The Equifax Breach

On September 7, 2017, the credit reporting agency Equifax announced that attackers had accessed the personal information of a vast number of consumers. The U.S. Government Accountability Office report on the breach (GAO-18-559) found that at least 145.5 million individuals had their data compromised, including names, Social Security numbers, birth dates, and addresses. It remains one of the largest exposures of sensitive personal data in history.

The technical cause was a known, unpatched vulnerability. The attackers exploited CVE-2017-5638, a critical remote code execution flaw in the Jakarta Multipart parser of Apache Struts 2, a popular web application framework. As the NVD record describes, a crafted Content-Type header could cause the framework to execute arbitrary commands. The flaw carried a CVSS score of 9.8 out of 10 and was being actively exploited in the wild within days of its public disclosure in March 2017.

The damning detail is timing. A patch for CVE-2017-5638 was available in March 2017, months before the breach. Equifax ran a vulnerable Struts application on an internet-facing system and did not apply the fix. The GAO report identified compounding failures: gaps in identifying vulnerable systems, failures to detect the intrusion for an extended period, insufficient segmentation of databases, and weak data governance. The attackers had access for roughly two and a half months before they were discovered.
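Because the flaw above was triggered through a single malformed request header, one concrete detection control that addresses the gap the GAO report describes is a check of web-server access logs for OGNL expression syntax in the Content-Type header. The following is an added example, not Equifax's, Apache's, or the GAO's code; it assumes an Apache-style log format that records the request's Content-Type as the last quoted field, and the log lines it scans are constructed samples with a harmless placeholder expression.

```python
import re

# Assumed (not from the page): an Apache access log whose LogFormat appends
# the Content-Type request header as the final quoted field, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Content-Type}i\"" struts
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ctype>[^"]*)"$'
)

# OGNL expressions are delimited by %{ ... } or ${ ... }. A legitimate
# Content-Type is a media type plus parameters and never contains either,
# so their presence in that header is a strong CVE-2017-5638 indicator.
OGNL_MARKER = re.compile(r"%\{|\$\{")


def is_suspicious_content_type(ctype: str) -> bool:
    """True if the Content-Type value carries OGNL expression delimiters."""
    return OGNL_MARKER.search(ctype) is not None


def parse_line(line: str):
    """Split one access-log line into fields, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_struts_probe_attempts(lines):
    """Return the requests whose Content-Type header looks like an OGNL probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_content_type(rec["ctype"]):
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "ctype": rec["ctype"]})
    return hits


# Constructed sample log lines (not real traffic). The second header holds a
# placeholder expression that does nothing; it only has the OGNL delimiters.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2017:12:00:01 +0000] "POST /upload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----sample"',
    '192.0.2.11 - - [10/Mar/2017:12:00:02 +0000] "POST /upload.action HTTP/1.1" 500 0 "%{#placeholder}"',
    '192.0.2.12 - - [10/Mar/2017:12:00:03 +0000] "GET /index.action HTTP/1.1" 200 2048 "-"',
    '192.0.2.13 - - [10/Mar/2017:12:00:04 +0000] "POST /api HTTP/1.1" 200 64 "application/json; charset=utf-8"',
]

if __name__ == "__main__":
    for hit in find_struts_probe_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']} ({hit['status']}): {hit['ctype']}")
```

A hit with a 500 status still means the parser processed the header, so the check is worth running over the full retention window rather than only recent logs.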

The consequences were severe. In 2019 the Federal Trade Commission, the Consumer Financial Protection Bureau, and the states announced a settlement requiring Equifax to pay up to 575 million dollars, potentially rising to 700 million. The breach became a standard teaching example of how a single missed patch on a known vulnerability can cascade into one of the most expensive security failures on record.