Equifax Data Breach Exposes 147 Million Americans' Personal Information

In September 2017, Equifax — one of the three major credit reporting agencies — disclosed that hackers had exploited a known vulnerability in its web application software (Apache Struts) to steal the personal information of approximately 147 million Americans. The stolen data included Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers and credit card numbers.

What made the breach particularly outrageous was that a patch for the vulnerability had been available for two months before the breach occurred, but Equifax failed to apply it. The company's security practices were found to be grossly inadequate — it was essentially entrusted with the most sensitive financial data of half the American population but failed to implement basic cybersecurity measures.

Making matters worse, Equifax executives sold nearly $1.8 million in company stock after the breach was discovered internally but before it was disclosed to the public. The company also bungled its response, initially directing consumers to a website that was itself riddled with security flaws.

Consumers had no choice in Equifax collecting their data — the credit reporting system operates without consumer consent — making the breach a particularly stark example of corporate negligence affecting people who had no direct relationship with the company.