A Different Kind of Breach
Most data breaches involve services you chose to sign up for — a social network, an online store, a gaming platform. The Equifax breach was different. Equifax is a credit reporting agency. They had your data whether you wanted them to or not.
In September 2017, Equifax announced that attackers had accessed the personal information of approximately 147 million Americans — nearly half the country's population.
What Was Exposed
The stolen data included:
- Social Security numbers for 145.5 million people
- Birth dates, addresses, and full names
- Driver's license numbers for approximately 10 million people
- Credit card numbers for roughly 209,000 consumers
- Dispute documents containing additional personal information
This combination of data is essentially a complete identity theft toolkit. Unlike a password that can be changed, your Social Security number and date of birth are permanent identifiers.
The Vulnerability
The breach exploited a known vulnerability in Apache Struts (CVE-2017-5638), an open-source web application framework. A patch had been available for over two months before the attackers exploited the flaw.
Equifax's security team had been notified of the vulnerability and instructed to patch it within 48 hours. That never happened. The attackers were inside Equifax's systems for 76 days before being detected.
Compounding Failures
The breach itself was bad enough. Equifax's response made it worse:
- Delayed disclosure — the breach was discovered July 29 but not announced until September 7
- Executive stock sales — three Equifax executives sold shares worth $1.8 million days after the breach was discovered internally
- Broken remediation — Equifax's breach notification website was riddled with bugs and initially directed some users to a phishing site
What Changed
The Equifax breach became a turning point in cybersecurity policy:
- Credit freezes became free — legislation mandated that all three credit bureaus allow free credit freezes
- Regulatory action increased — Equifax paid a $700 million settlement, the largest ever for a data breach at the time
- Patching urgency — the breach became a textbook example of why timely patching is non-negotiable
Protecting Yourself
If you were affected by the Equifax breach (and statistically, you likely were), these steps remain important:
- Freeze your credit at all three bureaus (Equifax, Experian, TransUnion) — this prevents new accounts from being opened in your name
- Monitor your accounts for unauthorized activity
- File your taxes early — stolen SSNs are frequently used for tax fraud
- Use an identity monitoring service to catch new exposures
Check LeakedSource to see if your information appears in breach databases, and set up continuous monitoring for your email and other identities.