2012 – 2016

Early warning signs.

2012

Early data handling concerns

Consumer advocacy groups begin raising concerns about Equifax's dispute resolution processes and the accuracy of credit reports affecting millions of Americans. Reports surface of systemic errors in credit files going unaddressed for months.

2013

FTC complaints surge

The Federal Trade Commission receives a significant increase in consumer complaints regarding credit reporting inaccuracies. Equifax is among the most-complained-about companies in the credit bureau industry.

2015

CFPB enforcement action

The Consumer Financial Protection Bureau orders Equifax and other agencies to improve dispute handling. Investigations reveal patterns of inadequate investigation into consumer-reported errors.

2017 – The Breach

76 days of undetected access.

March 2017

Apache Struts vulnerability disclosed

The Apache Foundation discloses CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts. A patch is made available immediately. Equifax's systems remain unpatched.

May – July 2017

The breach: 76 days of exfiltration

Attackers exploit the unpatched Struts vulnerability to access Equifax's systems. For 76 days, personal data (including Social Security numbers, birth dates, addresses, and driver's license numbers) is exfiltrated from approximately 147 million consumer records. Equifax's intrusion detection systems, running with expired SSL certificates, fail to flag the activity.

September 7, 2017

Public disclosure

Equifax publicly announces the breach six weeks after internal discovery. The disclosure reveals that three senior executives sold approximately $1.8 million in company stock in the days after internal discovery but before public announcement.

Sep – Oct 2017

Congressional hearings and CEO resignation

CEO Richard Smith testifies before Congress and resigns. The breach response website is criticized for security flaws and confusing terms of service. The IRS temporarily suspends a fraud-prevention contract with Equifax.

2018 – 2019

International fallout and the $700 million settlement.

2018

GAO report and international fallout

The Government Accountability Office publishes a detailed report on the breach. The UK's Information Commissioner's Office fines Equifax £500,000 for the breach's impact on UK consumers. Additional state-level investigations are launched across the U.S.

July 2019

FTC settlement: $700 million

Equifax agrees to a settlement of up to $700 million with the FTC, CFPB, and 50 U.S. states and territories. The agreement includes a $425 million consumer restitution fund, though affected individuals widely report receiving far less than initially indicated.

2020 – Present

Ongoing accountability.

2020 – 2021

DOJ indictments and ongoing litigation

The U.S. Department of Justice indicts four members of the Chinese military in connection with the breach. Class action litigation continues, with consumers reporting difficulty claiming settlement funds. Equifax faces continued scrutiny over data accuracy.

2022 – 2023

Continued regulatory scrutiny

The CFPB receives continued high volumes of complaints about Equifax's credit reporting accuracy. Additional state attorneys general investigations examine post-breach data practices and compliance with settlement terms.

2024 – Present

Ongoing accountability efforts

Consumer advocacy organizations, including this platform, continue monitoring Equifax's data practices, dispute resolution compliance, and security posture. The long-term impact of the 2017 breach continues to affect consumers.

Security Analysis

Data breaches and security failures.

Critical

2017 Mega-Breach

The largest credit bureau breach in history. An unpatched Apache Struts vulnerability allowed attackers to access names, SSNs, birth dates, addresses, and driver's license numbers for approximately 147 million consumers. The intrusion went undetected for 76 days due to expired SSL inspection certificates and inadequate network segmentation.

High

Credit Report Inaccuracy Patterns

Beyond discrete breach events, systematic issues with credit report accuracy have affected millions of consumers. CFPB complaint data shows persistent patterns of inaccurate information, delayed dispute resolution, and mixed file errors where one consumer's data appears on another's report.

High

Post-Breach Response Failures

Equifax's breach response itself created additional risks. The initial notification website contained security vulnerabilities. A phishing-susceptible domain was used for breach notifications. Customer service was overwhelmed, and the credit monitoring offer included arbitration clauses later retracted under public pressure.