Sunday, October 19, 2025

Collapse of Credit - 2017 Equifax Information Breach and Personal Credit Crisis (March 2017 - July 2019)

In 2017, the personal information of approximately 147 million individuals was compromised at Equifax, a U.S. credit information company. The cause was a known vulnerability in Apache Struts (CVE-2017-5638) that was left unpatched while the affected system continued to operate. The attackers entered in mid-May and freely accessed the internal system until the end of July. Extremely sensitive information, including names, birth dates, addresses, Social Security numbers, and driver's license numbers, was compromised. More than half of all U.S. adults were affected, in an incident that shook the very foundation of the financial credit system.

The breach was discovered when the SSL certificate, which had been expired for nine months, was renewed: the monitoring system was reactivated and detected abnormal communication. The combination of the failure to apply security patches, sloppy monitoring, and lack of operational coordination led CEO Richard Smith to admit responsibility in congressional testimony and forced his resignation.

In 2019, the company reached a settlement with the FTC, CFPB, and all states totaling $700 million, making it one of the largest data breach compensation cases in U.S. history. The case showed the world the vulnerability of the Social Security number-based credit system and prompted legislation such as GDPR and CCPA. It was considered a symbol of the "structural risk of the credit society," created not by technical flaws but by a lack of control and accountability.
