Data leak
Primary Source: CSO Online / Wikipedia / Apache Software Foundation
Incident Details
Apache disclosed CVE-2017-5638 on March 7, 2017 and released a patch the same day. Equifax's security scans failed to identify the vulnerable system. Starting March 10, attackers exploited the Apache Struts flaw in Equifax's online dispute portal. From May to July 2017 they exfiltrated the SSNs, dates of birth, addresses, and driver's license numbers of ~147.9 million Americans, plus ~200K credit card numbers. The intrusion was detected on July 29, 2017. Data at rest was not encrypted. Equifax settled with the FTC and states for $700M; the total cost was ~$1.38B. Members of the Chinese military (PLA Unit 54891) were indicted in 2020.
Technical Details
- Initial Attack Vector: CWE-20: Improper Input Validation / Apache Struts OGNL injection
- Vendor / Product: Equifax online dispute portal
- Software Package: Apache Struts
- CVE / GHSA References: CVE-2017-5638
Timeline
- 2017-03-10 Breach occurred
- 2017-09-07 Publicly disclosed
- 2017-09-08 Customers notified