What Happened
On September 7, 2017, Equifax disclosed a breach that exposed personal information of 147 million people. The attack exploited CVE-2017-5638, a remote code execution vulnerability in Apache Struts 2. This vulnerability was publicly disclosed on March 7, 2017—157 days before Equifax announced the breach.
The Department of Homeland Security's US-CERT issued an alert about the vulnerability on March 8. Equifax's security team received the notification and scanned for vulnerable systems but missed a critical public-facing web application. Attackers gained initial access on May 13, 2017—67 days after disclosure—and maintained access until July 30.
Timeline
March 7, 2017: Apache Software Foundation discloses CVE-2017-5638 and releases a patch. The vulnerability allows unauthenticated remote code execution through malformed Content-Type headers.
March 8, 2017: US-CERT issues alert TA17-067A. Equifax's security team receives notification and initiates internal scans.
March 9, 2017: Equifax's security team issues internal notification requiring all systems running Apache Struts to be patched within 48 hours.
March 15, 2017: Internal deadline passes. The ACIS (Automated Consumer Interview System) portal remains unpatched and undetected by vulnerability scans.
May 13, 2017: Attackers exploit the unpatched ACIS system, gaining initial access to Equifax's network.
May 13 - July 30, 2017: Attackers move laterally and exfiltrate data through encrypted channels. The expired certificate on Equifax's SSL inspection device prevents it from inspecting the outbound traffic.
July 29, 2017: Equifax discovers suspicious network traffic during routine security review.
July 30, 2017: Equifax blocks the attack and begins incident response.
September 7, 2017: Public disclosure.
Which Controls Failed or Were Missing
Asset Inventory: Equifax could not definitively identify all systems running Apache Struts. The ACIS portal was not included in the vulnerability scan scope. You cannot patch what you cannot see.
Vulnerability Scanning Coverage: The scanning tool used by Equifax's team did not detect the vulnerable Struts version on the ACIS system. The tool was configured to scan web servers, but the vulnerable component was embedded in application code that required deeper inspection.
Patch Verification: Equifax issued a 48-hour patch deadline but had no automated mechanism to verify compliance. The security team relied on manual confirmation from system owners. The ACIS team never responded to the patch notification, and no escalation process triggered.
Network Segmentation: Once inside the ACIS system, attackers moved to 51 databases containing consumer data. These databases were accessible from the compromised web application without additional authentication barriers.
Egress Monitoring: Attackers exfiltrated data through encrypted SSL connections over 76 days. Equifax's SSL inspection certificate had expired 19 months earlier, rendering the monitoring system unable to decrypt and inspect outbound traffic.
Access Logging: The compromised system generated authentication logs, but Equifax did not retain or monitor them effectively. The attackers used stolen credentials to access databases, but this activity did not trigger alerts.
What the Relevant Standard Requires
PCI DSS v4.0.1 Requirement 6.3.1 mandates that you identify security vulnerabilities using reputable sources and assign a risk ranking to newly discovered vulnerabilities. The requirement specifically states you must maintain an inventory of system components that are in scope.
Requirement 6.3.2 requires you to install critical security patches within one month of release. For systems facing the internet, the timeline is tighter—you need compensating controls if you cannot patch immediately. Equifax had the patch available on March 7. The attack occurred on May 13—67 days later.
Requirement 11.3.1 requires external vulnerability scans at least quarterly and after significant changes. These scans must be performed by an Approved Scanning Vendor (ASV) or internal staff with equivalent expertise. The scans must cover all system components in the cardholder data environment. Equifax's scans missed a critical public-facing application.
NIST 800-53 Rev 5 Control RA-5 (Vulnerability Monitoring and Scanning) requires you to scan for vulnerabilities in systems and applications, remediate legitimate vulnerabilities based on risk assessment, and share vulnerability information with designated personnel. The control enhancement RA-5(5) specifically addresses privileged access—you should monitor systems with elevated privileges more frequently.
Control SI-3 (Malicious Code Protection) requires you to implement detection and eradication mechanisms at system entry and exit points. Equifax's expired SSL certificate made egress monitoring ineffective. You cannot detect what you cannot inspect.
ISO/IEC 27001:2022 Control 8.8 (Management of technical vulnerabilities) requires you to obtain timely information about technical vulnerabilities, evaluate exposure, and take appropriate action. The control explicitly states you should define time periods for taking action based on risk.
Lessons and Action Items for Your Team
Build a Complete Asset Inventory: You need a single source of truth for every system component, especially those running common frameworks like Struts, Spring, or Django. Tag each asset with its technology stack, exposure level (internet-facing vs. internal), and data classification. Update this inventory automatically—manual spreadsheets drift within days.
Verify Patch Deployment, Not Just Issuance: Sending a patch notification is not the same as patching. Implement automated verification that checks actual software versions on production systems. If a system owner does not respond within your SLA, escalate automatically to their manager and the CISO. Track patch compliance as a metric in your security dashboard.
Expand Vulnerability Scanning Beyond Network Layer: Application-level vulnerabilities require application-layer scanning. Deploy DAST tools that test running applications, not just open ports. For critical frameworks, use software composition analysis (SCA) to identify vulnerable dependencies even when they are buried in compiled code.
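As an added example (not code from the article or from Equifax), the verification described under "Verify Patch Deployment" and the dependency check described above, in Python: instead of waiting for a system owner's reply, read the struts2-core jar actually present in each deployment's WEB-INF/lib listing, compare it with the version ranges affected by CVE-2017-5638, and flag hosts still vulnerable past the 48-hour SLA for escalation. Host names, jar listings and the notification time are constructed.

```python
import re
from datetime import datetime, timedelta

# Struts 2 versions affected by CVE-2017-5638 (S2-045): 2.3.5 to 2.3.31 and
# 2.5 to 2.5.10; fixed in 2.3.32 and 2.5.10.1. Compared as 4-part tuples.
AFFECTED_RANGES = [((2, 3, 5, 0), (2, 3, 31, 0)), ((2, 5, 0, 0), (2, 5, 10, 0))]
STRUTS_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); shorter versions are zero-padded."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))

def is_vulnerable(version):
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def struts_version_from_libs(jar_names):
    """Version of the struts2-core jar in a WEB-INF/lib listing, or None."""
    for name in jar_names:
        if (m := STRUTS_JAR.match(name)):
            return m.group(1)
    return None

def patch_status(hosts, notified_at, sla_hours, now):
    """Classify each host by what is deployed, not by whether the owner replied."""
    deadline = notified_at + timedelta(hours=sla_hours)
    status = {}
    for host, libs in hosts.items():
        version = struts_version_from_libs(libs)
        if version is None:
            status[host] = "not_struts"
        elif not is_vulnerable(version):
            status[host] = "patched"
        elif now <= deadline:
            status[host] = "vulnerable_within_sla"
        else:
            status[host] = "vulnerable_escalate"  # SLA missed: owner's manager and CISO
    return status

# Constructed sample: hypothetical hosts and jar listings, 48-hour SLA from a constructed notice time.
NOTIFIED_AT = datetime(2017, 3, 9, 9, 0)
SAMPLE_HOSTS = {
    "acis-web-01": ["commons-io-2.4.jar", "struts2-core-2.3.30.jar"],
    "hr-portal-02": ["struts2-core-2.5.10.1.jar"],
    "billing-03": ["spring-core-4.3.7.RELEASE.jar"],
}

def check_sample(hours_after_notice, sla_hours=48):
    now = NOTIFIED_AT + timedelta(hours=hours_after_notice)
    return patch_status(SAMPLE_HOSTS, NOTIFIED_AT, sla_hours, now)
```

In a real deployment the jar listings come from an agent or an SCA tool reading the unpacked WAR, and the "vulnerable_escalate" state feeds the automatic escalation and the compliance metric described above.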
Segment Your Most Sensitive Data: If attackers compromise a web application, they should not have direct database access. Place a bastion host or API gateway between your web tier and database tier. Require separate authentication for database connections. Monitor and alert on any database query originating from a web application server—every query should be logged with the authenticated user context.
Fix Your Egress Monitoring: Replace expired SSL inspection certificates immediately. This is not optional infrastructure—it is a security control. Configure your monitoring system to alert when certificates approach expiration. If you cannot inspect encrypted traffic, you cannot detect exfiltration.
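An added example, not from the article: a Python check over inspection-certificate expiry dates that reports expired and soon-to-expire certificates, parsing the notAfter format that Python's ssl.getpeercert() returns. Device names and dates are constructed, and the audit runs as of July 29, 2017, the discovery date in the timeline above.

```python
import ssl
from datetime import datetime, timezone

def days_until_expiry(not_after, now):
    """Days left on a cert whose notAfter is in the format ssl.getpeercert()
    returns ('%b %d %H:%M:%S %Y GMT'); negative once it has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def classify(not_after, now, warn_days=30):
    """EXPIRED means the inspection point has been blind since that date."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"

def audit(certs, now, warn_days=30):
    """Map device name -> (status, days) for the alerting pipeline."""
    report = {}
    for device, not_after in certs.items():
        report[device] = (classify(not_after, now, warn_days),
                          days_until_expiry(not_after, now))
    return report

# Constructed sample: hypothetical inspection devices and notAfter values.
SAMPLE_CERTS = {
    "egress-inspect-01": "Jan 31 12:00:00 2016 GMT",
    "egress-inspect-02": "Aug 20 12:00:00 2017 GMT",
    "egress-inspect-03": "Jan 15 12:00:00 2019 GMT",
}
AS_OF = datetime(2017, 7, 29, 12, 0, tzinfo=timezone.utc)

def audit_sample():
    return audit(SAMPLE_CERTS, AS_OF)
```

An EXPIRED result should page the same way a failed sensor does; a negative day count tells you how long outbound traffic has gone uninspected.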
Set Time-Based SLAs Based on Exploitability: The median time to exploitation has dropped to 1.6 days for critical vulnerabilities. Your patch SLA should reflect this reality. For remote code execution vulnerabilities in internet-facing systems, your SLA should be measured in hours, not weeks. For the ACIS breach, the 48-hour deadline was reasonable—the failure was in verification and enforcement.
Test Your Vulnerability Notification Workflow: Send a test critical vulnerability alert to your team quarterly. Track who responds, how quickly they patch, and whether your verification tools correctly detect the fix. Equifax's process looked adequate on paper but failed under real conditions.
The Equifax breach was not caused by a sophisticated zero-day attack. It was caused by a known vulnerability, a published patch, and a series of control failures that are entirely preventable. Your vulnerability management process is only as strong as your ability to verify that patches actually deploy to every system in scope.