Safeguarding Your Digital World


Equifax Data Breach 2017

Equifax: Top 3 U.S. credit bureau, 800M+ global data, breach hit 147M, mainly U.S. individuals.


Equifax is one of the three largest consumer credit reporting agencies in the U.S., holding data on over 800 million individuals worldwide. The breach affected approximately 147 million people, primarily in the U.S.

The Breach

In September 2017, Equifax announced that it had suffered a data breach. The unauthorized access occurred from mid-May through July 2017. The breach exposed a vast amount of personal data, including:


The breach was caused by a vulnerability in the Apache Struts web application framework, which Equifax used for one of its online dispute portals. A patch for this vulnerability was available two months before the breach began, but Equifax failed to apply it in time.


Financial Impact

Equifax’s stock price dropped significantly after the breach was announced. The company faced numerous lawsuits, and it was estimated that the breach would cost the company over $600 million.

Reputational Impact

The breach had a severe impact on Equifax’s reputation. Many customers, regulators, and lawmakers criticized the company’s delay in disclosing the breach and its overall handling of the incident.

Operational Impact

In the aftermath of the breach, calls for stricter regulations concerning data protection and consumer privacy grew louder. It led to greater scrutiny of credit reporting agencies and their data protection practices.


Delayed Reporting

Equifax discovered the breach on July 29 but waited until September 7 to publicly announce it.

Website Issues

The website Equifax set up for consumers to check if they were affected was criticized for potential security flaws.

Insider Trading Allegations

Three Equifax executives sold shares worth almost $1.8 million in the days after the breach was discovered but before it was publicly announced. Equifax said the executives had not been informed of the breach at the time of their sales.

Lessons and Takeaways

Prompt Patching is Crucial

Organizations must have a system in place to promptly apply security patches to their software and systems.

Incident Response Plan

Companies must have a clear incident response plan that includes timely disclosure to affected parties and the public.

Insider Trading Policies

Companies should have strict policies about trading during times of sensitive incidents and significant internal developments..