What is Equifax Data Breach?

The Equifax breach is the gold standard of why you should never trust companies with your most sensitive data. A credit bureau — whose entire business is collecting your financial information — failed to patch a known vulnerability for months.

What Happened

• March 2017: Apache Struts vulnerability (CVE-2017-5638) disclosed with available patch
• May–July 2017: Attackers exploited the unpatched vulnerability for 76 days
• July 29, 2017: Equifax discovered the breach
• September 7, 2017: Public disclosure — 6 weeks after discovery

What Was Exposed

• 147.9 million Americans affected (nearly half the US population)
• Social Security numbers
• Birth dates
• Home addresses
• Driver's license numbers
• 209,000 credit card numbers
• Dispute documents with personal information

Why It Matters

Unlike a retailer breach where you can change a password, you cannot change your Social Security number. The Equifax breach created a permanent identity theft risk for nearly half of all Americans. Data brokers and identity thieves have had this data for years.

The Aftermath

• $700 million settlement with the FTC (2019)
• Affected individuals received as little as $125 (most got far less)
• Equifax executives sold stock before public disclosure (insider trading investigation)
• Congress held hearings but passed no new legislation
• Equifax's stock price recovered within two years

What You Should Do

1. Freeze your credit at all three bureaus (Equifax, Experian, TransUnion) — it's free
2. Monitor your credit reports at AnnualCreditReport.com
3. Use identity theft protection if you were affected
4. Assume your SSN is compromised and act accordingly
5. Remove your data from brokers — services like those on our /remove page can help