Open in app

Sign in

Write

Sign in

Research Paper: The 2017 Equifax Data Breach: A Negligence in Addressing Critical Security Warnings

Vaibhav Kubade
6 min readSep 13, 2024

--

Abstract

In 2017, Equifax, one of the largest credit reporting agencies in the United States, experienced a massive data breach that exposed sensitive personal information of 147 million people. This breach, caused by the company’s failure to patch a known vulnerability in its software, stands as one of the most significant cybersecurity incidents in history. This paper explores the events leading to the breach, particularly focusing on the unaddressed warning of the vulnerability, the technical and organisational failures that contributed to the attack, and the lessons learned from this cybersecurity negligence. The case of Equifax serves as a critical example of the importance of timely patch management, organisational accountability, and robust cybersecurity practices.

Keywords

Equifax, Data Breach, Cybersecurity, Vulnerability Management, Apache Struts, Cyber Attack, Data Protection

1. Introduction

The 2017 Equifax data breach is widely regarded as one of the most damaging cybersecurity incidents, primarily because it affected such a vast number of individuals and compromised sensitive personal information including Social Security numbers, birth dates, and addresses. The breach was preventable, as it exploited a known vulnerability in the Apache Struts web application framework — a flaw that Equifax had been warned about months prior to the breach. Despite receiving multiple alerts and having the necessary resources to address the vulnerability, Equifax failed to implement a timely patch, exposing the company to a devastating cyber attack.

The purpose of this paper is to investigate the events that led to the Equifax breach, analyse the technical vulnerabilities, and evaluate the organisational shortcomings that contributed to the failure in preventing the attack. This analysis highlights the broader implications for cybersecurity governance, the consequences of neglecting critical software updates, and the lessons organisations must learn to prevent similar breaches.

2. Background and Timeline of Events

2.1 Equifax and its Role in Data Management

Equifax, established in 1899, is a global leader in consumer credit reporting. The company gathers, stores, and processes a vast amount of sensitive financial and personal data, making it a prime target for cybercriminals. As a credit reporting agency, Equifax’s services are vital to financial institutions, businesses, and governments, which rely on it for credit evaluations, identity verification, and fraud detection.

2.2 Discovery of the Vulnerability

In March 2017, a significant security vulnerability (CVE-2017–5638) was discovered in the Apache Struts web application framework. This vulnerability allowed remote attackers to execute arbitrary code on affected systems, effectively providing unauthorized access to the underlying servers. Given the widespread use of Apache Struts in web applications, including by large corporations, the United States Computer Emergency Readiness Team (US-CERT) issued a warning advising organisations to patch the vulnerability immediately.

2.3 Failure to Patch

Despite the high-priority warning from US-CERT, Equifax did not take immediate action. Internal investigations later revealed that Equifax’s security team was informed about the Apache Struts vulnerability soon after the advisory was issued. However, the critical patch was not implemented, leaving a gap in the company’s security defenses. This delay allowed cybercriminals to exploit the vulnerability between May and July 2017, during which attackers gained unauthorized access to Equifax’s systems and exfiltrated massive amounts of data.

3. Technical Analysis of the Breach

3.1 The Apache Struts Vulnerability (CVE-2017–5638)

Apache Struts is an open-source framework for creating Java-based web applications. The vulnerability in question, CVE-2017–5638, was a critical Remote Code Execution (RCE) flaw caused by improper handling of Content-Type headers in file upload requests. This allowed attackers to send maliciously crafted requests to the application, resulting in arbitrary code execution.

Equifax’s use of Apache Struts in one of its web portals exposed the company to this vulnerability. While patches were released soon after the discovery of CVE-2017–5638, the failure to apply them within a reasonable time frame left Equifax susceptible to attack.

3.2 Exploitation by Attackers

Attackers reportedly began exploiting the vulnerability in May 2017, gaining access to sensitive systems within Equifax’s network. Over the course of several months, the attackers were able to operate undetected, extracting vast amounts of personal information from the company’s databases.

