Detailed Narrative of Events

(Extended Documentation for the Equifax 2017 Cybersecurity Incident and Federal Enforcement Case Study)

Table of contents

  1. Overview
  2. Pre-incident environment
  3. Initial intrusion and discovery (2017)
  4. Data scope and sensitivity
  5. Public disclosure and response
  6. Federal and state investigations
  7. FTC and CFPB orders (2019)
  8. Civil MDL and settlement administration

Overview

In September 2017, Equifax publicly disclosed a cybersecurity incident affecting tens of millions of U.S. consumers, involving credit file and related personally identifiable information held by one of the nationwide consumer reporting agencies. The incident became a defining multi-agency enforcement and private litigation event: federal regulators pursued orders requiring a strengthened information security program, assessments, and consumer redress structures; state actors pursued parallel tracks; and MDL litigation produced settlement programs for consumer claims.

Public enforcement summaries emphasize failure to remediate a known critical vulnerability in an internet-facing application environment as a core technical failure mode enabling unauthorized access at bureau scale.


Pre-incident environment

Equifax maintained large-scale consumer credit databases and supporting application and infrastructure environments. Like other bureau-scale environments, Equifax’s attack surface included internet-facing services, patch management processes, and identity and access controls governing administrative access to sensitive data stores.


Initial intrusion and discovery (2017)

According to public summaries in FTC and CFPB materials and widespread press reporting, attackers exploited a known vulnerability for which a patch was available but not fully applied in a timely manner in the relevant application deployment. The failure enabled unauthorized access to sensitive consumer data at a scale commensurate with Equifax’s national role in credit reporting.


Data scope and sensitivity

Affected data categories publicly described in enforcement and reporting included names, Social Security numbers, birth dates, addresses, and other credit file elements—data suited to identity theft and fraud if misused. The sensitivity of the data magnified regulatory and litigation exposure.


Public disclosure and response

Equifax publicly disclosed the incident in September 2017, launched consumer-facing response programs (including credit monitoring and related offerings as described in public materials), and engaged with law enforcement and regulators. Internal forensic investigation and remediation efforts proceeded alongside external scrutiny.


Federal and state investigations

Multiple federal and state agencies investigated Equifax’s security practices, governance, and disclosures. Investigators examined whether Equifax maintained reasonable safeguards for the sensitivity and volume of data it held and whether governance and patch management failures reflected broader enterprise control weaknesses.


FTC and CFPB orders (2019)

In July 2019, the FTC entered a stipulated order requiring a strong information security program, third-party assessments, and substantial consumer redress funding mechanisms, among other provisions (see the published FTC Equifax order PDF in the FTC’s case materials). The CFPB pursued a parallel enforcement action described in public CFPB materials. Practitioners should read the orders for authoritative obligations and definitions.


Civil MDL and settlement administration

Consumer MDL litigation and settlement administration followed on a separate track from criminal enforcement (where applicable). Court filings and administration notices from 2020 onward describe claims processes and distribution mechanics; consult the operative docket for deadlines and class definitions.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM