Data Breach Case Study: The Equifax Hack

There have been some sizable and well-publicized data breaches in recent years, but in both categories, the Equifax hack of 2017 is hard to top. Given the scope of the credit reporting giant’s data collection activities on Americans, nearly 150 million people had their personal information stolen. For many individuals, this was the first time cybersecurity stopped being an abstract concept and became an immediate, personal concern. So, what happened?

Meet CVE-2017-5638. Reported by The Apache Software Foundation on March 7, 2017, this vulnerability is a classic input-validation flaw that gives attackers a way to access data that should remain secure. Poor data validation practices in web applications are at the root of several categories of vulnerability, among them cross-site scripting and SQL injection attacks. Javascript, which is the language supported by the Struts framework, is rather notorious for such vulnerabilities in the cybersecurity world.

However, this penetration was not simply a case of clever hackers finding a zero-day exploit in Equifax’s web servers. According to investigators, the breach did not occur until May 13th, over two months after the CVE had been published and an official patch had been released! The patch was not applied until late July, after Equifax personnel had begun to notice suspicious traffic. Once again, the exploit was possible because of untimely patching of a long-known (in software development terms) problem that already had an available solution.

The total fallout from a data breach this massive has proved difficult to quantify. A settlement in 2019 between Equifax and the Consumer Financial Protection Bureau (CFPB), Federal Trade Commission (FTC), and numerous additional parties “impose[d] up to $700 million in relief and penalties.” However, additional class-action cases have been pursued and Equifax claims that its losses have totaled almost $2 billion, though most consumers were greatly unsatisfied with the payouts they received, if any at all. An indictment was issued by the US Department of Justice against four Chinese nationals affiliated with that nation’s military; they remain, unsurprisingly, at large as of publication time.

What is the takeaway for your cybersecurity and mine?

Patch, and don’t delay. Patch early and often and tell your friends. Your data’s security depends upon it.