The Equifax Breach
147 Million People's Data Stolen. Nobody Went to Jail.
In 2017, Equifax — the company that collects your financial data without your consent — failed to install a security patch for two months. Hackers were inside their systems for 76 days. Executives sold stock before telling you. The CEO retired with $90 million. Your settlement check was $0.35.
I spent 12 years as a hedge fund analyst studying corporate behavior. I've seen companies do terrible things and face minimal consequences. But Equifax is in a class by itself: they lost half the country's Social Security numbers, their CEO walked away with $90 million, and they're still the ones collecting your data. You can't even opt out. The system isn't broken — it was never built to protect you.
— Glen Bradford, one of the 147 million
147M people affected: nearly half the U.S.
76 days undetected: hackers inside the system
$90M CEO's retirement: Richard Smith walked
$0.35 per person: what your SSN is worth
Wait, How Did This Happen?
A vulnerability in Apache Struts — a web framework Equifax used — was publicly disclosed in March 2017 with a patch immediately available. Every competent IT team in the world patched within days. Equifax did not patch for over two months.
But it gets worse. Even after the hackers got in, Equifax should have detected them. Their network monitoring tools would have flagged the massive data exfiltration, except that the SSL certificate on the device that decrypts and inspects outbound encrypted traffic had expired ten months earlier and nobody renewed it, so the stolen data left the network uninspected. Their security cameras were turned off.
Equifax didn't get hacked by a sophisticated zero-day exploit. They got hacked because they didn't install an update for two months and didn't notice their security monitoring was blind for ten months. This is the company that holds your Social Security number.
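The two control failures described above (a critical fix left unapplied for two months, and an expired certificate that left the traffic-inspection device blind) are both things a defender can measure continuously. The script below is an added example, not Equifax's tooling or anything from the page: it checks an asset inventory against a patch-age SLA, converts certificate expiry strings of the form returned by Python's `ssl` module into dates, and reports the worst case, a host that is both past its patch SLA and covered only by sensors whose certificates have expired. Host names, sensor names, dates and the SLA thresholds are all constructed assumptions.

```python
"""Control-health check: patch-age SLA plus inspection-certificate expiry.

Added example; the inventory and policy numbers below are constructed.
"""
import ssl
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

PATCH_SLA_DAYS = 14   # assumed policy: critical RCE fix applied within 14 days of disclosure
CERT_WARN_DAYS = 30   # assumed policy: warn this many days before an inspection cert expires


@dataclass
class Host:
    name: str
    vuln_disclosed: date          # day the vendor published the fix
    patched_on: Optional[date]    # None means the fix has not been applied


@dataclass
class Sensor:
    name: str
    cert_not_after: str           # 'notAfter' string in the form ssl getpeercert() returns
    covers: List[str] = field(default_factory=list)   # hosts whose traffic it inspects


def not_after_date(not_after: str) -> date:
    """Turn an OpenSSL-style 'notAfter' string (e.g. 'Jul 15 23:59:59 2016 GMT') into a date."""
    secs = ssl.cert_time_to_seconds(not_after)
    return datetime.fromtimestamp(secs, tz=timezone.utc).date()


def patch_status(host: Host, today: date) -> Tuple[str, int]:
    """Return (status, days_exposed): days from disclosure until the patch, or until today."""
    end = host.patched_on or today
    exposed = (end - host.vuln_disclosed).days
    if host.patched_on is None:
        return ("UNPATCHED_OVER_SLA" if exposed > PATCH_SLA_DAYS else "UNPATCHED"), exposed
    return ("PATCHED_LATE" if exposed > PATCH_SLA_DAYS else "PATCHED"), exposed


def sensor_status(sensor: Sensor, today: date) -> Tuple[str, int]:
    """Return (status, days_until_expiry); a negative number is how long the sensor has been blind."""
    remaining = (not_after_date(sensor.cert_not_after) - today).days
    if remaining < 0:
        return "BLIND", remaining
    if remaining <= CERT_WARN_DAYS:
        return "EXPIRING", remaining
    return "OK", remaining


def unmonitored_exposure(hosts: List[Host], sensors: List[Sensor], today: date) -> List[str]:
    """Hosts past the patch SLA whose traffic is seen only by sensors with expired certs.

    That combination is the Equifax pattern: the exposure exists and the control meant
    to catch its exploitation cannot see the traffic.
    """
    blind: Set[str] = {s.name for s in sensors if sensor_status(s, today)[0] == "BLIND"}
    coverage: Dict[str, Set[str]] = {}
    for s in sensors:
        for h in s.covers:
            coverage.setdefault(h, set()).add(s.name)
    result = []
    for h in hosts:
        if patch_status(h, today)[0] != "UNPATCHED_OVER_SLA":
            continue
        watching = coverage.get(h.name, set())
        if not watching or watching <= blind:   # no sensor at all, or every sensor is blind
            result.append(h.name)
    return result


# Constructed inventory, loosely shaped like the timeline on this page.
TODAY = date(2017, 5, 13)
HOSTS = [
    Host("web-portal-01", date(2017, 3, 7), None),               # still unpatched ~2 months on
    Host("web-portal-02", date(2017, 3, 7), date(2017, 3, 10)),  # patched within SLA
]
SENSORS = [
    Sensor("tls-inspect-dmz", "Jul 15 23:59:59 2016 GMT", ["web-portal-01"]),   # expired ~10 months ago
    Sensor("tls-inspect-core", "Dec 31 23:59:59 2018 GMT", ["web-portal-02"]),
]


def report(hosts: List[Host], sensors: List[Sensor], today: date) -> None:
    for h in hosts:
        print(f"host   {h.name:18} {patch_status(h, today)}")
    for s in sensors:
        print(f"sensor {s.name:18} {sensor_status(s, today)}")
    print("unmonitored exposure:", unmonitored_exposure(hosts, sensors, today))


if __name__ == "__main__":
    report(HOSTS, SENSORS, TODAY)
```

In production the `cert_not_after` value would come from each inspection appliance (for a device with a management port, `ssl.SSLSocket.getpeercert()['notAfter']` has exactly this format) and the host list from the patch-management system; the point of the combined check is that either control failing on its own is a finding, but a blind sensor in front of an over-SLA host is the one to page someone for.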
The Full Timeline
From an unpatched server to a $90 million retirement to a $0.35 settlement check.
Apache Struts Vulnerability Disclosed — Patch Available
The Apache Software Foundation discloses a critical vulnerability in Apache Struts, a widely-used web application framework. A patch is immediately available. The vulnerability is serious — it allows remote code execution, meaning anyone who finds an unpatched server can essentially take full control. The US-CERT issues an alert. Every competent IT security team patches within days. Equifax, the company that holds the most sensitive financial data of 147 million Americans, does not patch. For over two months.
Hackers Enter Through the Unpatched Server
Attackers exploit the unpatched Apache Struts vulnerability and gain access to Equifax's systems. They find that Equifax's internal network segmentation is poor: once inside, they can move laterally across systems. They also discover that Equifax has stored data in plaintext and that the certificate on the appliance used to inspect encrypted network traffic had expired ten months earlier. Nobody noticed. The attackers will remain inside Equifax's systems for 76 days before being detected.
76 Days of Undetected Data Exfiltration
For over two months, attackers systematically extract data from Equifax's servers. They access names, Social Security numbers, birth dates, addresses, and driver's license numbers for 147 million Americans. They also steal credit card numbers for approximately 209,000 consumers and dispute documents with personal identifying information for 182,000 people. Equifax's security team doesn't notice because the SSL certificate used to inspect encrypted traffic had expired, blinding their monitoring tools. The world's largest credit bureau is being robbed in broad daylight.
Equifax Discovers the Breach — Internally
Equifax's security team finally discovers the breach after updating the expired SSL certificate, which lets them see the suspicious traffic that had been flowing out of their network for 76 days. The company begins an internal investigation. They do not notify the public, regulators, or the 147 million affected individuals. Not yet. There are things to handle first.
Three Executives Sell $1.8 Million in Stock
Three Equifax executives — CFO John Gamble, President of U.S. Information Solutions Joseph Loughran, and President of Workforce Solutions Rodolfo Ploder — sell shares worth approximately $1.8 million combined. Equifax later claims the executives were not aware of the breach when they sold. The timing is, to put it charitably, remarkable. The DOJ will later investigate. Gamble and Loughran are not charged. Equifax's CIO Jun Ying, who did know, is later convicted of insider trading for separate sales and sentenced to 4 months in prison.
Public Disclosure — 143 Million Affected (Later Revised to 147M)
Six weeks after discovery and four months after the breach began, Equifax publicly discloses the hack. The number: 143 million Americans affected (later revised upward to 147 million — nearly half the entire U.S. population). The reaction is immediate and furious. Equifax's stock drops 35% over the following week, erasing billions in market value. It is the largest data breach of sensitive financial information in history.
Equifax's 'Fix' — A Website With Its Own Security Flaws
Equifax sets up equifaxsecurity2017.com to let people check if they're affected and sign up for free credit monitoring. The site has its own security problems: it runs on a stock WordPress installation, and Equifax employees accidentally tweet links to a fake phishing version of the site (equifaxsecurity2017.com vs securityequifax2017.com). Multiple times. The company tasked with protecting your financial data cannot secure a WordPress site or tell its own URL from a phishing scam.
CEO Richard Smith Retires With $90 Million
Equifax CEO Richard Smith retires. His total compensation package is worth approximately $90 million, including stock, pension, and benefits. He testifies before Congress and apologizes. He is not required to give back any compensation. He oversaw the company during the period when it failed to patch a known vulnerability for two months, failed to detect intruders for 76 days, and delayed disclosure for six weeks. His reward: $90 million and a comfortable retirement.
Congressional Hearings — 'Staggering' and 'Inexcusable'
Multiple congressional committees hold hearings on the breach. A Government Accountability Office report calls Equifax's cybersecurity practices 'inadequate.' A House Oversight Committee report describes the breach as 'entirely preventable' and identifies at least two points where it could have been stopped. Senators call the breach 'staggering' and 'inexcusable.' Equifax makes promises about improved security. No new legislation passes. No executives face criminal charges.
$700 Million Settlement — $0.35 Per Person After Lawyers
Equifax agrees to a settlement of up to $700 million with the FTC, CFPB, and 50 states. Sounds like a lot. But $175 million goes to the states. $100 million is a fine to the CFPB. The consumer restitution fund is $380.5 million, split among up to 147 million people. That works out to roughly $2.59 per person before administrative costs. After lawyers and administrative overhead, actual payments to individuals are far less. Many people report receiving checks for $0.35. Your Social Security number is worth thirty-five cents.
DOJ Charges 4 Chinese Military Hackers — None Arrested
The Department of Justice indicts four members of China's People's Liberation Army for the hack. The indictment provides detailed evidence of how the hackers exploited the Apache Struts vulnerability and moved through Equifax's systems. None of the four hackers is arrested, and none is likely ever to be. China does not extradite its military personnel. The indictment is largely symbolic: a geopolitical statement, not a legal action that will produce consequences.
Equifax Is Still in Business. Still Collecting Your Data.
Equifax continues to operate as one of the three major credit bureaus. You cannot opt out of Equifax collecting your data. You did not opt in to begin with. They experienced the largest breach of sensitive financial data in American history, and their punishment was a settlement that amounts to a rounding error on their annual revenue. They are still collecting your Social Security number, your payment history, your address, your employment information, and your financial life. They will continue to do so. You have no choice in the matter.
The Cast of Characters
A credit bureau, a $90M golden parachute, a 4-month prison sentence, and 147 million people who got thirty-five cents.
Equifax
Credit Bureau / Company That Lost Half of America's Data
One of the Big Three credit bureaus that collects financial data on virtually every American adult — without their consent. Failed to patch a known vulnerability for two months, failed to detect intruders for 76 days, delayed disclosure for six weeks, and set up a remediation website that was itself a security liability. Still in business. Still collecting your data.
“We are committed to protecting the data entrusted to us.”
Richard Smith
CEO / Retired With $90 Million After Overseeing the Breach
Equifax CEO from 2005 to 2017. Under his leadership, the company failed to implement basic cybersecurity practices that would have prevented the breach entirely. Testified before four congressional committees after the breach. Apologized. Retired with approximately $90 million in total compensation. Was not required to return any of it.
“I want to sincerely apologize to every American affected.”
Jun Ying
CIO / The Only Executive Actually Convicted
Equifax's Chief Information Officer who learned about the breach before public disclosure and sold $950,000 in Equifax stock. Charged with insider trading by the SEC and DOJ. Pleaded guilty. Sentenced to 4 months in federal prison and a $55,000 fine. The only Equifax executive to face criminal consequences. Everyone else walked.
“No comment.”
The Apache Software Foundation
Released the Patch That Equifax Didn't Install for Two Months
Disclosed the Apache Struts vulnerability in March 2017 and immediately released a patch. Did everything right. The vulnerability was publicly known, the fix was publicly available, and every competent organization patched promptly. Equifax did not patch for over two months. Apache did their job. Equifax did not.
“The patch was available from day one. Organizations are responsible for applying security updates.”
147 Million Americans
The People Whose Data Was Stolen / Settlement: ~$0.35 Each
Nearly half the U.S. population had their names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers stolen. They did not choose to give Equifax this data. They cannot opt out of Equifax having this data. Their settlement payout worked out to roughly thirty-five cents per person. Their Social Security numbers are now permanently compromised.
“I didn't even know Equifax had my information.”
The Four PLA Hackers
Chinese Military / Indicted, Never Arrested, Never Will Be
Four members of China's People's Liberation Army 54th Research Institute who exploited the unpatched vulnerability and exfiltrated data for 76 days. Indicted by the DOJ in February 2020 in a grand ceremony. Will never be arrested, tried, or imprisoned. China does not extradite its military personnel. The indictment exists primarily for geopolitical messaging.
“[No statement given — they are members of a military intelligence unit]”
The Math
Headline settlement amount (sounds big): $700M
Portion going to states (not to you): $175M
CFPB fine (also not to you): $100M
Consumer restitution fund (before lawyers): $380.5M
Per person, before overhead (147M people): $2.59
Actual checks received (after lawyers & admin): ~$0.35
CEO Richard Smith's retirement (for presiding over the breach): $90M
Equifax 2023 annual revenue (the fine was a rounding error): $5.3B
The Accountability Meter
147 million Americans. Nearly half the country. You are almost certainly one of them.
$90 million retirement package. For the man who oversaw the company that didn't patch a server for two months.
4 months. One CIO. Insider trading, not the breach itself. Nobody was charged for the security failures.
$0.35 average actual payout. Your Social Security number, birth date, and address — thirty-five cents.
Why This Story Matters
Credit bureaus exist in a regulatory gray zone where they collect the most sensitive financial data on every American adult without consent, without oversight proportional to that responsibility, and without meaningful consequences when they fail to protect it.
You cannot opt out. You cannot delete your file. You cannot choose which credit bureau collects your data. The system was built for the convenience of lenders, not for your protection. And when the system fails catastrophically — as it did in 2017 — the company pays a fine that amounts to a fraction of one year's revenue, the CEO retires rich, and you get a check for thirty-five cents.
The Equifax breach isn't a cybersecurity story. It's a story about what happens when a company has no competitive incentive to protect your data, because you're not their customer — you're their product.
Glen's Take
When the Equifax breach happened, I checked their website to see if I was affected. The website asked me to enter the last six digits of my Social Security number. Into a website. Run by the company that just lost my Social Security number. I genuinely thought it was a phishing scam. It was not. It was their actual remediation site.
The $90 million retirement package is the number that haunts me. Not because it's a lot of money — it is — but because it means the system is designed so that the people at the top face zero downside risk. Your data gets stolen? CEO retires rich. You get $0.35. There is no version of this where the incentives align.
I used to tell people to freeze their credit as a precaution. Now I tell them to freeze their credit because a company they never chose to do business with already lost their Social Security number and got paid $90 million for the privilege.
147 million people. $0.35 each. Share this.
Frequently Asked Questions
How many people were affected by the Equifax breach?
147 million Americans — nearly half the entire U.S. population. This included names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers and credit card numbers. You almost certainly were affected. Equifax set up a website to check, though that website also had security problems.
Did anyone go to jail for the Equifax breach?
One person: Jun Ying, Equifax's CIO, was convicted of insider trading for selling stock after learning about the breach. He served 4 months. No one was charged for the cybersecurity failures that caused the breach. CEO Richard Smith retired with $90 million. The four Chinese military hackers were indicted but will never be arrested.
How much did affected people actually get from the settlement?
The headline number was $700 million, but most of that went to fines, states, and administrative costs. The consumer fund was $380.5 million split among up to 147 million people. After lawyers and overhead, many individuals report receiving checks for $0.35 or less. Some received nothing. Your Social Security number was valued at approximately thirty-five cents.
Was the Equifax breach preventable?
Yes, entirely. The House Oversight Committee specifically called it 'entirely preventable.' The Apache Struts vulnerability had a known patch available for two months before hackers exploited it. Additionally, Equifax had an expired SSL certificate that blinded their monitoring tools for ten months. Patching the server or renewing the certificate — either one — would have prevented or detected the breach.
Can I opt out of Equifax collecting my data?
No. Credit bureaus collect your financial data from lenders, creditors, and public records without your consent. You cannot opt out. You cannot delete your data. You can freeze your credit to prevent new inquiries, but Equifax still maintains your file. The company that lost your Social Security number is still required — by the structure of the financial system — to keep collecting your information.
Why is this on Glen Bradford's website?
Because a company that collects your most sensitive financial data without your consent, fails to protect it, has executives sell stock before telling you, gives the CEO a $90 million retirement package, settles for $0.35 per person, and continues operating with zero structural consequences is a story that should make everyone uncomfortable. I'm a former hedge fund analyst. I've seen a lot of corporate behavior. This one is special.