
Equifax Fails to Fix Security Flaw


Recently, it was revealed that a vulnerability that allowed hackers to access the personal data of 145.5 million people was known as early as March of this year. However, despite noticing the flaw, Equifax failed to act, leading to a cyberattack that went undetected for well over two months.

The revelation came from the company’s recently departed Chairman and CEO Richard F. Smith. Since Smith left the company, Equifax announced that the cybersecurity firm Mandiant had completed the forensic portion of its investigation. The investigation discovered that approximately 2.5 million additional U.S. consumers had been impacted by the incident. This increased original estimates from 143 million to 145.5 million.

The U.S. Department of Homeland Security's Computer Emergency Readiness Team sent Equifax a notice on March 8, telling them they needed to patch a vulnerability in the Apache Struts software. However, in an internal email sent the following day, Equifax stated, “we now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel.”

In addition to the mentioned notifications, Equifax's information security department ran separate scans that should have identified any systems that were vulnerable to the Apache Struts issue. The company’s scans failed to detect the vulnerability.

Hackers first gained access to the sensitive information of consumers on May 13, but the company's security team didn't detect the issue until July 29. After the discovery, the security department immediately blocked suspicious traffic and, after noticing additional suspicious activity the following day, took the portal offline, ultimately stopping the attack.

On August 11, Equifax learned that personal information was among the data compromised by hackers. Smith spent the next few weeks informing the board of directors and making plans to publicly disclose the breach, which the company finally did on September 7.

According to testimony from both Smith and Equifax, the security breach impacted the names, Social Security numbers, birth dates, addresses, and driver’s license numbers of 143 million consumers. Additionally, 209,000 consumers had their credit card numbers compromised, and 182,000 consumers were affected because their personal identifying information was obtained from dispute documents.

Since the incident, there has been a consumer backlash over a mandatory arbitration clause included in the terms and conditions for Equifax’s free credit monitoring and identity theft services.

Are you concerned that your personal information was compromised in the Equifax hack? Want to learn what you can do to protect yourself? Contact our Chicago consumer law attorneys to find out how we can help you.