147 Million Americans: The Equifax Catastrophe

The Equifax Breach: 147 Million Americans

There is a company you have never chosen to do business with that knows your Social Security number, your date of birth, every address you have lived at, every credit account you have ever opened, every late payment you have ever made, and the precise numerical score used to determine whether you can rent an apartment, buy a car, or secure a mortgage.

Equifax is a credit reporting bureau — one of three such companies in the United States that constitute an oligopoly over the financial life records of nearly every American adult. You did not consent to give Equifax your information. Banks, lenders, and creditors report it to Equifax automatically, by contract. Equifax collects it, processes it, and sells access to it. The data is extraordinarily valuable. It is also extraordinarily sensitive.

On September 7, 2017, Equifax announced that it had suffered a data breach. The number of Americans affected: 147.9 million — approximately 45% of the entire United States adult population.

Stolen: Social Security numbers. Dates of birth. Home addresses. Driver’s license numbers. In some cases, credit card numbers. The complete financial identity of half of America.

The method of intrusion: a known vulnerability in widely used open-source software, patched by the vendor two months before the breach, which Equifax’s security team had been notified about and had failed to patch.

The perpetrators: four members of the People’s Liberation Army’s Unit 54891, indicted by a federal grand jury in 2020.

The congressional testimony that followed: a procession of institutional security failures that took months to fully catalogue.

Threat Actor Profile: PLA Unit 54891

Designation: PLA Unit 54891; assessed to be affiliated with the People’s Liberation Army Strategic Support Force or the Ministry of State Security’s technical research component
Attribution: US Department of Justice indictment, February 10, 2020, naming Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei as members of Unit 54891 responsible for the Equifax breach
Origin: People’s Republic of China; military unit
Primary Mission: Large-scale collection of sensitive personal information on American citizens for Chinese intelligence purposes; financial data and PII collection to complement personnel intelligence operations
Known Tradecraft: Exploitation of publicly known vulnerabilities in web-facing applications, VPN tunneling through 20 countries to obscure traffic origin, wiping access logs, systematic database enumeration and bulk exfiltration

Notorious Operations:

  • Equifax (2017): The breach described here — the largest theft of American consumer financial data ever attributed to a nation-state actor.
  • OPM-related campaign context (2014–2015): Unit 54891 is assessed to be part of the broader Chinese intelligence apparatus that conducted the OPM breach — the same pattern of collecting comprehensive personal dossiers on American citizens, this time targeting financial rather than government employment data.
  • Marriott/Starwood (attributed 2018): A related campaign attributed to Chinese state actors targeting hotel reservation data — complementing financial and government personnel data in a comprehensive American citizen intelligence collection effort.

The Vulnerability: A Patch That Wasn’t Applied

The story of the Equifax breach begins not on the day of the attack but on March 7, 2017 — two months before the intrusion — when the Apache Software Foundation published a security advisory for CVE-2017-5638.

Apache Struts is an open-source Java web framework used by thousands of enterprise organizations worldwide — including Equifax, which used it to power a consumer-facing online dispute resolution portal. CVE-2017-5638 was a critical vulnerability in Struts’ handling of the Content-Type header in file upload requests. An attacker could craft a malicious HTTP request with a specially formed Content-Type value and achieve remote code execution on the server — no authentication required, no user interaction, a single HTTP request.

The severity was rated maximum (CVSS 10.0). The Apache Software Foundation urged immediate patching. The US Computer Emergency Readiness Team (US-CERT) issued an alert.
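The defensive counterpart to a malformed Content-Type header is to refuse it before any framework parser sees it. The following is an added example, not code from the page, from Equifax or from Apache Struts: a strict media-type validator built on the RFC 7231 grammar; the allow-list, the length cap and the sample requests are assumptions.

```python
import re

# Media-type grammar (RFC 7231 s3.1.1.1, tokens per RFC 7230 s3.2.6):
#   type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
# Braces, parentheses, '=' and whitespace are not token characters, so any
# expression-language syntax embedded in the header fails the grammar outright.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\x7f]|\\[\x00-\x7f])*"'
_PARAM = rf"\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^({_TOKEN})/({_TOKEN})(?:{_PARAM})*\s*$")

# Assumed policy for an upload endpoint: only these media types make sense there.
ALLOWED_TYPES = frozenset({"multipart/form-data", "application/x-www-form-urlencoded"})
MAX_HEADER_LEN = 256  # assumed cap; legitimate Content-Type values are far shorter

def validate_content_type(header, allowed=ALLOWED_TYPES):
    """Return (accepted, reason). Meant to run before any framework parser sees the header."""
    if len(header) > MAX_HEADER_LEN:
        return False, "header too long"
    m = _MEDIA_TYPE.match(header)
    if m is None:
        return False, "not a syntactically valid media type"
    media_type = f"{m.group(1)}/{m.group(2)}".lower()
    if media_type not in allowed:
        return False, f"{media_type} not allowed on this endpoint"
    if media_type == "multipart/form-data" and "boundary=" not in header.lower():
        return False, "multipart/form-data requires a boundary parameter"
    return True, "ok"

def filter_requests(requests):
    """Apply the check to (request_id, content_type) pairs; return rejected ids with reasons."""
    rejected = []
    for rid, content_type in requests:
        accepted, reason = validate_content_type(content_type)
        if not accepted:
            rejected.append((rid, reason))
    return rejected

# Constructed sample traffic. r3 is a stand-in shaped like an expression, not a real
# payload: the point is that '{' and '}' can never appear in a well-formed media type.
SAMPLE_REQUESTS = [
    ("r1", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("r2", 'Multipart/Form-Data; boundary="quoted boundary is fine"'),
    ("r3", "%{1+1}multipart/form-data"),
    ("r4", "text/plain"),
    ("r5", "multipart/form-data"),
]

if __name__ == "__main__":
    for rid, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"rejected {rid}: {reason}")
```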

Equifax received the alert. Its security team identified Struts as a component in its technology stack. They conducted a scan to identify affected systems.

The scan missed the vulnerable web portal.

This was not a sophisticated attack. It was not a novel technique. It was not a zero-day discovered by a sophisticated nation-state research team. It was a publicly known, publicly documented, widely publicized critical vulnerability that thousands of organizations had already patched by the time Equifax’s systems were compromised.

The gap between the patch release and Equifax’s breach: 78 days.

The Intrusion: Nine Weeks of Silence

The attackers entered Equifax’s systems on May 13, 2017. They would remain inside, undetected, until July 29, 2017 — a dwell time of seventy-eight days during which they systematically mapped the company’s databases, ran queries against them, and exfiltrated their contents.

The technique was methodical:

Initial Access: Exploit CVE-2017-5638 against Equifax’s online dispute portal to achieve remote code execution on the web server.

Reconnaissance: Enumerate the internal network from the compromised web server. Map database connections. Identify what data stores are accessible.

Database Queries: Run approximately 9,000 queries against Equifax’s databases over the course of the intrusion. Each query harvested a specific slice of data: Social Security numbers for one state, dates of birth for another, addresses across a third.

Exfiltration: The attackers routed their exfiltration traffic through 20 different countries using VPN endpoints, deliberately making attribution difficult. Data left Equifax’s network in encrypted form, disguised as legitimate traffic.

Log Erasure: Equifax’s security monitoring of SSL-encrypted traffic was limited because a digital certificate required to inspect that traffic had expired ten months earlier. The security team could not see inside the encrypted exfiltration channels. When the attackers wiped their access logs as a counter-forensic measure, they were erasing evidence that the monitoring system had already been blind to.

The expired certificate was a central detail in subsequent congressional criticism. Security tools designed to inspect traffic for threats had been running in a degraded state for nearly a year. No one had noticed.

July 29, 2017: A security analyst noticed that a digital certificate had expired and re-enabled the SSL inspection capability. Within hours, the monitoring system detected the suspicious traffic that had been invisible for seventy-eight days. The breach was finally discovered.

The Institutional Failures: A Catalogue of Neglect

Congressional hearings that followed the Equifax disclosure produced a detailed accounting of the systemic failures that enabled the breach. They were numerous, overlapping, and, in several cases, had been previously identified in internal audits and not remediated.

The unpatched vulnerability: The Struts patch was not applied for seventy-eight days, despite internal security alerts and a US-CERT advisory. Post-breach investigation revealed that Equifax’s patch notification email went to a distribution list — and one person on the list was supposed to forward it to the relevant IT team. It did not happen.

Legacy architecture: The dispute portal that was compromised ran on infrastructure that was isolated from the rest of the Equifax network — but not properly segmented from the databases containing sensitive consumer data. The web application server, once compromised, had database access it should not have had.

The expired certificate: A security certificate required to enable SSL traffic inspection had expired ten months before the breach. The expiration had not been flagged or remediated. The monitoring system ran dark for nearly a year.

Inadequate monitoring: Equifax processed millions of data queries daily as part of normal operations. The 9,000 attacker queries ran against that background noise without triggering anomaly detection. There were no alerts on bulk data extraction.
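Detection logic of the kind this paragraph and the earlier "Database Queries" step call for, added here as an example and not Equifax's tooling: rather than one global threshold (which legitimate batch jobs would exceed daily), each database principal is baselined against its own history, so a portal service account that normally returns one record per query stands out the moment it pulls a state-sized slice or touches a table it has never used. Principals, hosts, tables, thresholds and the audit-log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines (not Equifax data): timestamp, DB principal, source host,
# table, rows returned. Hypothetical "portal_svc" serves a consumer-facing portal and
# legitimately fetches one consumer at a time; "report_batch" legitimately reads whole tables.
KNOWN_GOOD = """\
2017-04-02T10:00:01 portal_svc web01 dispute_case 1
2017-04-02T10:00:02 portal_svc web01 consumer_profile 1
2017-04-02T10:00:05 portal_svc web02 consumer_profile 2
2017-04-03T01:00:00 report_batch batch01 consumer_profile 250000
2017-04-03T01:05:00 report_batch batch01 credit_line 310000
""".splitlines()

UNDER_REVIEW = """\
2017-06-14T02:10:00 portal_svc web01 consumer_profile 1
2017-06-14T02:10:09 portal_svc web01 consumer_profile 48000
2017-06-14T02:12:40 portal_svc web01 credit_line 52000
2017-06-14T02:15:03 portal_svc web01 consumer_profile 1
2017-06-15T01:00:00 report_batch batch01 consumer_profile 255000
""".splitlines()

def parse(line):
    ts, principal, host, table, rows = line.split()
    return datetime.fromisoformat(ts), principal, host, table, int(rows)

def build_baseline(lines):
    """Per principal: peak rows returned by one query, and the set of tables it normally touches."""
    peak, tables = defaultdict(int), defaultdict(set)
    for _, principal, _, table, rows in map(parse, lines):
        peak[principal] = max(peak[principal], rows)
        tables[principal].add(table)
    return {p: (peak[p], frozenset(tables[p])) for p in peak}

def detect_bulk_extraction(lines, baseline, factor=100):
    """Flag reads that are bulk relative to THIS principal's own history, or that touch
    tables it has never used; a global threshold would drown in legitimate batch traffic."""
    alerts = []
    for ts, principal, host, table, rows in map(parse, lines):
        peak, known_tables = baseline.get(principal, (0, frozenset()))
        if rows > factor * max(peak, 1):
            alerts.append((ts.isoformat(), principal, "bulk_read", f"{rows} rows from {table} via {host}"))
        if table not in known_tables:
            alerts.append((ts.isoformat(), principal, "unfamiliar_table", f"{table} via {host}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_extraction(UNDER_REVIEW, build_baseline(KNOWN_GOOD)):
        print(*alert)
```

The nightly 255,000-row read by report_batch stays silent because it is ordinary for that principal; the same volume from portal_svc would fire twice.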

Cleartext data storage: Portions of the sensitive data accessed by the attackers were stored in ways that the Congressional investigators described as insufficiently protected for data of that sensitivity.

Response delay: When the breach was discovered on July 29, Equifax did not publicly disclose it until September 7 — forty days later. During that period, three senior Equifax executives, including the Chief Financial Officer, sold company stock worth a combined $1.8 million. The DOJ ultimately declined to prosecute the executives for insider trading, finding insufficient evidence of foreknowledge of the breach at the time of the sales — a conclusion that was itself contested.

The Aftermath: Half of America on Notice

Equifax established a dedicated breach response website and offered affected individuals free credit monitoring. The website itself was initially plagued by technical problems and, at one point, Equifax’s own social media accounts mistakenly directed users to a security researcher’s phishing demonstration site — an error so embarrassing it became a case study in post-breach communication failure.

The regulatory and legal fallout accumulated over years:

$575 million settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 state attorneys general — at the time the largest data breach settlement in history. Equifax agreed to fund a $300 million victim compensation fund and implement substantial security improvements.

$380.5 million in consumer compensation from a broader class action settlement.

Congressional testimony by Equifax CEO Richard Smith, who had retired three weeks after the breach announcement, produced a memorable exchange when Senator Orrin Hatch asked how Equifax’s free service made money:

“Senator, we’re in a data business.”

The DOJ indictment of four PLA Unit 54891 members in February 2020 — Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei — charged them with computer fraud, economic espionage, and wire fraud. As with virtually all indictments of Chinese military hackers, the defendants remain in China and are not expected to face trial.

For the 147.9 million affected individuals: credit freezes became the only reliable defensive measure. Equifax offered free freezes. So, subsequently, did the three credit bureaus collectively, under regulatory pressure. Millions of Americans placed freezes on their credit files — a practical acknowledgment that their financial identity data could no longer be assumed uncompromised.

The data stolen — Social Security numbers and dates of birth in particular — cannot be changed. There is no “patch” for having your SSN exposed. The individuals affected carry that exposure permanently.

The four PLA officers remain unaccountable. The data remains in China.


Attack Chain: Equifax Breach — PLA Unit 54891

graph TD
    A["🇨🇳 PLA Unit 54891\nWu Zhiyong + Wang Qian\nXu Ke + Liu Lei"] --> B["Target Selection:\nEquifax — 147.9M Americans'\nFinancial Identity Data"]

    B --> C["Reconnaissance\nEquifax Web Properties\nApache Struts Version Fingerprinting"]

    C --> D["Vulnerability: CVE-2017-5638\nApache Struts — Content-Type RCE\nCVSS 10.0 — March 7, 2017 Patch Released"]

    D --> E["Equifax Receives US-CERT Alert\nMarch 2017\nInternal Scan — Misses Vulnerable Portal"]

    D --> F["Exploit CVE-2017-5638\nMay 13, 2017\nOnline Dispute Portal\nSingle HTTP Request → RCE"]

    F --> G["Web Server Compromised\nEquifax Dispute Portal\n(Java App Server)"]

    G --> H["Internal Network Reconnaissance\nDatabase Connection Enumeration\nInsufficient Network Segmentation"]

    H --> I["Database Access\n~9,000 Queries Over 78 Days"]

    I --> I1["Social Security Numbers\n143.5M+ Americans"]
    I --> I2["Birth Dates — 147.9M"]
    I --> I3["Home Addresses — 147.9M"]
    I --> I4["Driver's License Numbers — 17.6M"]
    I --> I5["Credit Card Numbers — 209,000"]

    I1 --> J["Data Staging + Exfiltration"]
    I2 --> J
    I3 --> J
    I4 --> J
    I5 --> J

    J --> K["Traffic Routed Through\n20 Countries via VPN\nDeliberate Attribution Obfuscation"]
    K --> L["Encrypted Exfiltration\nBlind Spot: SSL Cert Expired\n10 Months Prior — Monitoring Off"]

    L --> M["Attackers Wipe Access Logs\nCounter-Forensic Measures"]

    M --> N["78 Days Undetected\nMay 13 → July 29, 2017"]
    N --> O["July 29: Analyst Renews\nExpired SSL Certificate\nMonitoring Re-Enabled\nSuspicious Traffic Detected"]

    O --> P["Breach Discovered\nJuly 29, 2017"]
    P --> Q["September 7, 2017:\nPublic Disclosure\n40-Day Delay"]

    Q --> R["🔴 147.9M Americans Notified\n45% of US Adult Population"]
    Q --> S["3 Equifax Executives Sell\n$1.8M in Stock\nDOJ Declines to Prosecute"]

    R --> T["FTC + CFPB Settlement:\n$575M (Largest Breach Settlement)"]
    R --> U["Class Action:\n$380.5M Consumer Fund"]
    R --> V["Richard Smith (CEO) Testimony:\n'We're in a data business'"]

    A --> W["DOJ Indictment:\nWu Zhiyong, Wang Qian\nXu Ke, Liu Lei\nFebruary 2020"]
    W --> X["🇨🇳 Defendants in China\nNo Extradition\nNo Trial Expected"]