143 million customer records stolen at credit reference agency


In September 2017, one of the big three credit reference agencies disclosed they had suffered a data breach which exposed personally identifiable information for 143 million US customers along with other customers around the world. The attackers exploited a security flaw on the company's website.

This data breach was breathtaking due to the amount of highly sensitive data effectively handed over to the attackers, including full names, social security numbers, birth dates, addresses and driver licence numbers. It provided almost all of the information that companies use to confirm consumers identity directly into the hands of hostile actors and will remain so indefinitely.

According to senator Mark Warner, vice chairman of the Senate Select Committee on Intelligence, it would not be an “exaggeration to suggest that a breach such as this represents a real threat to the economic security of Americans".

A standard precaution advised to data breach victims where financial information is exposed is to monitor your records at the credit reference agencies. According to Avivah Litan, a Gartner Inc analyst who tracks identity theft and fraud “on a scale of 1 to 10, this is a 10. It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data”.

Other notable aspects to this case was the company's severely criticised "haphazard" incident response and that the breach caused key executives to leave including the CEO and CISO.

In September 2018, the company received a £500,000 fine by the Britain's ICO. The US government blamed the ex-CEO Richard Smith claiming it was his aggressive expansion strategy that led to the breach.

In October 2023, Britain's financial regulator, the Financial Conduct Authority, fined the company £11 million in relation to this incident.

Book a consultation

Want to discuss this case? You can purchase a 30 minute conference call with our analysts to discuss this case and the implications it has for your organisation. Just select the time and date that works for you:


  • Equifax Inc.

We've done the analysis so you can make the decisions

When purchasing a minimum of 5 Case Studies
$699.99 if buying less than 5.

  • Detailed cause & effect analysis
  • Lessons learnt catalogued
  • Preventive controls extracted
Add to Cart
Heads up! Want to try before you buy? You can download our FREE demo case study here