Equifax Data Breach: Technical Root Cause, Compliance Failures, and Regulatory Fallout

TL;DR

  • Attackers exploited CVE-2017-5638, an Apache Struts vulnerability rated CVSS 9.8, for 76 days before Equifax detected it — not because the patch didn't exist, but because an expired SSL certificate had blinded the vulnerability scanner.
  • The breach exposed personal data of approximately 147.9 million Americans, 15.2 million UK citizens, and roughly 19,000 Canadians.
  • Equifax settled with the FTC, CFPB, and 48 states for $575 million: $300 million in a consumer compensation fund, $175 million to states and territories, and a $100 million civil penalty to the CFPB.
  • The U.S. House Oversight Committee concluded the breach was entirely preventable given the tools and expertise Equifax already had.
  • Every control that would have stopped this attack — patch management, certificate monitoring, network segmentation, data minimization — is a standard requirement in SOC 2, PCI DSS, ISO 27001, and NIST CSF.

Who this is for: Security and compliance teams at startups and mid-sized companies building or maturing their programs. This case study maps the exact control gaps that let the Equifax breach run for 76 days to the specific framework requirements that would have closed them.


What Happened: A Timeline Built on Missed Checkpoints

On March 10, 2017, the National Vulnerability Database published CVE-2017-5638, a flaw in the Jakarta Multipart parser in Apache Struts 2. The CVSS 3.1 score was 9.8 — one notch below the theoretical maximum. A patch was available the same day. CISA added it to its Known Exploited Vulnerabilities catalog because active exploitation began almost immediately after disclosure.

Equifax's internal processes required critical patches to be applied within a defined window. IT teams ran vulnerability scans shortly after the disclosure. The scan missed the vulnerable web application because an SSL certificate on the inspection tool had expired — nine months before detection, according to the U.S. Senate Permanent Subcommittee on Investigations report. Without a valid certificate, the scanner could not inspect encrypted traffic to or from that server. The affected system was invisible to the team that was supposed to patch it.

Exploitation began on May 12, 2017. Attackers spent the next 76 days conducting over 9,000 database queries across 34 servers, moving through a network that had no meaningful segmentation between the public-facing web application and Equifax's consumer data stores. They exfiltrated data through encrypted channels that, because the inspection certificate was expired, generated no alerts.

On July 29, Equifax's security team renewed the expired certificate as part of routine maintenance. The inspection tool immediately flagged suspicious outbound traffic. The affected application was taken offline the following day. Public disclosure came September 7, 2017. CEO Richard Smith resigned on September 26.

The U.S. House Oversight Committee reviewed the incident and concluded that Equifax had the tools, expertise, and resources to prevent the breach — and chose not to prioritize the controls that would have done so.


The Five Failures and the Controls That Map to Them

This was not a zero-day attack. Equifax was not outpaced by a sophisticated adversary. The breach ran for 76 days on a known vulnerability with an available patch because of a chain of operational failures that every mainstream framework addresses.

Failure 1: An Unpatched Known Vulnerability

CVE-2017-5638 had a patch the day it was published. Equifax's internal policy required critical patches to be applied quickly. The patch was never applied to the affected system because no one confirmed that the system was within the scope of the scan.

The root cause here is not the missed patch — it is the incomplete asset inventory that made the scanner's blind spot possible. Equifax did not know this server existed in the scan scope. You cannot patch what you cannot see.

PCI DSS v4.0 Requirement 6.3.3 mandates applying all security patches within one month for critical vulnerabilities. Requirement 12.5.1 requires a complete inventory of all system components in scope. ISO 27001:2022 Control A.8.8 covers management of technical vulnerabilities. NIST CSF 2.0 ID.AM-1 requires identification of all assets within the organization's environment.

The shared lesson: vulnerability management programs that do not cross-reference scan coverage against a complete asset inventory will have blind spots. Those blind spots will eventually be discovered — by someone other than your security team.

Failure 2: Certificate Expiry That Disabled Monitoring

The SSL certificate on Equifax's network traffic inspection tool had expired nine months before the breach was discovered. Because the inspection tool could not establish valid encrypted sessions, it could not inspect traffic on encrypted channels. Equifax's attackers used those channels exclusively. Seventy-six days of data exfiltration generated no alerts.

When the certificate was renewed on July 29, the inspection tool immediately flagged the suspicious traffic. The security team took the application offline the next morning. One certificate renewal exposed an active breach that had been running for more than two months.

Certificate lifecycle management does not appear by name in most frameworks, but the underlying control does. SOC 2 CC7.2 requires monitoring for anomalies that indicate unauthorized activity. ISO 27001:2022 A.8.16 covers monitoring activities. NIST CSF DE.CM-1 covers network monitoring. An expired certificate that disables monitoring is a DE.CM-1 control failure.

For practical application: treat TLS/SSL certificate expiry as a security control, not a DevOps housekeeping task. Automated renewal (via AWS Certificate Manager, Let's Encrypt, or HashiCorp Vault PKI) and expiry alerts set 30 to 60 days in advance should be part of any monitoring program.

Failure 3: No Network Segmentation

Once attackers were inside the ACIS web application, they moved freely across Equifax's internal network. There were no access controls separating the public-facing portal from the databases containing consumer Social Security numbers, birth dates, and addresses. A single entry point was sufficient to reach 34 servers across multiple systems.

The House Oversight Committee report identified the flat network architecture as a critical amplifying factor. The vulnerability gave attackers an entry point. The lack of segmentation gave them the entire environment.

PCI DSS v4.0 Requirement 1.3 requires network access controls that prevent unauthorized traffic between systems. NIST SP 800-53 Rev 5 SC-7 covers boundary protection and network segmentation. ISO 27001:2022 A.8.22 requires network segregation. NIST CSF 2.0 PR.AC-5 covers network integrity and segregation.

The practical implication: a web application that handles user requests has no legitimate need to query a database of Social Security numbers for 209,000 credit card holders while simultaneously accessing records for 147 million others. Data flow mapping — understanding which systems need to communicate with which other systems and why — is the prerequisite for meaningful segmentation.

Failure 4: Excessive Data Retention

Equifax stored personally identifiable information well beyond any documented business need. Some records that were exposed dated back decades. The House Oversight Committee identified this as a factor that amplified the scope of harm: had Equifax disposed of records it no longer needed, fewer people would have been exposed.

This is a straightforward data minimization failure. The data existed because no one had defined retention limits and automated their enforcement.

NIST SP 800-53 Rev 5 SI-12 addresses information management and retention. PCI DSS v4.0 Requirement 3.2 prohibits storing sensitive authentication data after authorization. SOC 2 CC6.5 covers the disposal of confidential information. ISO 27001:2022 A.5.33 covers protection of records, including their retention and disposal.

For any organization: define maximum retention periods per data category, map those to your data stores, and automate deletion. Data you do not hold cannot be breached.

Failure 5: Security Governance That Could Not Escalate Risk

The Senate PSI report documented that Equifax's CISO reported to the Chief Legal Officer, not to the CEO or the board. Security investments were routinely deprioritized against revenue-generating projects. No single person owned the patch management program end-to-end. Board-level security briefings were infrequent.

The result was predictable: known risks did not reach decision-makers. The expired certificate, the incomplete asset inventory, and the flat network architecture were all known problems. They were not fixed because the governance structure did not create accountability for fixing them.

SOC 2 CC1.1 through CC1.5 address control environment, board oversight, and accountability structures. ISO 27001:2022 Clause 5 covers leadership commitment and organizational roles. NIST CSF 2.0 GV.OC covers organizational context and risk tolerance as governance inputs. PCI DSS v4.0 Requirement 12.1 requires a security policy that assigns accountability.

Governance is the control that enforces all other controls. When the CISO is two levels below the CEO and security budgets compete with feature roadmaps without executive arbitration, the technical controls will degrade over time.


The Regulatory Response

Federal Settlement

In July 2019, Equifax reached a global settlement with the FTC, the CFPB, 48 states, Washington D.C., and Puerto Rico, totaling $575 million:

Component                                  Amount
FTC consumer compensation fund             $300 million
State attorneys general and territories    $175 million
CFPB civil money penalty                   $100 million
Total                                      $575 million

Beyond financial penalties, the consent order required Equifax to implement a specific security program: annual third-party assessments, board-level reporting on security metrics, documented asset inventory processes, and vulnerability management procedures with defined SLAs.

UK Regulatory Action

The UK Financial Conduct Authority fined Equifax Ltd £11,164,400 for failing to manage and monitor the security of UK consumer data outsourced to its US parent. The FCA found that Equifax Ltd had inadequate oversight of the data processing arrangement and did not respond appropriately when it learned of the breach.

The UK Information Commissioner's Office separately issued a £500,000 penalty — the maximum then available under the Data Protection Act 1998, which predated GDPR — for failing to protect the personal data of 15.2 million UK citizens.

Executive Accountability

CEO Richard Smith resigned on September 26, 2017. The CIO and CSO left within days of the public disclosure.

Jun Ying, who was CIO of a US division, was sentenced to four months in federal prison and fined $55,000 after pleading guilty to insider trading. He had sold Equifax stock options worth approximately $950,000 after learning internally of the breach but before the public announcement.

Downstream Regulatory Effects

The breach directly influenced several subsequent regulatory developments. California's Consumer Privacy Act of 2018 significantly expanded consumer data rights, in part as a response to the scale of the Equifax exposure. The Economic Growth, Regulatory Relief, and Consumer Protection Act required all three major credit bureaus to offer free credit freezes. The SEC strengthened its guidance on cybersecurity disclosure obligations for public companies.


What Your Program Needs

Each of the five failures maps to controls that are required, not optional, in the frameworks most compliance programs target. This is not about adding new requirements — it is about treating existing requirements as operational realities rather than checkbox exercises.

Asset inventory as a security input. Vulnerability management only works if every asset in scope is known to the scanner. Automated discovery tools (network scanners, cloud asset inventories, agent-based discovery) should cross-reference against your vulnerability scanning scope on a defined cycle. Gaps between the two lists are your blind spots.
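
Added example (not the article's or any vendor's code) for the reconciliation described here and in Failure 1: a discovery inventory is checked against scanner state and the result is grouped into the gap types that make blind spots, assets the scanner never had in scope, assets in scope whose last scan silently failed, and stale scans. Hostnames, IPs, scan records and the 30-day window are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed discovery output: what actually exists on the network.
INVENTORY = {
    "acis-web-01": {"ip": "10.1.1.10", "internet_facing": True},
    "acis-web-02": {"ip": "10.1.1.11", "internet_facing": True},
    "hr-portal":   {"ip": "10.2.0.5",  "internet_facing": False},
    "disp-db-01":  {"ip": "10.3.0.20", "internet_facing": False},
}

# Constructed scanner state: in-scope targets and how their last scan ended.
SCAN_STATE = {
    "acis-web-01": {"last_scan": "2017-03-11T02:00:00Z", "status": "ok"},
    "acis-web-02": {"last_scan": "2017-03-11T02:00:00Z", "status": "tls_error"},
    "hr-portal":   {"last_scan": "2017-01-02T02:00:00Z", "status": "ok"},
    "legacy-ftp":  {"last_scan": "2017-03-11T02:00:00Z", "status": "ok"},
}

MAX_SCAN_AGE = timedelta(days=30)  # assumed: matches a 30-day critical-patch window


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_blind_spots(inventory, scan_state, now):
    """Assets the scanner cannot be trusted to cover, grouped by why."""
    gaps = {"not_in_scope": [], "scan_failed": [], "scan_stale": []}
    for host in inventory:
        rec = scan_state.get(host)
        if rec is None:
            gaps["not_in_scope"].append(host)   # inventory knows it, the scanner does not
        elif rec["status"] != "ok":
            gaps["scan_failed"].append(host)    # in scope on paper, but the scan never completed
        elif now - parse_ts(rec["last_scan"]) > MAX_SCAN_AGE:
            gaps["scan_stale"].append(host)     # in scope, but outside the patch window
    # Targets the scanner has that discovery does not: decommissioned, or discovery is incomplete.
    gaps["unknown_target"] = sorted(set(scan_state) - set(inventory))
    return gaps


def exposed_blind_spots(inventory, gaps):
    """Internet-facing assets in any gap category: fix these first."""
    at_risk = {h for key in ("not_in_scope", "scan_failed", "scan_stale") for h in gaps[key]}
    return sorted(h for h in at_risk if inventory[h]["internet_facing"])


if __name__ == "__main__":
    gaps = find_blind_spots(INVENTORY, SCAN_STATE, parse_ts("2017-03-12T00:00:00Z"))
    for reason, hosts in gaps.items():
        print(f"{reason:15s} {hosts}")
    print("internet-facing blind spots:", exposed_blind_spots(INVENTORY, gaps))
```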

Certificate monitoring as a security control. TLS certificate expiry should trigger the same alert process as a failed backup or an access control change. The certificate manager should be owned by the security team, not just DevOps. Automate renewals where possible; for manual certificates, set alerts at 60 days and 30 days before expiry.
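
Added example (not from the article or any appliance vendor) covering the expiry alerting above and the monitoring gap of Failure 2: a tiered expiry check on the notAfter string that Python's ssl module returns from a live handshake, plus a health check over the inspection tool's own logs so that a run of decrypt failures or a window with no decrypted sessions raises an alert instead of passing silently. The log format, the sample lines and the fixed "now" are constructed.

```python
import re
import ssl
from datetime import datetime, timezone

NOW = datetime(2017, 7, 28, tzinfo=timezone.utc)  # constructed "current time" for the sample


def cert_expiry_alert(not_after, now=NOW):
    """Tiered alert for a certificate's notAfter (the string getpeercert() returns)."""
    days_left = (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / 86400
    if days_left < 0:
        return "expired"      # page security on-call: a monitoring control is down
    if days_left <= 30:
        return "due_30d"
    if days_left <= 60:
        return "due_60d"
    return "ok"


# Constructed log format for the inspection tool; real appliances differ.
LOG_RE = re.compile(r"^(\S+) inspect session=(\d+) decrypt=(ok|fail)(?: reason=(\S+))?")


def inspection_health(lines, max_fail_ratio=0.2):
    """Is the inspection tool actually seeing decrypted traffic? Silence is a failure."""
    ok = fail = 0
    reasons = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group(3) == "ok":
            ok += 1
        else:
            fail += 1
            reasons[m.group(4)] = reasons.get(m.group(4), 0) + 1
    alerts = []
    if ok == 0:
        alerts.append("no_decrypted_sessions")    # nothing inspected in the window
    elif fail / (ok + fail) > max_fail_ratio:
        alerts.append("decrypt_failure_rate")
    if "cert_expired" in reasons:
        alerts.append("inspection_cert_expired")  # the monitoring control itself is down
    return {"ok": ok, "fail": fail, "reasons": reasons, "alerts": alerts}


# Constructed sample: what the log looks like once the tool's own certificate has lapsed.
SAMPLE_LOG = [
    "2017-07-28T10:00:01Z inspect session=101 decrypt=fail reason=cert_expired",
    "2017-07-28T10:00:02Z inspect session=102 decrypt=fail reason=cert_expired",
    "2017-07-28T10:00:03Z inspect session=103 decrypt=fail reason=cert_expired",
    "2017-07-28T10:00:04Z heartbeat ok",
]

if __name__ == "__main__":
    print(cert_expiry_alert("Oct 29 12:00:00 2016 GMT"))
    print(inspection_health(SAMPLE_LOG))
```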

Data flow mapping before segmentation. Network segmentation without a data flow map produces the wrong segments. Map which systems process sensitive data, which systems need to query which others, and why. Segment at the boundaries of those legitimate flows. Web applications that serve public requests should not have direct query access to bulk consumer databases.
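
Added example (not from the article) for the mapping step above and the flat-network problem of Failure 3: the data-flow map is expressed as allowed (source zone, destination zone, port) flows and used two ways, to compute which zones one compromised web-tier host can reach under a flat policy versus the map, and to flag observed flows the map does not justify. Zone names, flows and connection records are constructed.

```python
from collections import deque

# Constructed zones for a dispute-portal style deployment.
ZONES = ["internet", "web-dmz", "app", "dispute-db", "bulk-consumer-db", "hr", "mgmt"]

# Constructed data-flow map: every (src zone, dst zone, port) the business actually needs.
DATA_FLOW_MAP = {
    ("internet", "web-dmz", 443),
    ("web-dmz", "app", 8443),
    ("app", "dispute-db", 5432),
    ("mgmt", "web-dmz", 22), ("mgmt", "app", 22), ("mgmt", "dispute-db", 5432),
}


def flat_policy(zones):
    """No segmentation: any zone to any zone on any port (None = wildcard port)."""
    return {(s, d, None) for s in zones for d in zones if s != d}


def allowed(policy, src, dst, port):
    return (src, dst, port) in policy or (src, dst, None) in policy


def reachable_zones(policy, start):
    """Zones reachable from `start` by chaining permitted flows: the blast radius of one foothold."""
    edges = {(s, d) for s, d, _ in policy}
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for s, d in edges:
            if s == cur and d not in seen:
                seen.add(d)
                queue.append(d)
    return sorted(seen - {start})


# Constructed zone-resolved flow records (what VPC flow logs or a firewall would show).
OBSERVED = [
    {"src": "web-dmz", "dst": "app", "port": 8443},
    {"src": "web-dmz", "dst": "bulk-consumer-db", "port": 5432},
    {"src": "web-dmz", "dst": "hr", "port": 445},
    {"src": "app", "dst": "dispute-db", "port": 5432},
]


def violations(policy, observed):
    """Observed flows the data-flow map does not justify: candidates for a deny rule."""
    return [f for f in observed if not allowed(policy, f["src"], f["dst"], f["port"])]


if __name__ == "__main__":
    print("flat:      ", reachable_zones(flat_policy(ZONES), "web-dmz"))
    print("segmented: ", reachable_zones(DATA_FLOW_MAP, "web-dmz"))
    print("violations:", violations(DATA_FLOW_MAP, OBSERVED))
```

Under the flat policy the same observed flows produce no violations at all, which is exactly why a flat network cannot tell an attacker's lateral movement from normal traffic.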

Retention schedules with automated deletion. Define maximum retention by data category. Automate the deletion. Audit the automation quarterly. Data that no longer exists creates no liability.

Security reporting to the CEO or board. The CISO's reporting line is a governance decision that determines whether security risks surface to decision-makers. If the CISO reports to the CLO, security risks compete with legal risks for the CLO's attention before reaching the CEO. That competition has a predictable outcome. Quarterly board-level security briefings — with specific metrics, not summaries — are the minimum for a functional governance structure.


Frequently Asked Questions

How many people were affected by the Equifax breach? Equifax's original disclosure stated approximately 143 million U.S. consumers. That figure was later revised to approximately 147.9 million Americans. The breach also exposed personal data of 15.2 million UK citizens and approximately 19,000 Canadians.

What was the exact root cause? The NVD entry for CVE-2017-5638 describes the flaw: incorrect exception handling in Apache Struts 2's Jakarta Multipart parser allowed remote command execution via a crafted Content-Type HTTP header. The deeper root cause was that the system running the vulnerable version was excluded from Equifax's vulnerability scans because an SSL certificate on the inspection tool had expired nine months earlier.
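
Added example (not from the article or NVD): a defender-side log check for the crafted header that CVE-2017-5638 relies on. It percent-decodes each request's Content-Type, flags expression markers, and also flags any value that is not a syntactically valid media type, which catches variants a marker signature misses. The log format (combined log with Content-Type as the last quoted field) and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed log format: combined log with the request Content-Type as a final quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)
# A syntactically valid media type with optional parameters (RFC 7231 shape, simplified).
MEDIA_TYPE_RE = re.compile(
    r'^[\w.+-]+/[\w.+-]+(?:\s*;\s*[\w.-]+=(?:"[^"]*"|[^;\s"]+))*\s*$'
)
# Expression markers that never belong in a media-type value.
EXPR_MARKER = re.compile(r"[%$]\{")


def classify_content_type(value):
    """ok | expression_marker | malformed, after percent-decoding the value once."""
    if value in ("", "-"):
        return "ok"                       # no body, no header: nothing to judge
    decoded = unquote(value)
    if EXPR_MARKER.search(decoded):
        return "expression_marker"
    if not MEDIA_TYPE_RE.match(decoded):
        return "malformed"                # not an expression, but not a media type either
    return "ok"


def scan_access_log(lines):
    """Return one finding per request whose Content-Type is not a plain media type."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify_content_type(m["ctype"])
        if verdict != "ok":
            findings.append({"ip": m["ip"], "ts": m["ts"], "verdict": verdict, "ctype": m["ctype"]})
    return findings


# Constructed sample lines: one normal upload, two expression attempts (plain and
# percent-encoded), and one malformed value.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2017:14:32:01 +0000] "POST /dispute.action HTTP/1.1" 200 512 '
    '"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '10.0.0.9 - - [12/May/2017:14:33:07 +0000] "POST /dispute.action HTTP/1.1" 200 77 '
    '"%{(#demo=1)}"',
    '10.0.0.9 - - [12/May/2017:14:33:09 +0000] "POST /dispute.action HTTP/1.1" 200 77 '
    '"%25%7B(%23demo%3D2)%7D"',
    '10.0.0.7 - - [12/May/2017:14:35:00 +0000] "POST /dispute.action HTTP/1.1" 500 0 '
    '"text/plain; charset"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["verdict"], f["ctype"])
```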

Could the same pattern affect a smaller organization? The specific conditions — an enterprise-scale flat network, a nine-month-expired inspection certificate, and an unknown asset — are not exclusive to large organizations. Smaller teams often have fewer dedicated security staff to catch these gaps, not fewer gaps. The controls that would have prevented this breach (asset inventory, certificate lifecycle management, network segmentation, data minimization, and executive accountability) are achievable at any scale.

Which frameworks directly address the five failures? SOC 2, PCI DSS v4.0, ISO 27001:2022, and NIST CSF 2.0 all address all five failure categories. The specific controls are: CC7.1/CC7.2 (SOC 2 monitoring), PCI DSS 6.3.3 and 12.5.1 (patch management and asset inventory), ISO 27001 A.8.8 and A.8.22 (vulnerability management and network segmentation), NIST CSF ID.AM-1 and PR.AC-5 (asset management and network integrity). The failure was not that these frameworks did not exist — it was that Equifax did not enforce them operationally.

What happened to Equifax after the breach? Equifax hired a new CISO reporting directly to the CEO, migrated infrastructure to Google Cloud Platform, achieved ISO 27001 certification, and established a dedicated cybersecurity committee at the board level. The company has publicly disclosed ongoing security investment since 2018. None of this prevented the breach; it is the cost of not doing it before.


Sources

  1. National Vulnerability Database, "CVE-2017-5638 Detail," accessed 2026-05-12. https://nvd.nist.gov/vuln/detail/CVE-2017-5638
  2. U.S. House Committee on Oversight and Government Reform, "The Equifax Data Breach," December 2018. https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf
  3. U.S. Senate Permanent Subcommittee on Investigations, "How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach," March 2019. https://www.hsgac.senate.gov/equifax-how-one-of-americas-largest-credit-bureaus-neglected-data-security-and-the-public-interest/
  4. FTC, "Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach," July 22, 2019. https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach
  5. UK Financial Conduct Authority, "FCA fines Equifax Ltd over £11 million for cyber security failure," accessed 2026-05-12. https://www.fca.org.uk/news/press-releases/fca-fines-equifax-ltd-over-11-million-cyber-security-failure
  6. Equifax Inc., Form 8-K, September 7, 2017. https://www.sec.gov/Archives/edgar/data/33185/000003318517000028/0000033185-17-000028-index.htm
  7. Equifax press release, "Equifax Announces Cybersecurity Incident Involving Consumer Information," September 7, 2017. https://www.prnewswire.com/news-releases/equifax-announces-cybersecurity-incident-involving-consumer-information-300515960.html
  8. PCI Security Standards Council, PCI DSS v4.0, March 2022. https://www.pcisecuritystandards.org/documents/PCI_DSS_v4_0.pdf
  9. NIST, Special Publication 800-53 Rev 5, "Security and Privacy Controls for Information Systems and Organizations," September 2020. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  10. NIST, "Cybersecurity Framework 2.0," February 2024. https://www.nist.gov/cyberframework
  11. ISO, "ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection," accessed 2026-05-12. https://www.iso.org/standard/27001
  12. AICPA, "SOC 2 — SOC for Service Organizations: Trust Services Criteria," accessed 2026-05-12. https://www.aicpa-cima.com/resources/article/soc-2-overview
  13. California Office of the Attorney General, "California Consumer Privacy Act (CCPA)," accessed 2026-05-12. https://oag.ca.gov/privacy/ccpa
  14. U.S. Congress, S.2155, "Economic Growth, Regulatory Relief, and Consumer Protection Act," 115th Congress. https://www.congress.gov/bill/115th-congress/senate-bill/2155

Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.