Equifax Data Breach (Jul-Sep 2017)
Introduction
In September 2017, Equifax — one of the three major US credit-reporting agencies — disclosed that its systems had been breached between May and July of that year. The exposed data covered 147.9 million Americans: Social Security numbers, dates of birth, home addresses, and in some cases driver's licence numbers and payment card details. The breach was not the result of a novel attack. It exploited a known, patchable vulnerability in Apache Struts (CVE-2017-5638) for which a patch had been publicly available since 8 March 2017 — more than two months before the breach began.
The Equifax breach is catalogued here as a confirmed case of institutional negligence compounded by insider trading and delayed disclosure — not because it involves fabricated claims, but because the documented facts are themselves more damaging than most conspiracy theories about corporate misconduct.
The Vulnerability and the Patch
Apache Struts is a widely used open-source web application framework. CVE-2017-5638, published in the National Vulnerability Database on 8 March 2017, described a remote code execution vulnerability that allowed attackers to execute arbitrary commands on a server via a malformed HTTP header. The US Computer Emergency Readiness Team (US-CERT) issued alerts the same day. Equifax's internal security team was notified of the required patch. The patch was not applied to all systems.
On 13 May 2017 — 66 days after the patch was available — attackers began exploiting the unpatched vulnerability in Equifax's ACIS (Automated Consumer Interview System) dispute portal. The breach continued for 78 days before Equifax's security team detected it on 29 July 2017.
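As an added defensive illustration (not code from the original page, from Equifax, or from Apache), the following scans constructed web-server log lines for the malformed Content-Type header that the public Apache advisory for CVE-2017-5638 describes; the log format, IP addresses and paths are assumptions made for the example.

```python
"""Detection sketch for CVE-2017-5638 exploitation attempts in web-server logs.
Added illustration, not Equifax's or Apache's code. It assumes the server logs the
request Content-Type header as the last quoted field (a custom, constructed format)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Per the public Apache advisory for CVE-2017-5638 (S2-045), the vulnerable multipart
# parser evaluated OGNL expressions embedded in a malformed Content-Type header.
# A legitimate upload never puts "%{" or "${" there, so either is a strong signal.
OGNL_MARKER = re.compile(r"[%$]\{")

# Constructed format: ip ident user [time] "method path proto" status bytes "content-type"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)

@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    path: str
    reason: str

def classify_content_type(ctype: str) -> Optional[str]:
    """Return a reason string when the header looks like an injection attempt."""
    if OGNL_MARKER.search(ctype):
        return "ognl-expression-in-content-type"
    return None

def find_struts_attempts(lines: List[str]) -> List[Hit]:
    """Scan log lines and return one Hit per suspicious request, in order."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        reason = classify_content_type(m["ctype"])
        if reason:
            hits.append(Hit(m["ip"], m["ts"], m["path"], reason))
    return hits

# Constructed sample: two benign requests, two with expression markers, one junk line.
SAMPLE_LOG = [
    '198.51.100.4 - - [13/May/2017:03:10:01 +0000] "GET /dispute/start.action HTTP/1.1" 200 4120 "-"',
    '198.51.100.4 - - [13/May/2017:03:11:27 +0000] "POST /dispute/upload.action HTTP/1.1" 200 310 '
    '"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '203.0.113.7 - - [13/May/2017:03:12:44 +0000] "POST /dispute/upload.action HTTP/1.1" 200 512 '
    '"%{#placeholder_expression}"',
    '203.0.113.7 - - [13/May/2017:03:12:45 +0000] "GET /dispute/start.action HTTP/1.1" 200 4120 '
    '"${#placeholder_expression}"',
    "malformed line that the parser should skip",
]
```

Running `find_struts_attempts(SAMPLE_LOG)` flags only the two requests from 203.0.113.7 and ignores the legitimate multipart upload and the unparsable line.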
The Disclosure Timeline
Equifax discovered the breach on 29 July 2017. It did not notify the public until 7 September 2017 — 40 days after discovery. During that 40-day window:
- Chief Financial Officer John Gamble sold $946,374 in shares on 1 August 2017
- President of US Information Solutions Joseph Loughran sold $584,099 in shares
- President of Workforce Solutions Rodolfo Ploder sold $250,458 in shares
The company initially attributed these sales to pre-arranged trading plans. The Department of Justice subsequently charged former CIO Jun Ying with insider trading for selling approximately $950,000 in options in August 2017 after learning that the breached company was Equifax. Ying was convicted in 2019 and sentenced to four months in prison. Former manager Sudhakar Bonthu was also charged; he pleaded guilty and was sentenced to eight months of home confinement.
Executive Accountability
CEO Richard Smith appeared before multiple congressional committees in early October 2017, testifying that the failure to patch was the result of a breakdown in Equifax's internal security patching process: a single individual had failed to implement the scan that would have identified the vulnerable system. Smith resigned on 26 September 2017. CIO David Webb and CSO Susan Mauldin resigned on 26 September 2017 as well.
Critics noted that Mauldin held degrees in music composition rather than information security — a detail that became a flashpoint in congressional hearings about the adequacy of Equifax's security leadership. Equifax called these characterisations of Mauldin's qualifications misleading.
The Settlement and Regulatory Response
In July 2019, Equifax settled with the Federal Trade Commission, the Consumer Financial Protection Bureau, and all 50 state attorneys general for $700 million — at the time the largest data-breach settlement in US history. The settlement included up to $425 million in consumer restitution, though actual per-consumer payouts were significantly lower than initially advertised due to the volume of claims. The FTC was criticised for the settlement terms.
What the Breach Confirmed
The Equifax breach is a confirmed case of institutional negligence — a known critical vulnerability, unpatched for over two months, on a system holding the financial identity data of almost half the US adult population. The subsequent insider trading by executives who sold stock with advance knowledge of the breach compounds the institutional failure with documented financial crime.
No fabricated claims are involved. The documented record is the story.
Verdict
Confirmed. Every major element — the unpatched CVE, the 78-day undetected breach, the 40-day delayed disclosure, the pre-disclosure stock sales, the insider trading charges and convictions — is documented in court records, congressional testimony, FTC filings, and contemporaneous journalism. The breach is one of the most consequential failures of corporate data stewardship in US history.
Evidence Cited by Believers
CVE-2017-5638 patch available 8 March 2017 — breach began 13 May 2017
Supporting (strong): The Apache Struts vulnerability exploited in the Equifax breach had a publicly available patch 66 days before the breach began. US-CERT issued alerts the same day as the patch release. Equifax's security team was notified. The failure to apply the patch is documented in congressional testimony by CEO Richard Smith.
78-day undetected breach period
Supporting (strong): From 13 May to 29 July 2017, attackers exfiltrated data for 78 days without detection. This duration is evidence of inadequate monitoring and detection capabilities relative to the sensitivity of the data Equifax held.
Executives sold $1.8M in stock between discovery and public disclosure
Supporting (strong): CFO John Gamble, Joseph Loughran, and Rodolfo Ploder sold a combined $1.8 million in shares between 29 July 2017 (discovery) and 7 September 2017 (public disclosure). The company attributed the sales to pre-arranged trading plans.
Rebuttal: The company's claim that the sales were pre-arranged trading plans under 10b5-1 programmes was accepted as an explanation for most of the executives' trades. The DOJ pursued charges only against Jun Ying and Sudhakar Bonthu, not the CFO or the two presidents.
Jun Ying convicted of insider trading — sentenced to four months
Supporting (strong): Former Equifax CIO Jun Ying was charged by the DOJ with insider trading for selling approximately $950,000 in stock options in August 2017 after learning his company was the breach victim. He was convicted at trial in 2019 and sentenced to four months in prison and $117,117 in disgorgement.
$700M FTC and state AG settlement — largest data breach settlement at the time
Supporting (strong): In July 2019 Equifax settled with the FTC, CFPB, and all 50 state attorneys general for $700 million, including up to $425 million in consumer restitution. It was the largest data breach settlement in US history at the time of announcement.
CEO, CIO, and CSO all resigned 26 September 2017
Supporting: Richard Smith (CEO), David Webb (CIO), and Susan Mauldin (CSO) all departed on 26 September 2017. The simultaneous resignation of the top security and technical leadership was widely interpreted as accountability for the breach and the response.
Counter-Evidence
Apache Struts Patch Failure Was Negligence in an Enterprise-Wide Process, Not Coordination
Debunking: The Equifax breach exploited CVE-2017-5638, a critical Apache Struts vulnerability for which a patch had been available for two months before the breach. Internal communications revealed that the patch was identified and communicated to IT teams but not applied to the specific dispute-portal system, because of process failures in Equifax's patch-management workflow. This is enterprise IT negligence — the failure of large organizations to consistently apply patches across complex legacy environments — not evidence of a deliberate decision to leave vulnerabilities open.
Insider Trading Convictions Were Personal, Not Systematic Corporate Conspiracy
Debunking: Former Equifax executive Jun Ying was convicted of insider trading for selling stock options after learning of the breach but before public disclosure. A second employee, Sudhakar Bonthu, pleaded guilty to similar charges. Both were individual actors taking personal advantage of material non-public information — not evidence of a boardroom-coordinated stock-manipulation scheme. Ying's prosecution and conviction demonstrate that securities enforcement identified and punished the individual misconduct, which is accountability operating as intended.
Neutral / Ambiguous
Consumer restitution payouts far below advertised amounts
Neutral: The FTC's initial advertising of up to $125 per consumer was criticised when the volume of claims made clear the actual per-person payout would be far smaller. The FTC updated guidance to recommend consumers take credit monitoring services instead of cash payouts.
Rebuttal: The settlement cap was $425M for consumer restitution. With 147.9M potential claimants and high claim volume, per-consumer cash payouts were inevitably small. The FTC's communications around the settlement were criticised as misleading by consumer advocates.
Congressional testimony attributed patch failure to a single individual
Neutral: CEO Richard Smith testified before Congress that the failure to apply the patch resulted from a breakdown in Equifax's internal scanning process — one individual had failed to run the scan that would have identified the vulnerable system. Critics argued this deflected institutional accountability onto a single employee.
Rebuttal: Attributing a systemic failure in patch management to a single individual's error was widely criticised by security professionals as a deflection from institutional governance failures. Patch management processes should not depend on a single point of failure.
Timeline
8 March 2017: Apache Struts CVE-2017-5638 patch published
NIST publishes CVE-2017-5638 in the National Vulnerability Database. US-CERT issues an alert. The patch for the remote code execution vulnerability is publicly available. Equifax's security team is notified. The patch is not applied to the ACIS dispute portal system.
13 May 2017: Breach begins; attackers exploit the unpatched Struts vulnerability
Attackers begin exploiting the unpatched CVE-2017-5638 in Equifax's ACIS consumer dispute portal, 66 days after the patch was available. Exfiltration of 147.9 million Americans' PII — Social Security numbers, dates of birth, addresses — begins.
29 July 2017: Breach discovered internally; executives begin stock sales
Equifax's security team discovers the intrusion after 78 days of undetected access. CFO John Gamble and two other executives sell a combined $1.8M in shares in the days following discovery, before public disclosure. Jun Ying, separately, sells options worth approximately $950,000.
7 September 2017: Public disclosure; CEO and senior leadership resign on 26 September 2017
Equifax discloses the breach publicly on 7 September 2017, 40 days after discovery. CEO Richard Smith, CIO David Webb, and CSO Susan Mauldin all resign on 26 September 2017. Congressional hearings begin in early October. Smith testifies the patch failure was the result of a single employee failing to run a required scan.
Verdict
CVE-2017-5638 patch was available 8 March 2017. Breach began 13 May 2017. Discovered 29 July 2017. Disclosed 7 September 2017. CFO and three executives sold $1.8M in stock between discovery and disclosure. Jun Ying convicted of insider trading 2019. $700M FTC + state AG settlement July 2019. CEO Richard Smith, CIO David Webb, and CSO Susan Mauldin all resigned 26 September 2017.
Frequently Asked Questions
Why was the Equifax patch never applied if it was available months earlier?
CEO Richard Smith testified to Congress that the failure resulted from a breakdown in Equifax's internal patch scanning process — a single employee had failed to run the scan that would have identified the vulnerable system. Security professionals widely criticised this explanation as deflecting systemic governance failure onto an individual, arguing that a patch management process with a single point of failure was itself the institutional problem.
Were the executive stock sales before disclosure illegal?
The DOJ charged former CIO Jun Ying and manager Sudhakar Bonthu with insider trading. Both were convicted or pleaded guilty. The CFO's and two presidents' sales were attributed to pre-arranged 10b5-1 trading plans and were not prosecuted. Whether the trading-plan defence was fully adequate remains a subject of criticism from securities law scholars.
How much did affected consumers actually receive from the settlement?
The FTC initially advertised up to $125 in cash per claimant. Due to the volume of claims — far exceeding the $31 million cash fund — actual cash payouts were a small fraction of that amount. The FTC updated guidance to recommend free credit monitoring services instead. Consumer advocates criticised the settlement terms and the FTC's communications as misleading.
What data was actually exposed in the Equifax breach?
Equifax's disclosure covered 147.9 million Americans. The exposed data included Social Security numbers, dates of birth and home addresses, and in some cases driver's licence numbers and payment card details.
Further Reading
- Article: FTC Equifax data breach settlement — official case page — Federal Trade Commission (2019)
- Paper: Senate Banking Committee hearing: Equifax data breach — US Senate Banking Committee (2017)
- Book: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon — Kim Zetter (2014)