Cyber Incident Victim: Equifax Inc.
Date:
Mar 2017
Location:
United States of America
Summary
A cybersecurity breach at Equifax exposed sensitive personal data of approximately 143 million U.S. consumers due to criminals exploiting a vulnerability in a web application. Compromised information included names, birth dates, Social Security numbers, addresses, driver's license numbers, and roughly 209,000 credit card numbers, alongside dispute documents containing personal details for an additional 182,000 individuals. Following the breach's discovery, three company executives sold nearly $2 million in shares, though no direct link to the incident was established, contributing to a significant drop in stock value. The organization issued public apologies, initiated mail notifications to affected consumers, and collaborated with law enforcement agencies to address the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Equifax announced a major cybersecurity incident on September 7, 2017, revealing that unauthorized actors had accessed sensitive personal data of approximately 143 million U.S. consumers through exploitation of a vulnerability in a U.S. website application. The breach was discovered by the company on July 29, 2017, though the exact timeline of unauthorized access wasn't specified in public disclosures. Compromised information included names, birth dates, Social Security numbers, physical addresses, and some driver's license numbers – core identifiers used for credit reporting and identity verification. The breach extended beyond demographic data to include 209,000 U.S. credit card numbers and approximately 182,000 dispute documents containing personal identifying information. With the U.S. population estimated at 324 million in 2017, the incident impacted nearly half of all American consumers, creating one of the largest identity theft risks in history due to the sensitivity and comprehensiveness of the exposed data.
The disclosure triggered immediate financial consequences, with Equifax shares declining over 12% in after-hours trading following the announcement. SEC filings revealed three executives – CFO John Gamble Jr., Workforce Solutions President Rodolfo Ploder, and U.S. Information Solutions President Joseph Loughran – collectively sold nearly $2 million worth of company stock in the days following the breach's discovery, though no connection between these transactions and the incident was confirmed. Cybersecurity expert Christopher O'Rourke characterized the breach as creating an "open-source intelligence nightmare," highlighting how stolen personal history details could compromise security verification systems reliant on such information. Equifax Chairman and CEO Richard Smith issued a public apology while the company initiated mail notifications to affected consumers and coordinated investigations with law enforcement agencies including the FBI. The scale and nature of exposed data created unprecedented risks for identity fraud given the permanent nature of compromised identifiers like Social Security numbers.