In March 2017, a vulnerability that could allow hackers to remotely execute code was announced in Apache Struts, the software tool that consumer credit rating agency Equifax used to handle consumer disputes.
With a simple 15-minute update, the vulnerability could have been patched, but the warning disappeared into the bureaucracy of Equifax’s outdated IT systems, which spanned 1,500 databases and 600 legacy systems, and so the breach went unattended.
On September 7, 2017, Equifax realised it had been hacked when the hackers posted the stolen data on the dark web. The breach was made public on September 7, 2017, but not before 15,000 Equifax US employees had their identities stolen and the credit details of 147 million Americans (nearly half the US population) had been exposed.
The CEO, Richard Smith, resigned and appeared before Congress; the FBI and the FTC launched investigations; and the company’s market value plummeted by $25bn.