FORENSIC LEGIBILITY EXAMINER
CASE 047 CONTROLLED ACCESS & AUTHORIZATION 2026-02-28 DISPOSITION: KNOWN VULNERABILITY PERSISTENCE

Consumer Data Access Authority Failure Through Unpatched Known Vulnerability at Equifax

When a vulnerability in an internet-facing system is publicly disclosed and a patch is available, the access control perimeter contains a known opening. Whether that opening is closed depends entirely on whether the organization applies the patch — an internal operational decision with no external enforcement mechanism or verification. No regulatory mandate required the organization to patch within a specific timeframe, and no outside authority confirmed the patch had been applied. The vulnerability was known. The fix existed. The access control system was breached through an opening that had been identified, documented, and fixable for two months before the attackers walked through it.
Failure classification: Disclosed Vulnerability Persisting Without Mandated Remediation Verification

Context

Equifax is one of three major consumer credit reporting agencies in the United States, maintaining detailed financial records on approximately 800 million consumers and 88 million businesses worldwide. The data Equifax holds — Social Security numbers, birth dates, credit histories, employment records — constitutes precisely the information needed to impersonate a consumer for purposes of identity theft and financial fraud. Equifax's internet-facing systems provided the access perimeter protecting this data.

On March 7, 2017, the Apache Software Foundation disclosed CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts, a widely used web application framework. The disclosure included a patch. The U.S. Computer Emergency Readiness Team (US-CERT) issued an alert the same day. Equifax's internal security team circulated the notification internally on March 9, instructing relevant personnel to apply the patch within 48 hours. The patch was not applied to the system that was subsequently breached.

Trigger

Beginning on May 13, 2017 — sixty-seven days after the patch was available — attackers exploited the unpatched vulnerability on Equifax's online dispute portal to gain initial access to the system. Over the following 76 days, the attackers moved laterally through Equifax's network, accessing databases containing consumer records. They exfiltrated data on approximately 147 million consumers, including Social Security numbers for 145.5 million, birth dates for 99 million, and driver's license numbers for 17.6 million. Equifax's internal security tools had also failed to detect the data exfiltration because an SSL inspection certificate on a monitoring device had expired, leaving encrypted traffic uninspected for nineteen months.

Equifax discovered the breach on July 29, 2017 when its security team noticed suspicious network traffic. The company publicly disclosed the breach on September 7, 2017 — more than five months after the patch was available and six weeks after detection. The disclosure prompted congressional hearings, regulatory investigations across multiple agencies, and what became one of the largest data breach settlements in history.

Failure Condition

The access control failure was the gap between knowing a vulnerability existed and verifying that it had been remediated. Equifax's internal process identified the vulnerability, circulated the notification, and instructed personnel to patch. But no verification step confirmed the patch was applied to all affected systems. The instruction created a procedural obligation without a confirmation mechanism — the process told people to act but did not confirm they had acted. The specific system breached was missed because Equifax's asset inventory did not accurately identify all systems running the vulnerable software, so the patching instruction reached personnel who did not know they were responsible for the affected system.

No external authority required Equifax to demonstrate that known critical vulnerabilities had been patched within a specific timeframe. The FTC's authority over data security practices addressed whether companies maintained "reasonable" security without prescribing specific patching timelines. Equifax could receive a vulnerability notification, circulate it internally, fail to apply the patch, and face no external verification that the remediation had occurred — until the failure manifested as a breach. The expired SSL certificate on the monitoring device compounded the failure: the system designed to detect unauthorized data movement had been inoperative for nineteen months, also without external verification.
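The missing step the case describes is a verification pass that compares what is actually running against the inventory and the patch deadline, and checks the monitoring control's own health at the same time. The script below is an added example, not code from the page or from Equifax: hostnames, owners, versions and certificate dates are constructed, and the affected Struts version ranges are taken from the S2-045 bulletin the page cites. It reports hosts still vulnerable after the 48-hour instruction, vulnerable hosts that appear in no inventory record at all (the gap that let the instruction reach nobody responsible), and inspection certificates that have expired.

```python
# Added example: remediation verification against an asset inventory, plus a
# check that the traffic-inspection certificates are still valid.
# All host, owner, version and certificate data below is constructed.
from datetime import datetime, timedelta

# Constructed asset inventory: what the organisation believes it operates.
# web-01 is recorded at a vulnerable version but has actually been patched
# (see SCAN); dispute-01 is missing from the inventory entirely.
INVENTORY = {
    "web-01.example.internal": {"owner": "team-a", "struts": "2.3.31"},
    "web-02.example.internal": {"owner": "team-a", "struts": "2.3.32"},
    "api-01.example.internal": {"owner": "team-b", "struts": "2.3.31"},
}

# Constructed scan results: the Struts version actually observed on each host.
SCAN = {
    "web-01.example.internal": "2.3.32",
    "web-02.example.internal": "2.3.32",
    "api-01.example.internal": "2.3.31",
    "dispute-01.example.internal": "2.3.31",
}

# Constructed certificate inventory for traffic-inspection devices.
MONITOR_CERTS = {
    "ssl-inspect-01": datetime(2016, 1, 31),  # expired long before the run
    "ssl-inspect-02": datetime(2018, 6, 30),  # still valid
}

# Affected ranges per Apache bulletin S2-045 (CVE-2017-5638): Struts 2.3.5
# through 2.3.31, and 2.5 through 2.5.10. Each entry is (first affected,
# first fixed); version v is affected when lo <= v < hi.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
]


def parse_version(text):
    """'2.3.31' -> (2, 3, 31); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def verify_remediation(inventory, scan, instructed_at, deadline_hours, now):
    """Reconcile observed versions against the inventory and the patch SLA.

    Returns hosts still vulnerable after the deadline (with their recorded
    owner) and vulnerable hosts nobody is recorded as owning. The scan, not
    the inventory record, is the source of truth for the installed version.
    """
    deadline = instructed_at + timedelta(hours=deadline_hours)
    overdue, unowned = [], []
    for host, version in scan.items():
        if not is_vulnerable(version):
            continue  # observed version lies outside the affected ranges
        if host not in inventory:
            unowned.append(host)
        elif now > deadline:
            overdue.append((host, inventory[host]["owner"], version))
    return {"overdue": overdue, "unowned": unowned}


def check_monitoring_certs(certs, now, warn_days=30):
    """Flag inspection certificates that are expired or about to expire.

    An expired certificate here silently blinds the detection control, so it
    is verified on the same schedule as the patch state.
    """
    expired, expiring = [], []
    for device, not_after in certs.items():
        if not_after <= now:
            expired.append(device)
        elif not_after - now <= timedelta(days=warn_days):
            expiring.append(device)
    return {"expired": expired, "expiring": expiring}


def run_sample_verification():
    # Instruction circulated March 9 with a 48-hour deadline (from the page);
    # the verification run is dated a few days later (constructed).
    return verify_remediation(INVENTORY, SCAN, datetime(2017, 3, 9), 48,
                              datetime(2017, 3, 14))


def run_sample_cert_check():
    return check_monitoring_certs(MONITOR_CERTS, datetime(2017, 3, 14))


if __name__ == "__main__":
    print(run_sample_verification())
    print(run_sample_cert_check())
```

Run as-is, the report lists api-01 as overdue under team-b, dispute-01 as vulnerable with no owner, and ssl-inspect-01 as expired; web-01 is not flagged even though the inventory still records a vulnerable version, because the scan shows it patched. The point of the design is that both findings come from observation rather than from the instruction having been sent.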

Observed Response

Equifax's CEO, CIO, and CSO departed in the weeks following disclosure. The company agreed to a settlement with the FTC, CFPB, and 50 state attorneys general totaling approximately $700 million, including a consumer restitution fund. Congressional hearings examined both Equifax's specific failures and the broader regulatory gap in data security requirements for credit reporting agencies. A GAO report documented the cascading failures: incomplete asset inventory, unverified patching, expired monitoring certificates, and inadequate network segmentation that allowed lateral movement from a single compromised system to databases containing the full consumer record set.

Analytical Findings

References
  1. U.S. Government Accountability Office, "Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach," GAO-18-559, August 2018.
  2. U.S. House of Representatives, Committee on Oversight and Government Reform, "The Equifax Data Breach," majority staff report, December 2018.
  3. Federal Trade Commission, "Equifax Data Breach Settlement," July 2019.
  4. Apache Software Foundation, Security Bulletin S2-045 (CVE-2017-5638), March 7, 2017.
  5. U.S. Senate Committee on Commerce, Science, and Transportation, hearing on the Equifax breach, October 4, 2017.