Case Study

The Equifax Breach: How One Unpatched Server Exposed 147 Million People

One of history's largest data breaches was entirely preventable. Here's what went wrong and what it means for your business security.

Securiu Team

Security Research

September 7, 2017 · 8 min read

In September 2017, Equifax announced that hackers had stolen personal information belonging to 147.9 million Americans. Social Security numbers, birth dates, addresses, driver's licenses—all of it, just gone. And here's the part that still gets me: the whole thing was preventable.

The attackers exploited a known vulnerability in Apache Struts, a web framework Equifax was running on one of their servers. A patch had been available for over two months. Equifax just never installed it.

The hackers got in around mid-May 2017 and stayed hidden in Equifax's systems for 76 days. Seventy-six days of freely accessing and downloading sensitive data, and nobody noticed. When they finally discovered the breach in late July, the damage was already catastrophic.

What Actually Happened

Let me walk you through the timeline, because understanding how this unfolded helps explain why it's relevant to any business with a website:

March 7, 2017: Apache publicly discloses a critical vulnerability in Struts (CVE-2017-5638) and releases a patch the same day. US-CERT issues an alert the next morning. This is a big deal—security teams everywhere are scrambling to update their systems.

March 9, 2017: Equifax's internal security team is notified about the vulnerability. They run some scans, but somehow miss the one vulnerable server that matters.

May 13, 2017: Attackers find their way into that unpatched server and begin their work.

July 29, 2017: Equifax finally discovers something's wrong—76 days after the initial breach.

September 7, 2017: The public finds out.

The Real Cost

Equifax eventually paid over $1.4 billion in cleanup costs, legal fees, and settlements. Their CEO resigned. In 2019, they agreed to a settlement with the FTC that could reach $700 million.

But here's what doesn't get enough attention: the 147 million people whose Social Security numbers are now floating around criminal networks. Those numbers don't expire. Those people will be dealing with the consequences of this breach for the rest of their lives.

Why This Matters for Small Businesses

You might be thinking, "I'm not Equifax. I don't have 147 million customer records." Fair point. But the lesson here isn't about scale—it's about fundamentals.

Equifax had a massive security budget. They had dedicated teams. They had enterprise tools. And none of it mattered because they didn't do the basics consistently.

For small businesses, this is actually encouraging. You don't need Equifax's resources to be more secure than they were in 2017. You just need to:

  • Keep your software updated. When your CMS, plugins, or server software have updates available—especially security updates—install them. Don't wait two months like Equifax did.
  • Know what you're running. Can you list every piece of software on your website right now? If not, that's your first task.
  • Monitor for unusual activity. You don't need expensive tools. Even basic logging and occasional review are better than nothing.
  • Limit what you collect. The less sensitive data you store, the less damage a breach can cause. Do you really need to keep customer data forever?
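
A small patch-lag audit covering the first two items above, added here as an example (it is not from the original article). The component names, the versions and the 30-day limit are constructed placeholders; the March 7 and May 13, 2017 dates come from the timeline.

```python
from datetime import date

# Constructed inventory: names and versions are placeholders, not real releases.
# "fixed_in" is the first release with the security fix, "fix_released" its date.
INVENTORY = [
    {"name": "web-framework", "installed": "2.3.1", "fixed_in": "2.3.2",
     "fix_released": "2017-03-07"},  # patch date taken from the timeline above
    {"name": "cms-core", "installed": "5.10.0", "fixed_in": "5.9.3",
     "fix_released": "2017-04-20"},
    {"name": "contact-form-plugin", "installed": None, "fixed_in": "1.4",
     "fix_released": "2017-02-01"},  # nobody recorded what is deployed
]

def parse_version(text):
    """'5.10.0' -> (5, 10, 0), so that 5.10 sorts after 5.9 (strings would not)."""
    return tuple(int(part) for part in text.split("."))

def is_older(installed, fixed_in):
    """True when the installed version predates the fixed one ('1.4' == '1.4.0')."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(inventory, today, max_lag_days=30):
    """Return (name, status, days the fix has been available and not applied)."""
    findings = []
    for item in inventory:
        released = date.fromisoformat(item["fix_released"])
        lag = (date.fromisoformat(today) - released).days
        if item["installed"] is None:
            status = "UNKNOWN"   # not inventoried: treat as exposed until checked
        elif not is_older(item["installed"], item["fixed_in"]):
            status, lag = "OK", 0
        elif lag > max_lag_days:  # 30 days is an assumed limit, set your own
            status = "OVERDUE"
        else:
            status = "PENDING"
        findings.append((item["name"], status, lag))
    return findings

if __name__ == "__main__":
    # Audit date = the day the timeline says the intrusion began.
    for name, status, lag in audit(INVENTORY, "2017-05-13"):
        print(f"{name:22} {status:8} {lag:4d} days")
```

The UNKNOWN row is the case to chase first: a component nobody has recorded cannot be patched on schedule.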

The Uncomfortable Truth

Most breaches—even big ones—happen because of simple oversights. Unpatched software. Weak passwords. Misconfigured servers. The sophisticated nation-state hacking you see in movies is real, but it's not what takes down most businesses.

What takes down most businesses is the boring stuff: the plugin that didn't get updated, the admin password that was "password123," the server that's been running the same vulnerable software for three years because "it still works."

If Equifax can fall to a two-month-old unpatched vulnerability, so can anyone. The difference is whether you're paying attention.

What You Should Do Today

Don't read this and then go back to whatever you were doing. Take 15 minutes and check on your website's security:

  1. Log into your hosting dashboard and check if there are pending updates
  2. Look at your plugins or extensions—are any of them outdated?
  3. When was your SSL certificate last renewed? Is it valid?
  4. Do you have backups? When was the last one? Have you ever tested restoring from one?

If you want a quick overview of where you stand, run your site through our free security scanner. It takes about 30 seconds and doesn't require any signup. It won't catch everything, but it'll flag the obvious stuff—which, as Equifax proved, is often all an attacker needs.
