← The Five Quadrants of Risk

Risk register · entry

Q3 · Engineered

Equifax breach

One unpatched server exposed half of America. The password was admin.

Tightly coupled systems where one small fault cascades and takes down the whole machine.

Room
Q3 Engineered
Year
2017
Impact
147.9M records
Sector
Credit data
Region
Global
Category
Technological

Why this room

The originating fault was a single, well-documented, patchable vulnerability with a simple, calculable fix, textbook Q3, but the payoff distribution turned fat-tailed once several independent detective controls failed simultaneously, letting a routine engineering gap sit undetected long enough to compound into a systemic, cross-quadrant event.

The record

  • 147.9 million US consumers had names, SSNs, and birth dates exposed (initial reports said 143 million, later revised up)certain
  • Apache Struts patch for CVE-2017-5638 released March 7, 2017; DHS/US-CERT notified Equifax March 8; internal Equifax email told admins to patch March 9; a vulnerability scan on March 15 failed to flag the exposed systemscertain
  • Attackers first entered through the Struts flaw on March 10, 2017; began actively exfiltrating data May 13, 2017; the intrusion ran undetected until July 29, 2017, a roughly 76-day window, because a network-traffic-inspection certificate had been left expired for about 10 monthscertain
  • Public disclosure came September 7, 2017, close to six weeks after internal discoverycertain
  • Settlement with FTC, CFPB and 48 states/DC/Puerto Rico totaled up to $700 million: up to $425 million in consumer relief, $175 million to states, $100 million civil penalty to CFPBcertain
  • Equifax reported roughly $1.4 billion in breach-related remediation and security costslikely
  • DOJ indicted four members of China's PLA 54th Research Institute on February 10, 2020, alleging they ran about 9,000 queries against Equifax systems and routed traffic through roughly 34 servers in about 20 countries to hide their trackscertain
  • A former Equifax CIO of a US business unit, Jun Ying, was separately convicted of insider trading tied to the breachlikely
  • Separately, in September 2017 security researchers found an Equifax employee portal in Argentina protected only by the username and password "admin"/"admin"certain
  • Moody's cited cyber risk when it downgraded Equifax's outlook in 2019, an early instance of a rating agency naming a cyber incident explicitlylikely

Sources

  1. CSO Online
  2. Federal Trade Commission
  3. Consumer Financial Protection Bureau
  4. US Department of Justice
  5. CNBC

The book

This entry is one of 111 in the register. The full story, and what it cost the people who lived it, is in Risky Business by Claudia Zeisberger, David Munro and Joanna Reijgersberg-Siew.

Join the waiting list