Equifax: Corporate Irresponsibility  

The company could have prevented the data breach

New details on how Equifax responded to the breach continue to define the company's irresponsibility.

In its initial statements, Equifax attempted to place the blame on a security vulnerability (bug) in Apache Struts 2, the enterprise web framework it uses. The framework is widely used among Fortune 500 companies such as VMware, Citigroup and Lockheed Martin. No other Fortune 500 firm has reported a security breach.


In a progress update on September 13th, Equifax confirmed the bug was Apache Struts CVE-2017-5638.

A security update for the bug was released back on March 6th, leaving Equifax over two months to install it before the hacking started, by Equifax's own account, in "mid-May."

Then it took Equifax more than a month to learn of the unauthorized access to its databases.

The Timeline of Events

Monday, March 6, 2017

The bug responsible for the Equifax breach is CVE-2017-5638. "The vulnerability resides in the Apache Jakarta multipart parser and is triggered when it tries to parse the Content-Type header of the HTTP request, allowing remote attackers to execute arbitrary code on the vulnerable server." Image and quote: Dev Central F5.

  • A "critical vulnerability" (CVE-2017-5638) is discovered in Apache Struts 2. A patch is quickly released by the Apache Software Foundation.
  • All organizations running Apache Struts 2 are instructed to install the patch immediately because of the critical vulnerability.
  • Equifax did not install the patch.
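The F5 description above pins the bug to the Content-Type header: a request whose Content-Type is not a well-formed media type but an expression is the tell. The following is an added example, not code from the article or from Equifax, showing the two checks a defender would have wanted in March 2017: a scan of proxy log lines for Content-Type values that are either OGNL expression markers or not a valid media type at all, and a version check against the fixed Struts releases (2.3.32 and 2.5.10.1, as stated in the Apache S2-045 advisory). The log format and all sample lines are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not from Equifax or any real system), one request per line:
#   "<client> <method> <path> <Content-Type header value>"
# A reverse proxy or WAF would have to be configured to log the header for this to work.
SAMPLE_LOG = """\
10.0.0.5 POST /upload.action multipart/form-data; boundary=----abc123
10.0.0.6 GET /index.action text/html; charset=utf-8
10.0.0.7 POST /upload.action %{1+1}
10.0.0.8 POST /upload.action application/x-www-form-urlencoded
10.0.0.9 POST /upload.action ${7*7}
10.0.0.10 POST /upload.action multipart/form-data; boundary=
"""

# Struts evaluates OGNL expressions wrapped in these markers; a legitimate
# Content-Type header never contains them.
OGNL_MARKERS = ("%{", "${")

# Loose RFC 7231 media-type grammar: type/subtype followed by optional ;name=value
# parameters. Braces, percent signs and empty parameter values are not allowed.
MEDIA_TYPE_RE = re.compile(
    r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+"              # type/subtype
    r"(\s*;\s*[\w.-]+=(\"[^\"]*\"|[^;\s]+))*$"   # optional parameters
)


def classify_content_type(value: str) -> str:
    """Return 'ognl-marker', 'malformed' or 'ok' for one Content-Type header value."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl-marker"          # highest-confidence signal, check it first
    if not MEDIA_TYPE_RE.match(value):
        return "malformed"            # not a media type at all; worth a look
    return "ok"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose Content-Type is not a clean media type."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, path, ctype = line.split(" ", 3)
        verdict = classify_content_type(ctype)
        if verdict != "ok":
            findings.append({"client": client, "method": method, "path": path,
                             "content_type": ctype, "verdict": verdict})
    return findings


# Fixed releases for CVE-2017-5638 (S2-045): 2.3.32 and 2.5.10.1.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def struts_is_vulnerable(version: str) -> Optional[bool]:
    """True if a Struts 2.3.x / 2.5.x version predates the fix; None for other lines."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return None                   # 2.0/2.1/2.2 etc.: not covered by this check
    return parts < fixed


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['verdict']:12} {finding['client']:10} {finding['content_type']}")
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(f"Struts {v}: vulnerable={struts_is_vulnerable(v)}")
```

Run against the constructed log, the scanner flags the two lines with expression markers and the line with an empty boundary parameter, and leaves the two ordinary requests alone. The version check is the part Equifax's patch lag shows is worth automating: anything below 2.3.32 or 2.5.10.1 was exposed from March 6 onward.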

Mid-May, unreported date, 2017

  • Equifax stated the hacking started at this time.

Saturday, July 29, 2017

  • A month later, Equifax discovers that hackers have exploited the CVE-2017-5638 vulnerability on its website to gain access to databases holding consumer information.

Tuesday, August 1, 2017

  • John Gamble, Chief Financial Officer, sells shares worth nearly $950,000.
  • Joseph M. Loughran III, President, U.S. Information Solutions, sells shares worth about $685,000.

Wednesday, August 2, 2017

  • Rodolfo O. Ploder, President, Workforce Solutions, sells stocks for more than $250,000.

August 22, 2017

  • Equifax’s brand reputation firm, MarkMonitor, purchases the domain equifaxsecurity2017.com.

August 29, 2017

September 4, 2017

  • A "severe vulnerability" in Apache Struts that has existed since 2008 is detected by lgtm and assigned CVE-2017-9805.

Thursday, September 7, 2017

  • Equifax releases a PR statement via PRNewsWire and their website announcing the “cybersecurity incident."
  • The Crisis response site is launched on the external domain equifaxsecurity2017.com.
  • Someone buys equifaxsecurity2016.com, as well as the 2018 and 2019 domains, because Equifax didn't bother to purchase them.
  • Equifax tweets that the website is down.
  • Equifax (EFX) stock drops by 13%.

The Public Outrage Begins

  • Consumers find that the checking tool, TrustedID, is owned by Equifax and asks them for additional personal details. Social media scrutiny ensues.
  • The same checking tool is not properly validating entries. Again, the company is scrutinized on social media and through media outlets.
  • The public finds that the terms of service for TrustedID force consumers to waive any right to participate in a class action lawsuit, a move by the company to mitigate its legal risks.
  • Equifax stock plummets by more than 13%.

Friday, September 8, 2017

  • The blog Quartz claims in an article that the Apache Struts bug CVE-2017-9805 has existed in the wild for 9 years and is to blame for the Equifax breach.
  • New York State Attorney General Schneiderman lashes out at Equifax and opens an inquiry into the breach.
  • Equifax adds an opt-out provision for the arbitration clause after public pressure.
  • Equifax places blame on the web application framework Apache Struts 2.
  • A class action lawsuit is filed in Portland, OR seeking up to $70 billion in damages, which would be the largest class-action suit in U.S. history.
  • Hackers give Equifax until September 15th to pay a ransom of 600 bitcoin (BTC), approximately $2.6 million, via a dark web page (Caution: .onion link).
  • The public is outraged after discovering Equifax is charging consumers for a credit freeze.
  • The @askEquifax Twitter account tweets "Happy Friday."

The since-deleted tweet from Equifax. Courtesy of Twitter user @darth.

Saturday, September 9, 2017

The supposed hackers' dark web page. If you're a brave dark web user, find it here.

  • The Apache Software Foundation (ASF) issues a statement on the Equifax security breach.
  • The Apache Struts Project Management Committee (PMC) releases a statement, notably taking issue with the claim from Quartz that the bug was CVE-2017-9805 and had existed for 9 years.
  • The Quartz article has since been updated.

Monday, September 11, 2017

  • More than 30 lawsuits have piled up against Equifax.
  • Bowing to pressure, Equifax drops fees for credit freezes until Nov. 21.

Tuesday, September 12, 2017

Wednesday, September 13, 2017

Friday, September 15, 2017

  • Elizabeth Warren and co-sponsor Brian Schatz of Hawaii introduce legislation that would require Equifax to freeze consumers' credit reports for free and limit the company's ability to profit from their data.
