🔍 Overview
In September 2017, Equifax—one of the largest credit reporting agencies in the U.S.—announced a massive data breach that compromised the sensitive information of over 147 million Americans.
💥 What Happened?
- Attackers exploited a known vulnerability in the Apache Struts web framework (CVE-2017-5638).
- Despite a patch being available in March 2017, Equifax failed to update their systems.
- The breach occurred between May and July 2017 but wasn’t discovered until late July and disclosed to the public in September 2017.
🧾 Data Compromised
- Names
- Social Security Numbers
- Birthdates
- Addresses
- Driver’s license numbers
- In some cases, credit card numbers and dispute records
📉 Impact
- Over 147 million people affected
- Loss of trust and reputation
- Lawsuits and regulatory investigations
- $700+ million settlement with the U.S. Federal Trade Commission (FTC), CFPB, and states
- Several top executives, including the CEO, resigned
🛠️ What Went Wrong
- Failure to patch known vulnerability
- Lack of proper vulnerability scanning
- No proper encryption of sensitive data
- Poor incident detection and response
✅ Lessons Learned
| Area | Recommendation |
|---|---|
| Patch Management | Apply patches as soon as they are available |
| Threat Detection | Use intrusion detection and endpoint monitoring |
| Data Security | Encrypt all sensitive PII at rest and in transit |
| Incident Response | Have a formal, tested response plan in place |
| Compliance | Conduct regular audits and risk assessments |
📚 External Resources
🧩 Discussion Questions
- Could the Equifax breach have been prevented? How?
- What should be the legal responsibility of companies storing PII?
- What role does employee training play in breach prevention?