This is a Equifax tire fire

Seriously? get your shit together Equifax!

What Happened

In March 2017, Apache disclosed CVE-2017-5638: a critical remote code execution vulnerability in Apache Struts. A patch was available the same day. Equifax was notified. Equifax had a policy requiring critical patches to be applied within 48 hours. Equifax did not apply the patch. Equifax was subsequently compromised in May 2017 through that unpatched vulnerability. The compromise was not discovered until July 2017, because the certificate used to inspect encrypted traffic on that system had expired eleven months prior and nobody had noticed. They announced the breach in September. The data of 147 million people — names, Social Security numbers, birth dates, addresses, credit card numbers — had been on someone else's servers for months.

The vulnerability was known. The patch was available. The policy said patch it. They did not patch it. This is the whole story.

The Response

After discovery, Equifax set up a website for affected consumers to check whether their data was compromised. The website was hosted on a third-party domain that looked like a phishing site. Equifax's own Twitter account accidentally linked to the phishing lookalike four times instead of the real site. The real site had its own problems: it accepted any name and any partial Social Security number and returned "yes, you were affected" for nearly everyone, which is technically correct because nearly everyone was affected, but not a useful result. The site was also found to be running on a WordPress installation, which is a fine choice for a blog and an unusual choice for a breach notification portal handling the sensitive data of 147 million people.

The credit monitoring service offered as remediation required affected consumers to waive their right to participate in class action lawsuits as a condition of enrollment. This was not a subtle move. It was noticed immediately. Equifax removed the clause. The "check if you were affected" tool remained in operation, returning results of unclear accuracy, for months.

The Accountability

The CEO retired. The CISO retired. The CIO retired. They received compensation packages. The company eventually paid $575 million in settlements. Affected consumers could claim up to $125 each, except the fund was capped at $31 million total for cash payments, so most consumers who filed received approximately $5.21 after the fund was divided by the number of claims. Equifax's annual revenue at the time was approximately $3.1 billion. The stock recovered. The 147 million people whose data was exposed have not recovered their data. You cannot un-expose a Social Security number.