Equifax’s lack of adequate network segmentation further exacerbated the breach. Once inside, the attackers had access to multiple sensitive systems, allowing them to exfiltrate data from various databases without triggering alarms.

3.3 Detection and Response

Equifax eventually detected suspicious activity on July 29, 2017, after which the company took its affected web application offline. However, by this time, the damage had already been done. Investigations revealed that the breach had compromised personal data, including Social Security numbers, birth dates, and addresses of over 147 million Americans, as well as some international customers.

4. Organisational Failures

4.1 Failure to Act on Security Warnings

Equifax’s most significant organisational failure was its inability to act on explicit security warnings regarding the Apache Struts vulnerability. After receiving the March 2017 alert from US-CERT, Equifax’s internal security teams failed to follow up with the appropriate patching protocols. The company had procedures in place for patch management, but a breakdown in communication and oversight allowed the vulnerability to remain unaddressed.

4.2 Inadequate Incident Response Plan

Equifax’s incident response plan was also severely lacking. While the company was eventually able to detect the breach, it was slow to respond and inform affected individuals. Additionally, there was confusion regarding how to properly address the breach, and communication between different departments was poor. This disorganised response not only delayed mitigation efforts but also damaged the company’s reputation.

4.3 Leadership and Accountability Issues

Several executives at Equifax were criticised for their handling of the breach, including their decisions not to immediately inform the public. The company’s Chief Information Officer and Chief Security Officer resigned shortly after the breach became public, but these leadership changes did little to restore trust or rectify the damage done by the company’s earlier inaction.

5. Lessons Learned and Recommendations

5.1 Importance of Patch Management

The Equifax breach highlights the critical importance of timely patch management in modern cybersecurity strategies. Organisations must prioritise the rapid implementation of patches for known vulnerabilities, especially when those vulnerabilities have the potential for remote code execution, as was the case with CVE-2017–5638. Furthermore, regular audits and automated patching systems should be in place to ensure that security gaps are closed promptly.

5.2 Robust Incident Response Plans

An effective incident response plan is essential for minimizing the damage caused by a breach. Equifax’s disjointed and delayed response underscores the need for a clear, well-practiced plan that can be implemented quickly when a breach occurs. This includes designating roles and responsibilities, maintaining communication between teams, and preparing to notify affected individuals in a timely manner.

5.3 Cybersecurity as a Board-Level Priority

Cybersecurity should be considered a top-level concern for corporate leadership. Equifax’s leadership failed to adequately prioritise cybersecurity, resulting in the neglect of critical issues like patch management. Ensuring that cybersecurity is integrated into corporate governance, with clear lines of accountability and oversight, is essential for preventing similar breaches in the future.

6. Conclusion

The Equifax data breach of 2017 was a preventable disaster, resulting from the company’s failure to patch a known vulnerability in a timely manner. This oversight exposed sensitive personal information of millions of people, leading to severe repetitional damage and financial penalties for the company. The incident underscores the importance of maintaining strong cybersecurity practices, prioritising patch management, and ensuring that organisational structures support quick and effective responses to emerging threats.

As organisations continue to face an evolving landscape of cybersecurity challenges, the lessons learned from the Equifax breach must serve as a warning: failing to address known vulnerabilities can have catastrophic consequences.

References

  • United States Government Accountability Office (GAO). (2018). Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach. Retrieved from GAO website
  • Apache Struts. (2017). Security Vulnerability CVE-2017–5638. Retrieved from Apache Struts website
  • United States Senate Committee on Commerce, Science, and Transportation. (2017). Equifax Data Breach: An Examination of the Company’s Mistakes, Past Mistakes, and Lessons for the Future. Retrieved from Senate website
Cybersecurity
Research Paper

--

--

Vaibhav Kubade

Written by Vaibhav Kubade

6 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams