Equifax Data Breach Exposes 147 Million Americans Due to Unpatched Apache Struts Vulnerability

Importance: 10/10 | Status: confirmed

Hackers begin systematically exfiltrating personal data of 147.9 million Americans from Equifax systems through an unpatched Apache Struts vulnerability (CVE-2017-5638). The breach, which Equifax would not disclose until September 7, 2017, represents one of the largest cybercrimes related to identity theft in history. Stolen data includes names, Social Security numbers, birth dates, addresses, driver’s license numbers, and 209,000 payment card numbers. Additionally, 15.2 million British citizens and 19,000 Canadian citizens were compromised.

The breach exemplifies corporate negligence and regulatory capture. Apache released a critical security patch on March 7, 2017—two months before the major data exfiltration—but Equifax failed to apply it despite the vulnerability receiving a maximum 10.0 severity score. Forensics later revealed attackers first breached Equifax systems on March 10, 2017, just three days after the patch was released. The breach exploited regulatory weaknesses in the credit reporting industry, where companies hold massive amounts of sensitive consumer data with minimal accountability. Despite the catastrophic security failure, no Equifax executives faced criminal charges. The case demonstrates how the U.S. regulatory system inadequately protects consumer data from corporate negligence, with credit bureaus operating with impunity despite holding the financial identities of virtually all American adults.
