The Equifax Breach
The Patch That Was Never Applied
A critical vulnerability was disclosed in Apache Struts — a piece of open-source software running inside one of the largest repositories of consumer financial data on Earth. The severity score was 10 out of 10. A patch was released the next day. The Department of Homeland Security sent Equifax a direct alert. Equifax’s own security team emailed more than four hundred employees, setting a forty-eight-hour remediation deadline.
The patch was never applied. Two months later, attackers walked through the door — and spent seventy-six days inside.
What the episode covers
The full 2017 Equifax breach — from the OGNL injection mechanism that turned a text field into a command line, to the vulnerability scanner that checked the wrong directories, to the SSL inspection appliance that had been blind for over a year because nobody renewed a certificate. The breach response that created a fake-looking real website, buried an arbitration clause in the credit monitoring terms, and issued sequential PINs that anyone could guess. The insider trading convictions. And the 2020 federal indictment that revealed the attackers were four members of the Chinese military — and that the stolen data was never sold. It was intelligence.
The part the episode couldn’t go deeper on
Equifax is not a service you sign up for. Banks, lenders, landlords, and employers report your financial activity to Equifax as part of the system’s infrastructure. You did not choose this relationship. You cannot leave it. There is no alternative provider you can switch to, no account you can close, no terms of service you agreed to and can revoke.
Before 2017, freezing your credit report cost money in most states — you had to pay the company that lost your data for the privilege of locking it down. The Equifax breach changed that. The Economic Growth, Regulatory Relief, and Consumer Protection Act, signed in May 2018, made credit freezes free nationwide. That was a direct legislative consequence of the breach.
But the underlying structure hasn’t changed. Equifax still collects your data without your consent. It still sells access to your credit profile to any institution with a permissible purpose. The 2019 settlement required Equifax to implement a comprehensive information security programme with third-party assessments every two years — controls that had been available, documented, and recommended before the breach occurred, the earliest of them by nearly a decade.
The fundamental question isn’t whether Equifax’s security has improved. It probably has. The question is whether an organisation that holds the data that defines your financial identity — collected without your consent, stored without your control — should be allowed to operate without your explicit, revocable permission. That question remains unanswered.
Technical breakdown
The full technical breakdown — the complete attack timeline, the OGNL injection mechanism, the expired certificate blind spot, every missing control with its pre-breach availability date, and the intelligence mosaic connecting Equifax to the OPM, Anthem, and Marriott breaches — is available as a free downloadable PDF.
