The Equifax Data Breach
Equifax's 'entirely preventable' breach: expired $100 certificate disabled monitoring while attackers stole 148M records over 76 days.
An expired security certificate, roughly $100 worth of routine maintenance, let attackers steal the personal data of 148 million Americans. Equifax knew about the Apache Struts vulnerability (CVE-2017-5638) on March 8, 2017, when US-CERT, part of the Department of Homeland Security, notified the company directly. The patch wasn't applied until July 29. Attackers first exploited the unpatched system on May 13 and then moved through Equifax's network for 76 days without being detected.
The 14-month congressional investigation found the breach 'entirely preventable.' But the technical failure was the least interesting finding. Equifax had allowed over 300 security certificates to expire, including 79 for business-critical systems. It kept event logs for only 30 days, too short to reconstruct a slow, deliberate intrusion. It had no complete inventory of its IT systems and had declined to fund requests to build one. The monitoring tools designed to catch exactly this kind of attack were blind: the device that decrypted network traffic for inspection had been running on an expired certificate for 19 months, so the attackers' encrypted sessions passed through uninspected.
Biologically, this is immune system failure from organizational complexity. Equifax's aggressive acquisition strategy created fragmented IT infrastructure—a body with too many organs to maintain. Each acquisition added legacy systems, security tools, and monitoring requirements. The organism grew faster than its immune surveillance could scale. The attackers sent 9,000 queries to 48 databases, extracting personal information 265 times, and no alarm sounded.
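As an added illustration (not Equifax's tooling and not anything from the congressional report), the script below shows the kind of check the page says never fired: a source that fans out across many distinct databases in a short window is flagged, and the number of queries that actually returned rows is recorded alongside it. It also works out how much of a 76-day intrusion has already rolled off a 30-day log store by the time it is noticed. The log format, IP addresses, database names and thresholds are assumptions for the demo, and the sample records are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in an assumed "timestamp source database rows=N"
# format. 10.0.5.10 behaves like a normal application server (one database,
# steady cadence); 10.0.5.21 fans out across many databases within a couple of
# minutes, the shape of the activity described above. These are not real logs.
SAMPLE_LOG = """\
2017-05-13T02:10:00Z 10.0.5.10 db_consumer_01 rows=1
2017-05-13T02:10:30Z 10.0.5.10 db_consumer_01 rows=1
2017-05-13T02:11:04Z 10.0.5.21 db_consumer_01 rows=0
2017-05-13T02:11:09Z 10.0.5.21 db_consumer_02 rows=0
2017-05-13T02:11:15Z 10.0.5.21 db_consumer_03 rows=12
2017-05-13T02:11:20Z 10.0.5.21 db_consumer_04 rows=0
2017-05-13T02:11:26Z 10.0.5.21 db_consumer_05 rows=0
2017-05-13T02:11:31Z 10.0.5.21 db_consumer_06 rows=40
2017-05-13T02:11:37Z 10.0.5.21 db_consumer_07 rows=0
2017-05-13T02:12:00Z 10.0.5.10 db_consumer_01 rows=1
2017-05-13T03:30:00Z 10.0.5.33 db_consumer_09 rows=2
2017-05-13T04:30:00Z 10.0.5.33 db_consumer_10 rows=2
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) rows=(\d+)$")


def parse_line(line):
    """Parse one record; return (timestamp, source, database, rows) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_fanout(lines, window=timedelta(minutes=10), max_distinct_dbs=5):
    """Flag a source the first time it touches more than max_distinct_dbs
    distinct databases inside a sliding time window. The threshold is an
    assumption; tune it to what the application legitimately does."""
    recent = defaultdict(deque)      # source -> deque of (ts, db, rows) in window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # malformed record: skip it, do not crash
        ts, src, db, rows = rec
        q = recent[src]
        q.append((ts, db, rows))
        while q and ts - q[0][0] > window:
            q.popleft()               # drop records that fell out of the window
        distinct = {d for _, d, _ in q}
        if len(distinct) > max_distinct_dbs and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "first_seen": q[0][0].isoformat(),
                "distinct_dbs": len(distinct),
                # queries that actually returned rows: the "successful" retrievals
                "queries_with_rows": sum(1 for _, _, r in q if r > 0),
            })
    return alerts


def unlogged_days(first_access, detected, retention_days):
    """Days of intrusion that had already rolled off a fixed-retention log store
    by the time the intrusion was detected (0 if retention covers it all)."""
    first = datetime.strptime(first_access, "%Y-%m-%d")
    earliest_kept = datetime.strptime(detected, "%Y-%m-%d") - timedelta(days=retention_days)
    return max(0, (earliest_kept - first).days)


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
    print("days of intrusion already gone from 30-day logs at detection:",
          unlogged_days("2017-05-13", "2017-07-29", 30))
```

Run against the constructed records, only 10.0.5.21 is flagged (six distinct databases in under a minute, two of the queries returning rows), while the steady single-database server and the slow, widely spaced source stay quiet. The retention arithmetic uses the page's own dates: with first access on May 13, detection on July 29 and 30-day retention, 47 of the 76 days of activity would already be gone from the logs when anyone first looked.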
The report's most damning finding: 'no clear lines of authority within Equifax's IT management.' When everyone is responsible for security, no one is. The CIO and CSO retired eight days after the breach was announced; the CEO followed about two weeks later. A VP was terminated for failing to forward a single email about the vulnerability. The attackers were later identified as Chinese military (four PLA officers were indicted by the US Department of Justice in 2020), but the failure was purely organizational, and basic hygiene would have prevented it.
Key Findings from the House Oversight and Government Reform Committee Report (2018)
- Breach was 'entirely preventable'—Apache Struts vulnerability known since March 8, 2017; patch applied July 29
- A certificate on the device that decrypted network traffic for inspection had been expired for 19 months, so the monitoring tools that would have detected the intrusion never saw it
- 300+ security certificates expired, including 79 for business-critical domains
- Attackers sent 9,000 queries to 48 databases, exfiltrating data 265 times over 76 days undetected
- 148 million Americans affected; 14 million British; 8,000 Canadian records compromised