Analysis of the 2017 Equifax Data Breach

What Happened?

Equifax, an organization that handles consumer information and credit services such as credit information and ratings, announced on September 7, 2017 that it was the victim of a cyberattack. This attack was successful due to an unpatched vulnerability (CVE-2017-5638) found in an Apache Struts instance running on Equifax’s web servers. The impact of a breach at an organization handling extremely sensitive data—including names, addresses, social insurance numbers, and financial information—was devastating and highlights the importance of effective patch management.

The Vulnerability:

CVE-2017-5638 was announced in March 2017 and identified as critical severity with a vulnerability score of 10.0. Vulnerabilities of this severity should be patched immediately due to the risk they pose to enterprise environments. CVE-2017-5638 is a Remote Code Execution (RCE) vulnerability that allows remote threat actors to execute commands on backend systems through online form fields. Because this vulnerability existed within a web application framework, identifying vulnerable instances proved difficult. Equifax’s failure to patch this flaw led to a series of events now viewed as one of the largest security breaches of the 21st century.
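A framework such as Struts is typically bundled as a JAR inside each application archive rather than installed as a separate package, which is one reason an inventory can miss it. The sketch below is an added example, not tooling from Equifax or InfoTransec: it looks inside nested WAR/EAR/JAR files for struts2-core and flags affected versions. The version ranges are taken from Apache advisory S2-045 rather than from this page, and the archive names are constructed.

```python
import io
import re
import zipfile

# Affected ranges per Apache advisory S2-045 (not stated on this page; confirm before use).
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
# Matches release-style names only; suffixed builds (e.g. -SNAPSHOT) need manual review.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def is_affected(version, ranges=AFFECTED):
    # Tuple comparison places 2.5.10.1 (fixed) above 2.5.10 (affected).
    return any(low <= version <= high for low, high in ranges)

def scan_archive(data, label, depth=0, max_depth=4):
    """Return (location, version, affected) for each struts2-core JAR found."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive, or corrupt: nothing to inventory
    with archive:
        for name in archive.namelist():
            where = f"{label}!/{name}"
            match = JAR_RE.search(name)
            if match:
                version = parse_version(match.group(1))
                findings.append((where, match.group(1), is_affected(version)))
            elif name.lower().endswith((".war", ".ear", ".jar")) and depth < max_depth:
                # Recurse: the library usually sits in WEB-INF/lib of a nested WAR.
                findings.extend(scan_archive(archive.read(name), where, depth + 1, max_depth))
    return findings

def build_sample_ear():
    """Constructed sample: an EAR holding two WARs, each bundling its own Struts JAR."""
    def zipped(entries):
        buffer = io.BytesIO()
        with zipfile.ZipFile(buffer, "w") as out:
            for name, payload in entries.items():
                out.writestr(name, payload)
        return buffer.getvalue()
    old = zipped({"WEB-INF/lib/struts2-core-2.3.31.jar": b"", "index.jsp": b""})
    new = zipped({"WEB-INF/lib/struts2-core-2.5.10.1.jar": b""})
    return zipped({"portal.war": old, "billing.war": new})

if __name__ == "__main__":
    for where, version, affected in scan_archive(build_sample_ear(), "apps.ear"):
        print("AFFECTED" if affected else "ok      ", version, where)
```

A file-name match is only a first pass: renamed or repackaged (shaded) JARs will not be found this way and need a manifest or class-level check.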

Timeline of Events:

  • March 6, 2017 – Apache Struts RCE zero-day vulnerability identified and actively exploited.
  • March 7, 2017 – Proof-of-concept exploit code uploaded to a public GitHub repository.
  • March 9, 2017 – Equifax issues an internal directive to deploy the patch within 48 hours; vulnerability scans fail to detect exposure.
  • March 13, 2017 – Threat actors gain access to sensitive data affecting nearly 44% of the U.S. population.
  • July 29, 2017 – Equifax detects the breach and halts the intrusion.
  • August 1–3, 2017 – Three Equifax executives sell nearly $2M in company stock.
  • September 7, 2017 – Equifax publicly announces the breach and launches a consumer notification website.
  • September 8, 2017 – Equifax stock drops 13.7%.
  • September 12, 2017 – Two senior security executives retire; CEO issues a public apology.
  • September 14, 2017 – FTC announces an investigation; shares fall an additional 5%.
  • September 26, 2017 – CEO Richard Smith retires; interim CEO appointed.

Public Impact:

Equifax’s failure to patch a known critical vulnerability resulted in the compromise of personal and financial data for roughly 44% of the U.S. population. Victims now face long-term risks of identity theft, fraud, and targeted phishing attacks, with much of this data likely sold on underground marketplaces.

Equifax – Immediate Impact (First 30 Days):

The immediate aftermath significantly damaged Equifax’s reputation. Stock prices fell nearly 19%, executives departed, and the organization faced investigations and class-action lawsuits. Communication failures, ineffective mitigation efforts, and poor public response further eroded trust.

Equifax – Long-Term Impact (30+ Days):

The long-term consequences of the breach are severe and enduring. Sensitive personal and financial data cannot be replaced, and Equifax remains under regulatory scrutiny. Ongoing investigations, legal costs, declining stock performance, and increased oversight of the credit reporting industry continue to impact the organization.

Summary:

This breach demonstrates that cybersecurity risks must never be underestimated. Strong security practices, vulnerability awareness, and timely patch management are critical to protecting organizational data and reputation.

Organizations can reduce exposure by understanding vulnerability severity, staying current with updates, and undergoing regular security assessments. InfoTransec provides security assessments and vulnerability assessments to help organizations identify and mitigate risk. Contact us for assistance.

Contact Us

InfoTransec Inc.

Telephone:
+1 855-INFOSEC (463-6732)

Hours:
9am – 5pm   Weekdays

Address:
The Atrium @ MIP
McMaster Innovation Park
Suite 416A-8
175 Longwood Road South,
Hamilton, ON, L8P 0A1

Nationwide Service

Primarily based out of Hamilton, InfoTransec also services the following areas within Southern Ontario and the GTA.

  • Brantford
  • Burlington
  • Cambridge
  • Hamilton
  • Kitchener
  • London
  • Milton
  • Mississauga
  • Oakville
  • St. Catharines
  • Toronto
  • Waterloo

Nationwide service is also available.


© InfoTransec – 2019 – All Rights Reserved | Privacy Policy