabilities remains one of the most challenging threats to prevent, as organizations are often unaware of such flaws until after an attack has occurred.
Between May and July 2017, attackers exploited a critical vulnerability, gaining unauthorized access to sensitive data at Equifax.
Shortly after the disclosure, Equifax offered free credit monitoring and identity theft protection services, acknowledging the potential long-term consequences for those whose information had been exposed. In addition, the breach affected approximately 15.2 million individuals in the United Kingdom and around 19,000 in Canada.
In February 2020, the U.S. government indicted members of China’s People’s Liberation Army in connection with the breach, highlighting the international nature of the threat. The breach ultimately led to significant financial accountability for Equifax, which agreed to a settlement of up to $700 million to resolve the claims arising from the incident. Notably, the lack of proper network segmentation allowed the attackers to pivot and reach further sensitive data during the breach.
In the aftermath, Equifax faced considerable criticism for its initial response, which was widely regarded as slow and inadequate. Public trust in credit reporting agencies declined, prompting calls for stronger security measures to prevent future breaches. The incident became a case study underscoring the urgency of promptly patching known vulnerabilities.
Of that settlement, up to $425 million was allocated to consumer claims, with a claims deadline of January 22, 2024. Affected individuals were offered free identity restoration services until January 2029, alongside ongoing credit monitoring.
The breach also led to heightened regulatory scrutiny of data protection practices, emphasizing the need for rigorous cybersecurity standards in an increasingly digital world.