The Breach That Touched Half the Country
A meditation on the 2017 Equifax data breach, the ten-week window between the vulnerability's public disclosure and its exploitation in which the available patch went uninstalled, and the structural fragility of an industry that holds consumer data without consumer consent.
In September 2017, the credit reporting bureau Equifax disclosed that, between mid-May and late July of that year, attackers had compromised the personal financial data — names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers — of approximately one hundred and forty-five million Americans. The figure represented, at the time of disclosure, roughly forty-five percent of the United States population. The breach was, by population coverage, the largest single data-security incident in American consumer-financial history.
The attack exploited a known vulnerability in the Apache Struts web framework, which had been publicly disclosed approximately ten weeks before the attack began. Equifax had been notified of the vulnerability through standard channels. A patch was available. The patch had not been installed. The attackers, having identified the unpatched vulnerability through routine reconnaissance of Internet-facing systems, used it to reach the underlying customer databases and retained that access for approximately ten weeks before the company detected the intrusion.
The Disclosure Sequence. The detection-to-disclosure timeline produced its own scandal. Equifax's internal investigation had identified the breach in late July. Public disclosure did not occur until early September. In the intervening weeks, several Equifax executives, including the chief financial officer, sold substantial portions of their personal stock holdings — sales that became the subject of subsequent insider-trading investigations. The chief executive resigned. The Federal Trade Commission imposed substantial settlements. The aggregate cost to the company, in penalties, remediation, customer protection services, and class-action settlements, has exceeded one and a half billion dollars.
The Industry Effect. The Equifax breach catalyzed a substantial reset in the consumer-data-protection landscape. The Federal Trade Commission introduced new disclosure requirements for data breaches. Several state legislatures, led by California, introduced comprehensive consumer-data-privacy legislation. The credit-monitoring industry, which had historically been treated as a routine consumer-financial service, became the subject of explicit regulatory attention. The Consumer Financial Protection Bureau introduced expanded oversight authority over the three major credit bureaus (Equifax, Experian, TransUnion).
The Underlying Vulnerability. What the case demonstrated, in unusually clear form, was the structural fragility of the consumer-credit data infrastructure. The bureaus collect data from millions of sources without consumer consent, retain it indefinitely, and use it to score consumer borrowers with no consumer right of review beyond the limited regulatory mechanisms of the Fair Credit Reporting Act. The information collected is highly sensitive, broadly distributed, and structurally difficult to protect. The Equifax breach was, in this framing, less surprising than its prior absence; the system had been operating with substantial security exposure across decades without a catastrophic loss event.
The post-breach reforms have improved consumer protection at the margin. The underlying business model — bureaus collecting consumer data without consumer consent and selling it to lenders — has not changed. The Equifax breach, in this sense, was a regulatory event that produced incremental procedural reform without disturbing the structural arrangement. The next major breach, when it occurs, will repeat much of the pattern. The participants have been told. The remediation, at the necessary depth, has not been undertaken.