blacktemple.net: Cybersecurity News & Analysis • github defconxt • © 2026

Equifax

Also known as: Equifax Inc

HQ Country: 🇺🇸 United States
Category: data broker
Threat Score: 76/100
Incidents: 18
Known Clients: Major banks and credit card issuers; Mortgage lenders; Insurance companies; Employers; Landlords; Government agencies; Telecommunications providers
Deployment Countries: 🇺🇸 US, 🇬🇧 GB, 🇨🇦 CA, 🇦🇺 AU, 🇧🇷 BR, 🇮🇳 IN, 🇦🇷 AR, 🇨🇱 CL
References:

  • FTC Equifax $700M Settlement (2019)
  • GAO Report on Equifax Breach Response
  • SEC Insider Trading Charges Against Equifax Executives

Overview

Equifax Inc. is one of the three dominant credit reporting agencies in the United States, alongside Experian and TransUnion. Headquartered in Atlanta, Georgia, the company maintains credit files on more than 820 million consumers and over 91 million businesses worldwide. Founded in 1899 as Retail Credit Company, Equifax has operated for over 125 years as a collector and seller of personal financial information, making it one of the oldest surveillance infrastructure companies in America.

Equifax is most infamously known for the 2017 data breach that exposed the Social Security numbers, dates of birth, addresses, and other sensitive information of 147 million Americans, approximately 56% of the U.S. adult population. The breach, caused by the company's failure to patch a known vulnerability in Apache Struts web application software for over two months after a fix was available, is widely considered one of the worst data breaches in history, both for its scale and for the negligent security practices that enabled it.

The company's annual revenue exceeds $5.1 billion, derived from credit reporting, data analytics, workforce solutions, and identity verification services. Equifax operates in 24 countries across North America, South America, Europe, and Asia-Pacific, with major operations in the United States, United Kingdom, Canada, Australia, Brazil, India, Argentina, and Chile.

Like Experian, Equifax operates as both a credit bureau and a data broker. The credit bureau collects and reports financial information that determines consumers' access to credit, housing, employment, and insurance. The data analytics division sells consumer profiles, marketing data, and predictive models to corporate clients. This dual role gives Equifax access to some of the most sensitive personal information in existence, and as the 2017 breach demonstrated, the company's stewardship of that information has been catastrophically inadequate.

The aftermath of the 2017 breach revealed a pattern of corporate negligence, executive malfeasance, and institutional failure that extended far beyond a single unpatched server. Equifax executives sold company stock before the breach was disclosed, the company's initial consumer response website was riddled with security flaws, and investigations revealed a corporate culture that systematically under-invested in cybersecurity despite holding data on the majority of American adults.

The company's response to the breach became a case study in corporate crisis mismanagement. The initial breach notification website, equifaxsecurity2017.com, was hosted on a generic WordPress installation rather than Equifax's main domain, a setup so amateurish that security researchers initially mistook it for a phishing site. The company's official Twitter account repeatedly directed consumers to a spoofed website (securityequifax2017.com) created by a developer to demonstrate how easily the response could be mimicked. The credit monitoring service offered to affected consumers was provided by Equifax itself, requiring victims to share additional personal data with the company that had just failed to protect their existing information.

Equifax's corporate history extends well beyond the 2017 breach. As the Retail Credit Company (its name until 1979), the company built consumer dossiers that included information about individuals' sexual orientation, political activities, marital disputes, and drinking habits. A 1970 congressional investigation revealed that the company maintained files on millions of Americans that included unverified rumors and gossip. The resulting public outcry contributed to the passage of the Fair Credit Reporting Act in 1970, the same law that Equifax was later found to have inadequately complied with.

Data Collection Practices

Equifax's data collection spans the full spectrum of consumer financial and personal information:

Credit reporting data is the company's core asset, collected from approximately 11,000 data furnishers including banks, credit unions, mortgage companies, auto lenders, credit card issuers, student loan servicers, and collection agencies:

  • Credit account details (types, balances, limits, payment history, status)
  • Mortgage origination and payment data
  • Auto loan and lease information
  • Student loan records and payment performance
  • Retail and store credit accounts
  • Medical debt and collection accounts
  • Personal loan and installment credit data
  • Public records (bankruptcies, tax liens, civil judgments)
  • Hard and soft credit inquiries

This data covers over 820 million consumers globally and forms the basis for credit scores and reports that determine financial outcomes for hundreds of millions of people.

Employment and income data is collected through Equifax's Workforce Solutions division, which operates The Work Number, one of the largest databases of employment and income records in the United States. The Work Number contains payroll records contributed by thousands of employers, covering approximately 130 million employment records from more than 2.5 million contributing employers.

The Work Number is used for income verification in mortgage lending, rental applications, government benefits administration, and other contexts. While ostensibly a verification service, it functions as a comprehensive employment surveillance database, tracking where people work, what they earn, when they receive raises, and when they change jobs. The database contains payroll records dating back years, providing a longitudinal view of individuals' career trajectories and compensation history.

Equifax charges lenders and landlords fees to verify income and employment through The Work Number, effectively monetizing payroll data that employees provided to their employers, not to Equifax. This business model has generated controversy: employees are unaware that their detailed payroll data is being collected and sold, employers contribute the data through automated payroll processor integrations that are rarely disclosed to workers, and the revenue flows entirely to Equifax rather than to the employees whose data generates it.

Privacy advocates have raised concerns about The Work Number's scope, noting that employees are generally unaware that their detailed payroll data is being shared with Equifax and sold to third parties. Employers contribute data through payroll processors, often without explicit employee notification or consent beyond references in employee handbook fine print.

Marketing and consumer data extends the company's reach beyond credit reporting into demographic, behavioral, and lifestyle profiling used for targeted advertising and customer analytics:

  • Age, gender, income estimates, and education levels
  • Household composition and family size
  • Home ownership status, property values, and neighborhood characteristics
  • Vehicle data and transportation patterns
  • Consumer interests and purchase behavior indicators
  • Digital behavior and online activity patterns

Identity verification data includes Social Security numbers, dates of birth, current and historical addresses, phone numbers, and other identity elements used for authentication and fraud detection purposes.

International data collection varies by market but follows similar patterns in each country where Equifax operates:

  • Brazil: Equifax's Boa Vista subsidiary holds credit data on tens of millions of Brazilian consumers
  • United Kingdom: Comprehensive credit reporting and consumer data
  • Canada: Full credit bureau operations
  • India: Growing credit reporting infrastructure serving the Indian financial system
  • Australia: Credit reporting and identity verification services
  • Argentina and Chile: Credit bureau operations in developing markets

Known Clients & Government Contracts

Equifax's client relationships span the same institutional landscape as Experian, with credit data serving as the foundation:

Financial services: Every major U.S. bank, credit card company, mortgage lender, and auto finance company purchases Equifax credit data for lending decisions. The company processes over 2 billion credit report requests annually, making it a critical decision infrastructure for the financial system.

Employers: Through The Work Number, thousands of employers and their authorized verifiers access Equifax employment and income data. This includes mortgage lenders verifying borrower income, government agencies confirming benefits eligibility, and employers conducting pre-employment screening.

Government agencies: The Social Security Administration, the IRS, state tax authorities, and various federal and state agencies use Equifax for identity verification and income verification. The government's reliance on Equifax data for benefits administration and tax processing creates a dependency that persisted even after the 2017 breach.

Notably, following the 2017 breach, the IRS awarded Equifax a $7.25 million no-bid contract for identity verification and fraud prevention services, a decision widely criticized as rewarding a company that had just exposed the personal data of most American taxpayers.

Insurance companies: Auto, property, and life insurance companies use credit-based insurance scores derived from Equifax data to price policies, meaning credit bureau data directly affects insurance costs for millions of consumers.

Landlords and property managers: Equifax provides tenant screening reports used to evaluate rental applicants, making the company a gatekeeper to housing access.

Telecommunications and utilities: AT&T, Verizon, and other service providers use Equifax credit checks for new customer enrollment and fraud prevention.

Background check companies: Equifax data feeds into the broader background check ecosystem, influencing employment, licensing, and volunteer screening decisions.

International operations: Equifax serves major financial institutions in each of its 24 country markets. In the United Kingdom, Equifax is one of three licensed credit reference agencies. In Canada, Equifax operates alongside TransUnion as one of two national credit bureaus. In Brazil, Equifax's Boa Vista subsidiary competes with Serasa Experian in the consumer credit market. In India, Equifax India is one of four licensed credit information companies, providing credit data infrastructure for the rapidly growing Indian financial services market.

Healthcare: Through its healthcare vertical, Equifax provides patient identity verification, insurance eligibility checking, and revenue cycle management services to hospitals and health systems. These services give Equifax access to patient demographic and insurance data that, while not clinical records, reveals healthcare utilization patterns and insurance status.

Data analytics and modeling clients: Beyond raw credit reporting, Equifax sells predictive models and analytics tools that help clients forecast consumer behavior. These products include propensity-to-pay models, life event triggers (detecting when a consumer is likely to move, buy a car, or have a child), and marketing segmentation tools. The analytics layer transforms credit data into a predictive surveillance system that anticipates future behavior based on historical patterns.

Privacy Incidents & Litigation

The 2017 Mega-Breach: On September 7, 2017, Equifax publicly disclosed that hackers had exploited a known vulnerability in the Apache Struts web application framework (CVE-2017-5638) to access the company's systems between May and July 2017. The breach exposed:

  • 147 million Americans' records including Social Security numbers, dates of birth, addresses, and driver's license numbers
  • Approximately 209,000 consumers' credit card numbers
  • 182,000 consumers' personal identifying documents
  • 15.2 million UK consumer records
  • 19,000 Canadian consumer records

The Apache Struts vulnerability had been publicly disclosed on March 7, 2017, and a patch was available the same day. Equifax did not apply the patch for over two months, despite the vulnerability being actively exploited in the wild. The Department of Homeland Security had issued an alert about the vulnerability on March 8, 2017, the day after disclosure.

Internal investigations revealed that Equifax's security infrastructure was deeply inadequate. The company's SSL certificate used to monitor encrypted traffic had expired 19 months earlier and was never renewed, rendering the company blind to data being exfiltrated through encrypted connections. An internal security scan in March 2017 failed to identify the unpatched server because the scan was incomplete.
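The three control failures just described (a patch window that ran for months, an expired certificate on the traffic-inspection path, and a scan that missed the vulnerable host) are all checkable against an asset inventory. The following Python is an added example, not code from the page or from Equifax; the inventory, the 30-day SLA, the host names and the certificate dates are constructed, and only the March 7, 2017 advisory date is taken from the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed policy value: actively exploited vulnerabilities must be patched within 30 days.
PATCH_SLA_DAYS = 30


@dataclass
class Asset:
    name: str
    advisory_date: date         # public disclosure date of the vulnerability affecting it
    patched_on: Optional[date]  # None means the host is still unpatched
    in_scan_scope: bool         # whether the vulnerability scan actually covered this host


@dataclass
class InspectionCert:
    subject: str
    not_after: date             # expiry of the certificate on the TLS inspection device


def exposure_days(asset: Asset, as_of: date) -> int:
    """Days from advisory to patch, or from advisory to `as_of` if still unpatched."""
    end = asset.patched_on or as_of
    return (end - asset.advisory_date).days


def audit(assets: List[Asset], certs: List[InspectionCert],
          as_of: date) -> List[Tuple[str, str, int]]:
    """Return (finding, subject, days) tuples, one per control failure found."""
    findings: List[Tuple[str, str, int]] = []
    for a in assets:
        days = exposure_days(a, as_of)
        if days > PATCH_SLA_DAYS:
            findings.append(("PATCH_SLA_BREACH", a.name, days))
        if not a.in_scan_scope:
            # A host the scanner skipped is invisible to patch tracking, so flag it separately.
            findings.append(("SCAN_COVERAGE_GAP", a.name, 0))
    for c in certs:
        if c.not_after < as_of:
            # An expired inspection cert means encrypted traffic passes uninspected.
            findings.append(("INSPECTION_CERT_EXPIRED", c.subject, (as_of - c.not_after).days))
    return findings


# Constructed sample inventory; only the advisory date comes from the text above.
STRUTS_ADVISORY = date(2017, 3, 7)
SAMPLE_ASSETS = [
    Asset("dispute-portal-web", STRUTS_ADVISORY, None, False),        # unpatched and unscanned
    Asset("intranet-app", STRUTS_ADVISORY, date(2017, 3, 15), True),  # patched within SLA
]
SAMPLE_CERTS = [InspectionCert("tls-inspection.example", date(2015, 10, 31))]
AS_OF = date(2017, 5, 13)  # constructed audit date

if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSETS, SAMPLE_CERTS, AS_OF):
        print(*finding)
```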

Executive Stock Sales and Insider Trading: Between the time Equifax discovered the breach internally (July 29, 2017) and the public disclosure (September 7, 2017), four Equifax executives sold approximately $1.8 million in company stock.

The SEC charged Jun Ying, Equifax's former Chief Information Officer for U.S. Information Solutions, with insider trading. Ying was convicted and sentenced to four months in federal prison and ordered to pay $117,117 in restitution and a $55,000 fine. Sudhakar Reddy, a former software engineering manager, was also charged with insider trading based on the breach.

CEO Richard Smith resigned shortly after the breach disclosure, departing with a retirement package valued at approximately $90 million, later reduced following public outrage.

$700 Million FTC Settlement (2019): In July 2019, Equifax agreed to pay up to $700 million to settle federal and state investigations, making it the largest data breach settlement in history at the time:

  • $300 million for a consumer restitution fund (increased to $425 million if initial funds were exhausted)
  • $175 million to 50 U.S. states and territories
  • $100 million to the CFPB as a civil penalty

The settlement required Equifax to spend a minimum of $1 billion on information security over five years and submit to independent security assessments.

Congressional Investigations: Multiple Congressional committees investigated the breach, with hearings revealing:

  • Systemic under-investment in cybersecurity (Equifax spent less on security than peer companies)
  • A corporate culture that treated security as a cost center rather than a priority
  • Fragmented IT infrastructure with over 300 security certificates managed manually
  • No single executive fully accountable for data security

GAO Report (2018): The Government Accountability Office published a detailed report documenting Equifax's security failures, finding that the company lacked adequate patch management procedures, network segmentation, and encryption practices. The report described a pattern of known vulnerabilities left unaddressed for extended periods.

CFPB Investigation: The Consumer Financial Protection Bureau investigated Equifax's credit reporting practices separately from the breach, focusing on complaint handling and accuracy. The investigation found that Equifax failed to adequately investigate consumer disputes and maintained procedures that were insufficient to ensure the accuracy of credit reports.

International Regulatory Response: The UK's Information Commissioner's Office fined Equifax GBP 500,000 (the maximum under pre-GDPR law) for the breach's impact on UK consumers. The Canadian Privacy Commissioner investigated the breach's impact on Canadian consumers and found that Equifax failed to adequately protect personal information.

Class-Action Litigation: Multiple class-action lawsuits were consolidated in the Northern District of Georgia. The consumer settlement, combined with the FTC settlement, represented one of the largest data breach resolutions in history.

Chinese Military Indictment (2020): In February 2020, the U.S. Department of Justice indicted four members of China's People's Liberation Army for the 2017 Equifax breach. Attorney General William Barr described the hack as one of the largest thefts of personally identifiable information by state-sponsored hackers. The indictment alleged that the PLA hackers routed their traffic through 34 servers in nearly 20 countries to obscure their identity, and spent weeks navigating Equifax's internal network to locate and exfiltrate the most sensitive databases.

The attribution to Chinese military hackers elevated the breach from a corporate security failure to a national security incident. The stolen data (Social Security numbers, dates of birth, and addresses for 147 million Americans) could be used for intelligence targeting, recruitment, and counter-intelligence operations.

The Work Number Scrutiny: Consumer advocates and legislators have specifically targeted Equifax's The Work Number database, arguing that the collection and sale of detailed payroll data without meaningful employee consent is an invasion of privacy that goes beyond traditional credit reporting. In 2023, the CFPB began examining whether The Work Number's data practices comply with the FCRA, particularly regarding the permissible purposes for which employment and income data can be disclosed.

Threat Score Analysis

Equifax receives a composite threat score of 76/100, reflecting its catastrophic breach history, massive data holdings, and demonstrated pattern of corporate negligence:

  • Data Collection (88/100): Equifax maintains credit files on 820 million consumers globally, supplemented by The Work Number's employment and income records on 130 million workers, and additional marketing and demographic data. The combination of credit history, employment records, income data, and consumer profiles creates dossiers of extraordinary sensitivity. The data directly determines individuals' access to credit, housing, employment, and insurance.

  • Third-Party Sharing (82/100): Equifax data flows to thousands of institutional clients across financial services, insurance, employment, housing, telecommunications, and government. Over 2 billion credit report requests are processed annually. The Work Number extends data sharing to employment and income contexts. The dual credit-bureau-and-data-broker model means personal data is shared for both regulated credit purposes and less-regulated marketing and analytics uses.

  • Breach History (95/100): The 2017 breach is among the worst in history: 147 million Americans' Social Security numbers, dates of birth, and addresses were exposed due to negligent security practices. The unpatched vulnerability, expired SSL certificate, incomplete security scans, and executive insider trading created a cascading failure that demonstrated systemic organizational dysfunction. Additional breaches affecting UK and Canadian consumers compounded the damage.

  • Government Contracts (40/100): Government agencies including the IRS, SSA, and state authorities use Equifax for identity and income verification. The controversial $7.25 million IRS contract awarded after the breach highlighted the government's dependency on credit bureau infrastructure. While government work is not Equifax's primary business, the institutional dependency limits regulatory accountability.

  • Transparency (25/100): Equifax's breach response was characterized by delay, confusion, and self-serving decision-making. The company waited over five weeks to disclose the breach while executives sold stock. The initial breach response website was itself insecure. Equifax's credit reporting practices have been criticized by the CFPB, Congress, and consumer advocates for inadequate dispute resolution and persistent accuracy failures.

Weighted calculation: (88 * 0.25) + (82 * 0.25) + (95 * 0.20) + (40 * 0.15) + (25 * 0.15) = 22.0 + 20.5 + 19.0 + 6.0 + 3.75 = 71.25, adjusted to 76 due to the unprecedented severity and negligence of the 2017 breach, the executive insider trading, and the systemic failures that allowed a known vulnerability to be exploited for months.

Transparency & Accountability

The Equifax breach represents the most significant test case for accountability in the data broker and credit bureau industry, and by most measures, accountability has failed.

Executive accountability was minimal. CEO Richard Smith resigned with a retirement package initially valued at approximately $90 million. While one CIO was convicted of insider trading with a four-month sentence, the executives who presided over years of security under-investment faced no criminal liability. The corporate culture that treated cybersecurity as an afterthought was never meaningfully addressed through individual accountability.

The $700 million settlement sounds large but is modest in context. Divided among 147 million affected Americans, the consumer restitution fund amounts to approximately $2-4 per person for the exposure of their Social Security numbers, dates of birth, and addresses (data sufficient to enable identity theft for the rest of their lives). The $100 million CFPB penalty represents approximately one week of Equifax's annual revenue.

Government dependency undermined regulatory leverage. The IRS's decision to award Equifax a $7.25 million contract months after the breach demonstrated that government agencies' reliance on credit bureau infrastructure limited their ability, or willingness, to impose meaningful consequences. The government is simultaneously Equifax's regulator and its customer, creating a conflict that dilutes enforcement.

Consumer remediation was inadequate. The free credit monitoring offered to breach victims was provided by Equifax itself, meaning the company that failed to protect consumers' data was the same company now monitoring it. The settlement's claims process was complex, underfunded, and resulted in payments far below the harm experienced by consumers.

Systemic reform has not materialized. Despite the largest data breach settlement in history, the fundamental structure of the credit reporting industry remains unchanged:

  • Consumers still cannot meaningfully opt out of credit bureau data collection
  • The Big Three credit bureaus still operate as an oligopoly with limited competitive pressure to improve security or accuracy
  • No comprehensive federal legislation has been enacted to reform credit reporting
  • Credit bureaus continue to profit from selling the data they failed to protect

The Equifax breach exposed a fundamental flaw in the accountability framework for credit bureaus: these companies collect and profit from the most sensitive personal information in existence, but the costs of failure are externalized almost entirely to the consumers whose data is compromised. Until the incentive structure is reformed, through legislation that imposes meaningful financial consequences for security failures, eliminates the credit bureau oligopoly's market power, or gives consumers genuine control over their data, breaches like Equifax will remain an inevitable feature of the credit reporting system rather than an aberration.

The breach was not an isolated security failure. It was the predictable consequence of a business model that treats personal data as a revenue source rather than a responsibility, cybersecurity as a cost to be minimized rather than an obligation, and consumers as products rather than stakeholders. Five years and $700 million later, the model is fundamentally unchanged.
