The Equifax breach information page has some interesting root cause analysis:
- The particular vulnerability (that the bad guys used) in Apache Struts was identified and disclosed by U.S. CERT in early March 2017.
- The attack was done May 13-July 30.
If they had responded promptly to the CERT advisory, this whole thing might not have happened.