
2017 Equifax Data Breach: How Equifax Let Hackers Walk Away with America’s Identity

Updated: Oct 21




Half of America had their identity stolen in 2017, and barely anyone talks about it.


Equifax, one of the largest credit reporting agencies in the U.S., was breached by hackers.


And this wasn’t just a basic leak. Equifax holds some of the most sensitive data in the country: Social Security numbers, birthdays, driver’s license numbers, addresses, everything a hacker needs to steal your identity.


In total? 147 million Americans were exposed. That’s nearly half the adult population of the United States.


So how did this happen?


Equifax used a web framework called Apache Struts, and in March 2017, a critical vulnerability was publicly disclosed. Every company using it was told "update immediately".


Equifax didn’t.


That one missed update opened the door. Hackers slipped in, stayed hidden for over two months, and quietly pulled data undetected. Millions of personal records, gone.


When the breach finally became public, Equifax offered free credit monitoring in response. The catch? At first, signing up meant you waived your right to sue. After public outrage, that clause was quickly removed, but the damage was already done.


And before the breach was announced, three Equifax executives sold $1.8 million worth of stock. They claimed they didn’t know about the breach at the time, and investigators later said they weren’t guilty of insider trading. Still, the timing looked suspicious.


Eventually, Equifax settled with regulators for $700 million, one of the largest data-breach settlements in history. When you break that down, it’s roughly $4 to $5 per person, the price placed on your identity, your credit, and your financial life.


Afterward, the Consumer Financial Protection Bureau tried to pass a rule banning forced arbitration, so companies couldn’t stop people from joining class-action lawsuits. But in the Senate, the effort was struck down by a single vote. Vice President Mike Pence cast the tie-breaking vote to kill it.


And here’s the most chilling part:


The stolen data has never been found. It never showed up for sale on the dark web. Years later, U.S. intelligence traced the attack to hackers working for China’s military. In other words, it might not have been about money at all, but espionage.


So maybe the data isn’t gone. Maybe it’s just waiting — for the right moment to be used.


References


Federal Trade Commission. (2019, July 22). Equifax to pay $575 million as part of settlement with FTC, CFPB, and states related to 2017 data breach. https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach


United States Government Accountability Office. (2018, August 30). Data protection: Actions taken by Equifax and federal agencies in response to the 2017 breach (GAO-18-559). https://www.gao.gov/products/gao-18-559


National Vulnerability Database (NIST). (2017, March 10). CVE-2017-5638 detail: Apache Struts 2 vulnerability. https://nvd.nist.gov/vuln/detail/CVE-2017-5638


Axios. (2019, February 14). Equifax’s stolen data hasn’t surfaced on the dark web — and that’s telling. https://www.axios.com/2019/02/14/equifax-data-breach-stolen-data-suspect


FTC. (2024, November). Equifax data breach settlement. https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement


Reuters. (2017, November 3). Equifax clears executives who sold shares after hack. https://www.reuters.com/article/technology/equifax-clears-executives-who-sold-shares-after-hack-idUSKBN1D31JV/


Equifax Inc. (2017, November 3). Equifax Board releases findings of Special Committee regarding stock sale by executives. https://investor.equifax.com/news-events/press-releases/detail/230/equifax-board-releases-findings-of-special-committee


U.S. Department of Justice. (2020, February 10). Chinese military personnel charged with computer fraud, economic espionage, and wire fraud for hacking Equifax. https://www.justice.gov/archives/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking

