the 1970s, was running a version of Apache Struts containing the vulnerability. Equifax did not patch the Apache Struts software located within ACIS, leaving its systems and data exposed.

On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days. The attackers dropped “web shells” (a web-based backdoor) to obtain remote control over Equifax’s network. They found a file containing unencrypted credentials (usernames and passwords), enabling the attackers to access sensitive data outside of the ACIS environment. The attackers were able to use these credentials to access 48 unrelated databases.

Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times. The attackers transferred this data out of the Equifax environment, unbeknownst to Equifax. Equifax did not see the data exfiltration because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired security certificate. On July 29, 2017, Equifax updated the expired certificate and immediately noticed suspicious web traffic.
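The pattern described above, one set of credentials used to query many unrelated databases, is something a database audit trail can surface. The following is an added example, not part of the report and not Equifax's own tooling: it parses constructed audit lines in a simple key=value format (the format, the account names and the threshold are all assumptions for illustration) and flags any account whose queries fan out across more distinct databases than a per-account baseline allows.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// QueryEvent is one parsed database audit record.
// The line format is constructed for this example, not a vendor's real audit format.
type QueryEvent struct {
	Time string
	User string
	DB   string
}

// ParseAuditLine parses a line such as
// "2017-05-20T02:13:05Z user=svc_acis db=db07 rows=120" into a QueryEvent.
// It returns false when the line lacks a user or database field.
func ParseAuditLine(line string) (QueryEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return QueryEvent{}, false
	}
	ev := QueryEvent{Time: fields[0]}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "user":
			ev.User = kv[1]
		case "db":
			ev.DB = kv[1]
		}
	}
	return ev, ev.User != "" && ev.DB != ""
}

// Alert describes one account that touched more distinct databases than its baseline allows.
type Alert struct {
	User     string
	Queries  int
	Distinct int
}

// DetectDatabaseSpread groups audit lines by account and flags any account that queried
// more than maxDBs distinct databases. maxDBs is an assumed baseline to be tuned per account;
// an application account normally has a small, fixed set of databases it should ever reach.
func DetectDatabaseSpread(lines []string, maxDBs int) []Alert {
	queries := map[string]int{}
	dbs := map[string]map[string]bool{}
	for _, l := range lines {
		ev, ok := ParseAuditLine(l)
		if !ok {
			continue
		}
		queries[ev.User]++
		if dbs[ev.User] == nil {
			dbs[ev.User] = map[string]bool{}
		}
		dbs[ev.User][ev.DB] = true
	}
	var alerts []Alert
	for user, set := range dbs {
		if len(set) > maxDBs {
			alerts = append(alerts, Alert{User: user, Queries: queries[user], Distinct: len(set)})
		}
	}
	// Deterministic output order for reporting and testing.
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// SampleAudit is a constructed log: one application account that stays inside its own
// database, and one misused account that fans out across twelve unrelated databases.
var SampleAudit = func() []string {
	var lines []string
	for i := 0; i < 20; i++ {
		lines = append(lines, fmt.Sprintf("2017-05-20T01:%02d:00Z user=svc_web db=acis_main rows=1", i))
	}
	for i := 1; i <= 12; i++ {
		lines = append(lines, fmt.Sprintf("2017-05-20T02:%02d:00Z user=svc_acis db=db%02d rows=500", i, i))
	}
	lines = append(lines, "malformed line without fields")
	return lines
}()

func main() {
	for _, a := range DetectDatabaseSpread(SampleAudit, 3) {
		fmt.Printf("ALERT account %s issued %d queries across %d distinct databases\n",
			a.User, a.Queries, a.Distinct)
	}
}
```

The distinct-database count, not the raw query volume, is the signal here: a busy application account legitimately issues thousands of queries, but only against the databases it was provisioned for.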
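Two controls follow directly from the failure described above: certificates on inspection devices must be inventoried and checked for expiry ahead of time, and a sensor that stops producing events must itself raise an alarm rather than be read as "nothing to report". The following is an added example, not from the report and not Equifax's tooling: it generates self-signed test certificates so that it runs offline (the device names, the 30-day renewal window and the 24-hour silence threshold are assumptions for illustration), assesses each against a reference date, and applies a dead-man check to the sensor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertStatus summarises one certificate installed on a monitoring device.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int  // negative once the certificate has expired
	Expired  bool
	Warn     bool // still valid but inside the renewal window
}

// AssessCert parses a DER-encoded certificate and reports its validity relative to now.
// warnDays is the renewal window, an assumed operational policy rather than a value from the report.
func AssessCert(der []byte, now time.Time, warnDays int) (CertStatus, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertStatus{}, err
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	expired := now.After(cert.NotAfter)
	return CertStatus{
		Subject:  cert.Subject.CommonName,
		NotAfter: cert.NotAfter,
		DaysLeft: days,
		Expired:  expired,
		Warn:     !expired && days <= warnDays,
	}, nil
}

// SensorSilent reports whether a monitoring sensor has produced no events for longer than maxGap.
// Silence is treated as a sensor failure that needs investigation, never as an all-clear.
func SensorSilent(lastEvent, now time.Time, maxGap time.Duration) bool {
	return now.Sub(lastEvent) > maxGap
}

// NewTestCert builds a self-signed certificate with the given validity window. It exists only
// so the example runs offline; the common names used with it are constructed, not real devices.
func NewTestCert(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Date(2017, 7, 29, 0, 0, 0, 0, time.UTC)
	// Constructed inventory: one certificate that expired 19 months ago, one inside the renewal window.
	inventory := map[string][2]time.Time{
		"acis-inspection.example": {now.AddDate(-3, 0, 0), now.AddDate(0, -19, 0)},
		"edge-proxy.example":      {now.AddDate(-1, 0, 0), now.AddDate(0, 0, 10)},
	}
	for cn, window := range inventory {
		der, err := NewTestCert(cn, window[0], window[1])
		if err != nil {
			panic(err)
		}
		st, err := AssessCert(der, now, 30)
		if err != nil {
			panic(err)
		}
		switch {
		case st.Expired:
			fmt.Printf("CRITICAL %s expired on %s (%d days ago)\n",
				st.Subject, st.NotAfter.Format("2006-01-02"), -st.DaysLeft)
		case st.Warn:
			fmt.Printf("WARNING  %s expires in %d days\n", st.Subject, st.DaysLeft)
		default:
			fmt.Printf("OK       %s\n", st.Subject)
		}
	}
	// Dead-man check on the sensor itself: its last event predates the certificate expiry.
	lastEvent := now.AddDate(0, -19, 0)
	fmt.Println("sensor silent:", SensorSilent(lastEvent, now, 24*time.Hour))
}
```

The expiry check alone would have fired long before the 19-month gap; the sensor-silence check catches the broader class of failure where a monitoring device stops working for any reason at all.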
After updating the security certificate, Equifax employees identified suspicious traffic from an IP address originating in China. The suspicious traffic exiting the ACIS application potentially contained image files related to consumer credit investigations. Equifax discovered it was under active attack and immediately launched an incident response effort.

On July 30, Equifax identified several ACIS code vulnerabilities. Equifax noticed additional suspicious traffic from a second IP address owned by a German ISP, but leased to a Chinese provider. These red flags caused Equifax to shut down the ACIS web portal for emergency maintenance. The cyberattack concluded when ACIS was taken offline.

On July 31, Chief Information Officer (CIO) David Webb informed Richard Smith of the cyber incident. Equifax suspected the attackers exploited the Apache Struts vulnerability during the data breach. On August 2, Equifax engaged the cybersecurity firm Mandiant to conduct an extensive forensic investigation. Equifax also contacted outside counsel and the Federal Bureau of Investigation to alert them to the cyber incident.

By late August 2017, Mandiant confirmed attackers accessed a significant volume of consumer PII. Equifax launched an effort to prepare for public notice of the breach. As part of this effort, Equifax created a website for individuals to find out whether they were affected by the data breach and, if so, to register for credit monitoring and identity theft services. Equifax also began efforts to stand up a call center capability staffed by 1,500 temporary employees. On September 4, Equifax and Mandiant completed a list of 143 million consumers affected by the data breach, a number that would later grow to 148 million.

When Equifax informed the public of the breach on September 7, the company was unprepared to support the large number of affected consumers. The dedicated breach website and call centers were immediately overwhelmed, and consumers were not able to obtain timely information about whether they were affected and how they could obtain identity protection services.