Compliance Failure Cost Them $700 Million

There’s a moment in every workplace when a message arrives—on Microsoft Teams, email, or chat—and feels easy to delay.

Not urgent. Not critical. Something to deal with later.

Most of the time, nothing happens.

But sometimes, that “later” becomes the difference between normal operations and a billion-dollar crisis.

Case in point: Equifax.

About Equifax

Equifax is one of the three major U.S. credit bureaus, alongside Experian and TransUnion. Established in 1898, it collects and analyzes highly sensitive consumer financial data used for credit scoring, loan approvals, identity verification, fraud detection, and broader financial risk assessment.

In practice, it plays a gatekeeping role in modern finance—determining who can access credit and under what terms.

The incident

The breach began in May 2017, when attackers exploited a known vulnerability in Apache Struts, a widely used open-source web application framework maintained by the Apache Software Foundation.

A security patch had already been released months earlier. But it was never applied to a critical system.

That single missed update created the entry point.

By July 2017, Equifax’s security team detected suspicious network traffic on its U.S. online dispute portal web application. They blocked the traffic and monitored activity. When it resumed the next day, they took the application offline and began investigation, identifying the vulnerability and patching it.

On August 2, 2017, Equifax engaged cybersecurity firm Mandiant to assist with the investigation.

Over the following weeks, the scale became clear: the breach had exposed the personal data of approximately 143 million people.

This included:

• Names
• Social Security numbers
• Birth dates
• Addresses
• Driver’s license numbers

In addition:

• redit card data for ~209,000 U.S. consumers
• Dispute documents for ~182,000 individuals

The breach also impacted individuals in the United Kingdom and Canada.

The critical detail most people miss

The attackers were not active only in July.

They had already gained access in May 2017 and remained inside Equifax systems for over two months—operating quietly, undetected, and extracting data slowly to avoid triggering alerts.

The root cause (and why it escalated)

This was not a sophisticated, unknown vulnerability.

It was a known issue with a known fix.

The patch for Apache Struts had already been released by the Apache Software Foundation. Equifax failed to apply it to a key system, leaving a publicly documented vulnerability exposed.

But the failure didn’t stop there.

Even after entry, multiple systemic weaknesses amplified the breach:

• A monitoring system failed due to an expired SSL certificate, limiting visibility into encrypted traffic
• Weak internal network segmentation allowed attackers to move laterally across systems

• Data was exfiltrated slowly over weeks, delaying detection
• Despite discovery in late July, public disclosure did not occur until September 7

This combination of missed patching, reduced visibility, and weak internal controls turned a preventable issue into a large-scale breach.

The consequences

The fallout was severe.

Federal Trade Commission and other regulators reached a settlement of up to $700 million, covering penalties, consumer compensation, and identity protection services.

Beyond that:

• Total costs exceeded $1 billion (including legal fees, remediation, and reputational damage)

• Hundreds of lawsuits were filed

• The company’s stock price dropped significantly after disclosure

Taking accountability

The breach led to major executive departures. CEO Richard F. Smith stepped down shortly after the incident became public, followed by CIO David Webb and CSO Susan Mauldin.

These resignations reflected not just technical failure, but broader breakdowns in governance, risk management, and accountability.

The Equifax breach is often remembered as a cybersecurity incident.
But at its core, it was something simpler—and more common.
A known patch existed, a critical update was missed, and “later” became a two-month undetected intrusion inside one of the most sensitive data systems in the world.

How DocRead can help you avoid the same fate

DocRead is a policy and compliance management solution for Microsoft 365 and SharePoint that ensures critical documents are not just distributed, but also acknowledged, tracked, and auditable.

The Equifax breach exposed not only a cybersecurity failure but a breakdown in communication and accountability, where critical updates were not reliably read, understood, or acted upon—an issue DocRead directly addresses by turning passive communication into verifiable action.

The lesson is clear: in modern organizations, ensuring information is acknowledged and acted upon is essential to preventing risks from escalating into costly financial, legal, and reputational consequences.

You may also like: