
Internal Equifax documents revealed IT staff identified the Apache Struts vulnerability in March 2017 but failed to patch systems. Hackers exploited this known flaw to steal 147 million Americans' personal data.
“The breach was due to an unknown zero-day vulnerability”
When 147 million Americans woke up to the news of the Equifax data breach in September 2017, the company's narrative was simple: they were victims of sophisticated hackers exploiting a previously unknown vulnerability. The breach exposed names, Social Security numbers, birth dates, and addresses—essentially everything needed to commit identity theft on a massive scale. Equifax executives promised an investigation and offered free credit monitoring, hoping the story would fade. But internal documents later revealed a more damning truth: Equifax knew about the vulnerability months before the breach occurred and did nothing.
The vulnerability in question was the Apache Struts flaw, a well-documented security weakness that security researchers had identified and publicly disclosed in March 2017. This wasn't a zero-day exploit that caught the industry off guard—it was a known problem with a known fix. Equifax's own IT staff identified the vulnerable code in the company's systems that same month. Despite this knowledge, the company failed to apply the patch to its systems. Hackers exploited this unpatched flaw in May 2017, gaining access to the sensitive data of roughly half the American population.
Initially, Equifax and cybersecurity analysts downplayed human negligence in the breach. Some suggested the vulnerability was particularly tricky to locate or that the company's systems were too complex to patch quickly. The implication was that this was a systemic problem affecting many corporations, not a failure specific to Equifax. The company's leadership avoided admitting to any timeline of awareness that would suggest preventable negligence.
Documents produced during subsequent regulatory investigations and lawsuits told a different story entirely. Internal emails and technical logs showed that Equifax IT staff had flagged the vulnerability and knew patches were available. The company's patch management system had failed—not due to technical complexity, but due to organizational failures, missed deadlines, and inadequate security prioritization. There was no evidence of unusual circumstances that prevented patching. The vulnerability remained open from March until May, a two-month window during which the company's most valuable asset, its database of Americans' personal information, sat exposed.
The breach ultimately became the largest consumer data breach in history at that time. The company eventually agreed to a $700 million settlement, a number that seemed almost arbitrary compared to the scope of the damage: millions of Americans dealing with years of potential identity theft, fraud alerts, and the psychological burden of knowing their most sensitive information had been stolen.
This case matters because it exposes a common assumption about data breaches—that they're typically unavoidable acts of technical sophistication. The Equifax breach revealed something simpler and more troubling: a major corporation holding sensitive data on virtually every American was breached because it failed at basic cybersecurity hygiene. They knew. Their IT staff warned them. Leadership either ignored the warnings or lacked the systems to act on them.
For public trust, this is corrosive. It suggests that companies holding our most sensitive information may not prioritize our security even when the path forward is clear and simple. The vulnerability wasn't cutting-edge or unknown. The fix wasn't complex or expensive. What was missing was organizational accountability—the very thing that might actually prevent future breaches.





