On March 9, 2017, an email went out to more than 400 system administrators at Equifax. The message was simple: a critical vulnerability had just been disclosed in a piece of software the company ran, and it needed to be patched within 48 hours.
If you’ve ever worked in IT, you already know how this story feels. You’ve gotten that email. The one that lands in a queue alongside forty other things on fire, gets a mental “yeah, I’ll get to that,” and then quietly slips beneath the surface of a busy week.
At Equifax, one of those servers never got patched. Two months later, attackers walked through the exact hole that email warned about — and stayed inside the network, undetected, for 76 days. By the time anyone noticed, the most sensitive personal data of roughly 147 million Americans was gone: names, Social Security numbers, dates of birth, addresses, and in millions of cases, driver’s license and credit card numbers.
Here’s the part the headlines usually skip. This was not an unstoppable, state-of-the-art cyberattack. The U.S. House Oversight Committee, the Government Accountability Office, and the forensics firm Mandiant all reached the same conclusion: the breach was entirely preventable. It was the predictable result of ordinary failures — a missed patch, an expired certificate, a flat network, passwords sitting in a plaintext file — stacked on top of each other until they collapsed.
Let’s make this simple. We’re going to walk through exactly how it happened, step by step, the way a defender would reconstruct it. And if you came up through help desk, sysadmin, networking, or infrastructure, pay attention to how familiar every single failure feels. That familiarity is the whole point.
The way in: a known vulnerability with a patch already available
The front door was a web application called ACIS — Equifax’s online portal that let consumers dispute errors on their credit reports. It ran on Apache Struts, a common open-source framework for Java applications.
In early March 2017, the Apache Software Foundation disclosed a critical flaw in Struts, tracked as CVE-2017-5638. The vulnerability lived in the framework’s Jakarta Multipart parser and let an attacker run arbitrary commands on the server just by injecting a malicious expression into the Content-Type header of a web request. No login required. Full remote code execution. It earned a CVSS severity score of 10.0 — the maximum possible.
The timeline is what makes this sting:
- March 7 — Apache discloses the flaw and releases the patch the same day.
- March 8 — US-CERT publicly warns the industry, Equifax included.
- March 9 — Equifax’s own vulnerability team emails 400+ admins: patch within 48 hours.
- May 13 — Attackers, having scanned the internet for vulnerable Struts servers, hit the unpatched ACIS portal and get in.
For more than two months, a maximum-severity vulnerability with a freely available fix sat exposed on an internet-facing system that handled credit dispute data. The patch existed before the attack. It just never made it onto that server.
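As an added, defender-side illustration (not code from the article, from Equifax or from Apache), the check below validates the Content-Type header against the HTTP media-type grammar and flags values carrying OGNL expression openers, since that header is what the Struts flaw abused; the request records are constructed samples.

```python
import re

# RFC 7230 token characters; a media type is token "/" token plus optional ;name=value parameters.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = rf'{TOKEN}=(?:{TOKEN}|"[^"]*")'
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{PARAM})*\s*$")

# OGNL expression openers. CVE-2017-5638 fired when expression syntax sat in a Content-Type
# value that the multipart parser copied into a message which was then evaluated.
OGNL_MARKERS = ("%{", "${")


def classify_content_type(value):
    """Return 'suspicious' for expression markers, 'malformed' for grammar violations, else 'ok'."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "suspicious"
    if MEDIA_TYPE_RE.match(value):
        return "ok"
    return "malformed"


# Constructed sample requests (timestamp, client, path, Content-Type); not real traffic.
SAMPLE_REQUESTS = [
    ("2017-05-13T02:14:07Z", "203.0.113.7", "/dispute/upload", "multipart/form-data; boundary=----abc123"),
    ("2017-05-13T02:14:09Z", "203.0.113.7", "/dispute/submit", "application/x-www-form-urlencoded"),
    ("2017-05-13T02:15:31Z", "198.51.100.23", "/dispute/upload", '%{(#constructed="placeholder")}'),
    ("2017-05-13T02:15:44Z", "198.51.100.23", "/dispute/upload", "multipart/form-data; boundary=x; ${#marker}"),
    ("2017-05-13T02:16:02Z", "192.0.2.50", "/dispute/upload", "text/plain; charset"),
]


def scan_requests(records):
    """Return one finding per request whose Content-Type is anything other than a clean media type."""
    findings = []
    for ts, client, path, content_type in records:
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            findings.append({"ts": ts, "client": client, "path": path,
                             "verdict": verdict, "content_type": content_type})
    return findings


def suspicious_clients(records):
    """Clients that sent at least one expression-bearing header: the ones to block and investigate."""
    return sorted({f["client"] for f in scan_requests(records) if f["verdict"] == "suspicious"})


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding["verdict"].upper(), finding["client"], finding["content_type"])
```

A malformed-but-marker-free header is reported separately, because a broken client and an attacker probing the parser look different in triage even though neither should reach the application unchecked.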
This is Inventory and Threats failing together — and it’s the first lesson defenders take from Equifax. You cannot patch what you don’t know you have. We’ll come back to that.
76 days of silence: how a single server became 48 databases
Once inside, the attackers didn’t need to be sophisticated, because nothing inside the network forced them to be.
They dropped a lightweight web shell — the well-known “China Chopper” — giving them persistent command-line access. From that beachhead, they ran the kind of built-in Windows commands any sysadmin recognizes (net view, nbtstat) to map the internal network and find the databases worth stealing.
Then they got lucky in a way that should never have been possible: they found an unsecured file share containing administrative usernames and passwords stored in plaintext. Game over for any pretense of segmentation. With those credentials, they moved laterally using ordinary admin tooling — WMI, PowerShell Remoting, PsExec — the same tools legitimate administrators use every day.
The ACIS application needed access to roughly three back-end databases to do its job. Because the network was essentially flat, with no meaningful internal segmentation, the attackers reached 48 of them. Over the intrusion, they ran an estimated 9,000 SQL queries, pulling consumer records out by the millions.
To get the data out, they compressed it into 10-gigabyte chunks and shipped it through standard encrypted HTTPS, routed across roughly 34 proxy servers in nearly 20 countries to mask the destination. To Equifax’s defenses, it looked like normal web traffic.
And this is where the most quietly devastating detail of the entire breach comes in.
Equifax owned a device specifically designed to catch this — an SSL Visibility Appliance that decrypts and inspects outbound encrypted traffic looking for exactly this kind of data theft. It would have screamed. Except the digital certificate that device needed to do its job had expired roughly 19 months earlier. With an invalid certificate, the appliance simply waved all encrypted traffic through, uninspected. The single tool that could have caught the exfiltration had been blind for over a year and a half.
The breach wasn’t discovered through clever detection. It was discovered by accident. On July 29, an IT staffer finally renewed that expired certificate. The instant the appliance came back online and started inspecting traffic, alerts flooded in — anomalous data flows leaving the ACIS system, headed toward a foreign IP. Equifax shut the portal down the next day, ending a 76-day intrusion they’d been blind to the entire time.
This wasn’t a one-off oversight, either. Investigators later found that Equifax had let over 300 certificates expire across the enterprise, including 79 on business-critical systems. The blindness was a pattern, not an accident.
Reading the disaster through a defender’s lens
Here’s the thing that should give every IT pro reading this a strange jolt of confidence: you can map this entire catastrophe onto a single, repeatable way of thinking. At Blue Team Academy we call it the Threat & Control Method — Inventory → Threats → Controls → Scale — and Equifax failed at every stage in a way you can name precisely.
Inventory — you can’t protect what you can’t see. Equifax had no reliable inventory of what systems ran Apache Struts. Their vulnerability scanners were misconfigured and didn’t even check the directories where ACIS lived, which created a false sense of safety — the scans came back clean, so administrators assumed they were fine. Asset visibility isn’t busywork. It’s the foundation everything else stands on.
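One concrete form of that inventory, added here as an illustration rather than Equifax's own tooling: walk every directory under a root for Struts core jars and compare their versions against the fixed release. The directory layout, jar names and version numbers are constructed, and the fixed version is a placeholder to be replaced with the one in the vendor advisory.

```python
import os
import re
import tempfile

# struts2-core-<version>.jar, wherever it sits on disk.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.3.4' into (2, 3, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_struts_jars(root):
    """Return (path, version) for every Struts core jar under root, whatever directory it lives in."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if match:
                found.append((os.path.join(dirpath, name), match.group(1)))
    return found


def vulnerable_jars(root, fixed_version):
    """Paths of Struts jars older than fixed_version (the first release carrying the vendor's fix)."""
    threshold = parse_version(fixed_version)
    return sorted(path for path, version in find_struts_jars(root) if parse_version(version) < threshold)


def build_sample_tree():
    """Constructed layout: one app under the conventional webapps path and two copies elsewhere
    that a scanner pointed only at the 'usual' directory never sees. All versions are made up."""
    root = tempfile.mkdtemp()
    layout = {
        "opt/tomcat/webapps/portal/WEB-INF/lib": ["struts2-core-9.9.9.jar", "other-lib-1.0.jar"],
        "srv/legacy/acis/WEB-INF/lib": ["struts2-core-9.8.0.jar"],
        "home/deploy/backup": ["struts2-core-9.7.3.jar"],
    }
    for rel, names in layout.items():
        directory = os.path.join(root, *rel.split("/"))
        os.makedirs(directory)
        for name in names:
            open(os.path.join(directory, name), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    fixed = "9.9.9"  # placeholder: take the real value from the vendor advisory
    print("narrow scan:", vulnerable_jars(os.path.join(root, "opt", "tomcat", "webapps"), fixed))
    print("full scan:  ", vulnerable_jars(root, fixed))
```

The narrow scan comes back clean while the full scan finds two exposed copies, which is the false sense of safety the misconfigured scanners produced.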
Threats — knowing what can go wrong, and prioritizing it. The threat here wasn’t theoretical. It was a publicly disclosed, maximum-severity, actively exploited vulnerability with a vendor patch and a government alert attached. The information was all there. What was missing was a process to turn “we got a CVE alert” into “this specific server is patched, confirmed, today.”
Controls — choosing defenses and verifying they actually work. Equifax didn’t lack security controls. It had a patch policy, vulnerability scanners, and a traffic-inspection appliance. Every one of them failed — not because they didn’t exist, but because nobody verified they worked. A patch policy with no enforcement. A scanner pointed at the wrong place. An inspection device blinded by an expired certificate. The lesson defenders carry forward is brutal and clear: the presence of a control is not the same as the control working. You have to test it.
Scale — and this is the failure that turned a bad day into a historic one. A single compromised web server should never be able to reach 48 unrelated databases. Network segmentation, least-privilege access, and not storing admin passwords in a plaintext file are the controls that contain a breach instead of letting it metastasize. Equifax had none of them in place, so one foothold scaled into a total compromise.
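As an added example of the Scale lesson (not Equifax's configuration or code), the check below compares observed database connections from the application host against an expected-flow baseline, the few databases and the one service account the application actually needs, and reports everything beyond it. Host names, account names and the connection records are constructed.

```python
from collections import defaultdict

# Constructed baseline: the back-end databases each application host legitimately needs,
# and the service account that should be the only one connecting from it.
EXPECTED_FLOWS = {
    "acis-web-01": {
        "databases": {"db-dispute-01", "db-dispute-02", "db-consumer-01"},
        "accounts": {"svc_acis"},
    },
}

# Constructed connection records (timestamp, source host, destination host, account); not real logs.
SAMPLE_CONNECTIONS = [
    ("2017-05-14T01:02:03Z", "acis-web-01", "db-dispute-01", "svc_acis"),
    ("2017-05-14T01:02:09Z", "acis-web-01", "db-consumer-01", "svc_acis"),
    ("2017-05-14T01:30:41Z", "acis-web-01", "db-hr-07", "dbadmin"),
    ("2017-05-14T01:31:02Z", "acis-web-01", "db-marketing-12", "dbadmin"),
    ("2017-05-14T01:31:15Z", "acis-web-01", "db-payments-03", "dbadmin"),
    ("2017-05-14T01:32:00Z", "acis-web-01", "db-dispute-02", "dbadmin"),
]


def assess_connections(connections, expected):
    """Return (record, reasons) for each connection that leaves the baseline: a destination the
    host has no business reaching, or an account that should never connect from that host."""
    findings = []
    for record in connections:
        _ts, src, dst, account = record
        baseline = expected.get(src, {"databases": set(), "accounts": set()})
        reasons = []
        if dst not in baseline["databases"]:
            reasons.append("unexpected destination")
        if account not in baseline["accounts"]:
            reasons.append("unexpected account")
        if reasons:
            findings.append((record, reasons))
    return findings


def blast_radius(connections, expected):
    """Per host: (distinct databases actually reached, databases it needs). The 3-vs-48 question."""
    reached = defaultdict(set)
    for _ts, src, dst, _account in connections:
        reached[src].add(dst)
    return {src: (len(dsts), len(expected.get(src, {}).get("databases", ())))
            for src, dsts in reached.items()}


if __name__ == "__main__":
    for record, reasons in assess_connections(SAMPLE_CONNECTIONS, EXPECTED_FLOWS):
        print(record[1], "->", record[2], "as", record[3], ":", ", ".join(reasons))
    print(blast_radius(SAMPLE_CONNECTIONS, EXPECTED_FLOWS))
```

The same baseline that drives the alert is the one a firewall or database ACL should enforce; detecting the excess is the fallback for when segmentation is missing, not a substitute for it.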
None of that is rocket science. Every one of those gaps is something an experienced IT professional can look at and immediately understand — because you already manage patches, certificates, network segments, and credentials. You already speak this language. What Equifax was missing wasn’t genius. It was direction.
The part that was technical was bad. The part that was human was worse.
It would be generous to say the failure stopped at the network perimeter. The breach also exposed an organizational problem that no firewall can fix.
At Equifax, the Chief Security Officer didn’t report to the Chief Information Officer. She reported to the Chief Legal Officer. Security wrote the policies — including that 48-hour patch rule — but had no operational authority over the IT teams responsible for actually carrying them out. Investigators called it an “accountability gap”: the people responsible for security couldn’t enforce it, and the people who could enforce it weren’t accountable for security. A 48-hour patch deadline means nothing if no one has the authority to make it happen.
When the breach went public on September 7, 2017 — six weeks after Equifax discovered it internally — the response managed to make a catastrophe worse:
- Instead of hosting breach information on its trusted equifax.com domain, the company spun up a brand-new lookalike site, equifaxsecurity2017.com, on a shared certificate. It looked exactly like a phishing page, and some browsers flagged it as one. A security researcher registered a near-identical typo domain to prove the point — and Equifax’s own Twitter account spent hours directing worried victims to the fake site by mistake.
- The PINs Equifax issued so consumers could freeze and unfreeze their credit weren’t random. They were timestamps of when the freeze was requested — trivially guessable.
- The free credit monitoring Equifax offered came wrapped in fine print requiring victims to waive their right to sue. Public outrage forced a reversal within days.
And in the weeks between internal discovery and public disclosure, multiple executives sold company stock. One — Jun Ying, CIO of a U.S. business unit — used internal information to deduce the breach’s scale, sold nearly $1 million in options before the news broke, avoided over $117,000 in losses, and was later indicted by the SEC, pled guilty, and went to federal prison.
The reckoning
The numbers that followed were historic. Equifax’s stock dropped about 30% in the days after disclosure. The CEO, CIO, and CSO all departed. In July 2019, the company agreed to a settlement of at least $575 million — the largest data breach settlement in U.S. history at the time — including a consumer fund, civil penalties, and a mandate to maintain an independently audited security program for 20 years. All-in costs eventually topped $1.4 billion.
In February 2020, the Department of Justice indicted four members of China’s People’s Liberation Army for the intrusion, reframing the breach as state-sponsored espionage rather than ordinary cybercrime. The data, prosecutors argued, wasn’t stolen to be sold — it was harvested to feed intelligence and AI development.
But the people most affected weren’t the executives or the company. They were the 147 million ordinary people whose Social Security numbers and birth dates — identifiers that cannot be changed — are now permanently in the wild. As one widely cited observation put it at the time: in the credit bureau model, consumers were never really Equifax’s customers. They were its product. They couldn’t opt out, so they had no leverage to demand the company protect them.
Why this story matters to someone coming from IT
It’s tempting to read all this and conclude that security is impossibly hard. The honest takeaway is the opposite.
Read back through every failure in this breach. An unpatched server. An expired certificate. A flat network with no segmentation. Admin passwords in a plaintext file. A scanner pointed at the wrong directory. A monitoring tool nobody verified was working. Not one of those requires elite, exotic, hacker-movie knowledge to understand. They require someone who knows how infrastructure actually works — someone who has been the person managing patches, renewing certs, segmenting networks, and locking down credentials.
That someone looks a lot like you.
The myth that you have to “start over” to get into cybersecurity gets this exactly backwards. The Equifax breach is, top to bottom, a story of operational IT decisions gone wrong. The professionals best equipped to have caught it weren’t fresh security graduates — they were experienced IT people who understood the business context, knew what that server actually did, and could have said “we cannot leave this unpatched.” Defense is your existing knowledge, viewed through a sharper lens.
That lens — learning to look at any environment and systematically work through what exists, what can go wrong, what controls close the gap, and how to repeat that reasoning anywhere — is exactly what we teach at Blue Team Academy. Not tools to memorize. A way to think.
If you found yourself nodding along to the technical parts of this breakdown, you’re closer to security thinking than you give yourself credit for. Follow along for the rest of the Breach Files series — we take the biggest security disasters in history apart, decision by decision, and show how the people who prevent them think. Because cybersecurity, it turns out, is not rocket science. It’s discipline, visibility, and direction.