Equifax Breach Exposed Data on Nearly 148 Million People After Unpatched Apache Struts Flaw
Equifax disclosed that attackers exploited an unpatched Apache Struts vulnerability, CVE-2017-5638, in a public-facing dispute portal and stole highly sensitive consumer data including names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers and credit card data. Subsequent forensic reviews expanded the scope from the initial 143 million victims to roughly 145.5 million Americans, with later reporting putting the total at 147.7 million, while also identifying about 200,000 payment cards, 10.9 million driver's licenses, and smaller numbers of affected consumers in Canada and the UK. Government and media reporting said the attackers moved beyond the initial servers, accessed dozens of databases, and remained inside Equifax's network for weeks before discovery.
The breach drew intense scrutiny because the Struts flaw had been publicly disclosed and patched months earlier, yet Equifax failed to remediate it despite internal and external warnings about weak security. Reports described broader security shortcomings, including poor patching, outdated systems, weak logging, and a researcher warning that sensitive data was exposed on a public-facing site before the intrusion. Equifax's response also faced criticism after it delayed public disclosure, launched an unreliable breach-check website, and came under congressional examination over governance and accountability, while lawmakers and investigators pressed the company over how a preventable vulnerability led to one of the most damaging exposures of personal information in the United States.

How this story unfolded
32 events from the most recent confirmed update back to the earliest known activity.
UK FCA issues final notice and fine against Equifax Ltd
In 2023, the UK Financial Conduct Authority issued a final notice against Equifax Ltd over cybersecurity failures connected to the 2017 breach, imposing a financial penalty. This was a separate, later UK regulatory enforcement action, distinct from the earlier disclosures and investigations in the timeline.
DOJ indicts four PLA officers for Equifax breach
On February 10, 2020, the U.S. Department of Justice charged four members of China’s People’s Liberation Army over the 2017 Equifax breach. Officials said the state-sponsored attackers stole personal data on about 147 million Americans as well as Equifax trade secrets and proprietary database information.
FTC-backed Equifax settlement draws backlash over $125 cash claims
By September 2019, criticism mounted over the Equifax breach settlement after officials acknowledged that the fund for cash payments was too small to cover large numbers of claims for the advertised up-to-$125 option. Consumers were urged to choose free credit monitoring instead, and claimants seeking cash were told to verify existing monitoring by October 15, 2019, or risk denial.
Equifax reaches FTC-led global settlement over 2017 breach
Equifax agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories over the 2017 breach. The settlement provided for up to $425 million to help affected consumers, along with other relief and claims processes.
Reported affected total rises to 147.7 million Americans
One year after the breach, reporting cited the incident as affecting 147.7 million Americans. This reflected a later upward revision of the overall impact beyond the 145.5 million figure disclosed in October 2017.
GAO details attacker movement, dwell time, and data theft scope
By September 2018, a Government Accountability Office report described how attackers moved from three compromised servers to 48 more, remained in Equifax's network for 76 days, and extracted data from 51 databases. The report also said Equifax declined DHS assistance during the response and instead relied on a private cybersecurity firm.
Equifax says 2.4 million more Americans were affected
On March 2, 2018, Equifax disclosed that an additional 2.4 million U.S. consumers were impacted by the 2017 breach, raising the total to about 148 million. The company said it would directly notify the newly identified individuals and offer free identity theft protection and credit monitoring services.
Equifax raises Canadian victim count to more than 19,000
On November 28, 2017, Equifax Canada said further investigation showed more than 19,000 Canadians were affected by the 2017 breach, up from the roughly 8,000 previously reported. The company also said 11,670 Canadian credit cards were affected and that exposed data included names, addresses, card details, and Social Insurance Numbers.
Senate Commerce Committee holds new hearing on Equifax breach
On November 8, 2017, the U.S. Senate Commerce Committee held a hearing on consumer data security that included testimony from former Equifax CEO Richard Smith and interim CEO Paulino do Rego Barros Jr. Lawmakers questioned Equifax over the breach and the company said it was restructuring security oversight and developing an app for consumers to lock and unlock credit files.
Reporting reveals prior warning and broader security weaknesses
In late October 2017, reporting disclosed that Equifax had been warned months earlier about exposed sensitive data and vulnerable servers, and former employees described longstanding patching, logging, and legacy-system problems. The revelations suggested systemic security failures and possible multiple avenues of compromise.
Equifax says 10.9 million driver's license records were compromised
By October 11, Equifax disclosed that attackers had obtained driver's license data for about 10.9 million Americans. This clarified the scale of one of the data categories only partially described in the initial breach notice.
Equifax says 694,000 UK customers were affected
Equifax disclosed that about 694,000 UK customers were affected by the 2017 breach. The company said exposed UK data included phone numbers, driving licence details, and in some cases passwords and partial credit card information.
Congress examines Equifax breach in Senate hearing
US lawmakers held a Senate hearing on October 4, 2017, to examine the Equifax cybersecurity breach and the company's security failures and response. The hearing marked a major escalation in official scrutiny of the incident.
House committee grills Equifax as former CEO blames employee error
On October 3, 2017, former Equifax CEO Richard Smith told the House Energy and Commerce Committee that the breach resulted from a single employee's failure to apply a critical patch, compounded by technology failures including a scanning tool that did not detect the issue. Lawmakers sharply criticized Equifax's security practices, breach response, and executive stock sales, escalating congressional scrutiny ahead of the Senate hearing.
Equifax reduces estimated Canadian victims to about 8,000
As part of the same October 2017 update, Equifax said Mandiant found no Equifax databases outside the United States were accessed and lowered the estimated number of affected Canadians from 100,000 to about 8,000. This materially revised the known international impact of the breach.
Equifax raises US victim count to 145.5 million
On October 2, Equifax said forensic review identified 2.5 million additional US consumers affected, increasing the total from 143 million to 145.5 million. The company said these were previously uncounted victims rather than a new intrusion.
Equifax CEO Richard Smith retires after breach fallout
On September 26, 2017, Equifax announced the immediate retirement of CEO Richard Smith amid mounting criticism over the company's handling of the breach. Board member Mark Feidler was appointed non-executive chairman, and the board said it had formed a special committee to oversee the company's response and reduce the risk of a similar incident recurring.
Equifax says about 100,000 Canadians may be affected
On September 19, 2017, Equifax Canada disclosed that about 100,000 Canadian consumers may have had personal information exposed in the broader breach, including names, addresses, Social Insurance Numbers, and in limited cases credit card data. The company said the data was accessed through a U.S. consumer website application and that Equifax Canada’s own systems and core credit-reporting databases were not directly compromised.
Equifax says 200,000 payment cards were exposed
Equifax disclosed that credit card numbers for about 200,000 US consumers were stolen from transaction history data. This added a new category of compromised information beyond the personal identity data already announced.
Equifax confirms unpatched Apache Struts flaw caused breach
On September 14, Equifax formally confirmed that attackers exploited the unpatched Apache Struts vulnerability CVE-2017-5638 to access its systems. The company said it was working with law enforcement, sharing indicators of compromise, and using Mandiant for incident response.
New York attorney general opens investigation into Equifax breach
New York Attorney General Eric Schneiderman announced an investigation into Equifax following the company's breach disclosure. The move marked an early state-level official response to the incident amid mounting criticism of Equifax's handling of consumers' data.
Equifax says it will replace predictable credit-freeze PIN generation
Amid fallout from the breach, reporting revealed that Equifax generated credit-freeze PINs using a predictable method based on the date and time a freeze was created rather than random values. Equifax said it believed existing PINs were not compromised but would update the PIN generation and reset process to issue randomly generated PINs.
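The weakness described above is easy to see in code. The block below is an added illustration, not Equifax's code and not from the page: it contrasts a timestamp-derived PIN with one drawn from the OS CSPRNG, measures how many PINs the weak scheme could have produced within a freeze window, and includes an audit check a defender can run over an existing PIN population to spot a timestamp-shaped generator. The MMDDYYHHMM layout, the function names, and the sample dates are all constructed assumptions; the page does not state the exact format Equifax used.

```python
"""Credit-freeze PIN generation: timestamp-derived versus random.

Added example, not Equifax's code. The MMDDYYHHMM layout is a constructed
assumption used only to show why a PIN derived from the creation time has
almost no entropy, and how to detect and replace such a generator.
"""
import math
import secrets
from datetime import datetime, timedelta

# Constructed assumption: a PIN that is simply the freeze creation time.
WEAK_FORMAT = "%m%d%y%H%M"
PIN_DIGITS = 10


def weak_pin(created_at: datetime) -> str:
    """Hypothetical timestamp-derived PIN (month, day, 2-digit year, hour, minute)."""
    return created_at.strftime(WEAK_FORMAT)


def secure_pin(digits: int = PIN_DIGITS) -> str:
    """PIN drawn from the OS CSPRNG; every digit string of this length is equally likely."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def weak_candidates(window_start: datetime, window_end: datetime) -> set:
    """Every PIN the weak scheme could have issued for a freeze placed inside the window.

    Resolution is one minute, so a whole day yields at most 1440 distinct PINs.
    """
    candidates = set()
    t = window_start.replace(second=0, microsecond=0)
    while t <= window_end:
        candidates.add(weak_pin(t))
        t += timedelta(minutes=1)
    return candidates


def weak_keyspace_bits(window_start: datetime, window_end: datetime) -> float:
    """Effective entropy of the weak scheme when the freeze time is known to the minute-window."""
    return math.log2(len(weak_candidates(window_start, window_end)))


def secure_keyspace_bits(digits: int = PIN_DIGITS) -> float:
    """Entropy of a uniformly random decimal PIN: digits * log2(10)."""
    return digits * math.log2(10)


def looks_timestamp_derived(pin: str) -> bool:
    """Audit check: does this PIN parse as a valid MMDDYYHHMM timestamp?

    A uniformly random 10-digit PIN passes this test only about 0.5% of the
    time, so a population where most PINs pass points at a timestamp-based
    generator.
    """
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, WEAK_FORMAT)
        return True
    except ValueError:
        return False


def timestamp_shaped_fraction(pins) -> float:
    """Fraction of a PIN population that is timestamp-shaped; use as a generator health check."""
    pins = list(pins)
    if not pins:
        return 0.0
    return sum(looks_timestamp_derived(p) for p in pins) / len(pins)


if __name__ == "__main__":
    # Constructed sample: a freeze placed on a single day under the weak scheme.
    day_start = datetime(2017, 9, 8, 0, 0)
    day_end = datetime(2017, 9, 8, 23, 59)
    print("weak PIN for 2017-09-08 14:05:", weak_pin(datetime(2017, 9, 8, 14, 5)))
    print("weak PINs possible that day:", len(weak_candidates(day_start, day_end)))
    print("weak entropy (bits):", round(weak_keyspace_bits(day_start, day_end), 2))
    print("secure entropy (bits):", round(secure_keyspace_bits(), 2))
    print("sample secure PIN:", secure_pin())
    weak_population = [weak_pin(day_start + timedelta(minutes=i)) for i in range(100)]
    print("timestamp-shaped fraction, weak generator:", timestamp_shaped_fraction(weak_population))
    print("timestamp-shaped fraction, CSPRNG generator:",
          timestamp_shaped_fraction(secure_pin() for _ in range(100)))
```

Knowing the freeze date to within a day leaves the weak scheme with about 10.5 bits of entropy, against about 33 bits for a uniformly random 10-digit PIN; the `timestamp_shaped_fraction` check gives an operator a cheap way to confirm, from issued PINs alone, that the replacement generator is actually in use.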
Equifax removes arbitration language from breach-response site terms
On September 10, 2017, Equifax updated its public statement to say consumers using its free breach-related credit monitoring and identity theft services did not waive their right to sue. The company said it removed arbitration language from the equifaxsecurity2017.com terms and would not enforce arbitration or class-action waiver provisions for claims tied to the incident or the free products.
Equifax pulls mobile apps from Apple and Google app stores
In the week before September 15, 2017, Equifax removed its consumer mobile apps from the Apple App Store and Google Play. The company said the move was precautionary after identifying a vulnerability in the apps and amid concerns they could be used to compromise consumer information.
Equifax breach-response lookup tool draws criticism
Soon after the public disclosure, Equifax's online tool for checking whether consumers were affected was found to return inconsistent results, including for bogus inputs. The problems intensified criticism of the company's response and consumer communications.
Equifax publicly discloses breach affecting 143 million people
Equifax announced the breach on September 7, 2017, saying attackers stole names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers for about 143 million consumers. The disclosure came more than five weeks after the company discovered the intrusion.
Equifax executives sell stock after breach discovery
In the days following the July 29 discovery, three Equifax executives sold more than $1.8 million in stock. The sales drew scrutiny over the company's governance and incident handling.
Equifax discovers the breach
Equifax discovered suspicious activity and identified the breach on July 29, 2017. Later reporting said attackers had remained in the environment for more than two months by that point.
Attackers begin exploiting Equifax systems via unpatched Struts flaw
Equifax later said attackers breached its systems in May 2017 through an unpatched Apache Struts vulnerability in a US web application, commonly described as the dispute portal. The intrusion became the starting point of the company's major consumer data breach.
Apache Struts flaw CVE-2017-5638 is publicly disclosed and patched
The Apache Struts vulnerability later tied to the Equifax breach was publicly disclosed and patched months before the intrusion. Later accounts said Equifax received a US-CERT alert about the flaw but failed to ensure the patch was applied.
Equifax takes down previously exposed website after warning
After months of inaction following the December researcher disclosure, Equifax removed the publicly exposed website in June 2017. Later reporting suggested this may have represented an additional avenue of compromise beyond the portal Equifax publicly blamed.
Researcher warns Equifax about exposed sensitive data and weak servers
An anonymous security researcher reported in December 2016 that an Equifax public-facing website exposed highly sensitive personal data without authentication and that multiple Equifax servers were vulnerable to basic attacks. According to later reporting, Equifax did not remove the exposed site until June 2017.
Sources
Report: Equifax to pay $700 million in breach settlement (ajc.com)
Credit firm Equifax says 143m Americans' social security numbers exposed in hack | US news | The Guardian (theguardian.com)
China denies responsibility in Equifax breach after DOJ charges four military members - CBS News (cbsnews.com)
Chinese Military Officers Hacked Equifax, Justice Department Says - Defense One (defenseone.com)
Equifax breach exposed data for 143 million consumers - CBS News (cbsnews.com)
Breach at Equifax May Impact 143M Americans - Krebs on Security (krebsonsecurity.com)
Equifax data breach 2017: Here's how to protect yourself - CNET (cnet.com)
FCA (fca.org.uk)