There is quite a lot of conflicting reports on how Equifax was compromised. They all seem to agree that it was a Struts vulnerability. What isn’t clear though is which one. If Equifax were toppled via CVE-2017-9805, then you have to put your hands up and say that this was unfortunate for them, due to it only being discovered in September, well after the attack which was suspected to have happened in May this year. I have always been unpleasantly surprised with how old and outdated Equifax’s customer facing portals are though, and it wouldn’t surprise me if the back-end was reflected the front end. Therefore it would be more likely for it to be an earlier Struts vulnerability that was used. Only time will tell!