Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Case File 04.EFX / Equifax Inc. | Disclosed 7 Sept 2017

Case ID

Equifax 2017: $1.4B+ total and still accruing.

One of the costliest breaches on record. Equifax disclosed on 7 September 2017 that attackers had exploited an unpatched Apache Struts vulnerability to exfiltrate sensitive personal data on roughly 147 million US consumers. Cumulative cost across regulator settlements, class-action settlements, remediation, and ongoing consumer-claims processing has crossed $1.4B as of 2025, with the FTC settlement payout still distributing in 2026.

Records exposed

147M

US consumers, plus UK and Canadian residents

Total cost

$1.4B+

As of 2025, still accruing

FTC settlement

$700M

Largest in FTC history at the time

Stock impact

-35%

18 months to pre-breach levels

Section EFX.1

How the breach happened

Apache Struts is a widely used Java web framework. On 7 March 2017 the Apache Software Foundation published security advisory S2-045 for CVE-2017-5638, a remote code execution vulnerability in the Jakarta Multipart parser. Fixed releases (Struts 2.3.32 and 2.5.10.1) were published the same day as the advisory, and working public exploits were circulating within 24 hours of disclosure.

Equifax ran its public-facing consumer dispute portal (the ACIS application, through which consumers challenge inaccurate entries in their credit files) on a Struts build that was never patched between the March advisory and the discovery of the breach at the end of July 2017. Attackers gained initial access on 13 May 2017, roughly ten weeks after the advisory, and exfiltrated data over the following 76 days. Equifax security staff first noticed the unusual traffic on 29 July 2017, and the vulnerable application was patched the following day.

The House Oversight Committee's December 2018 report documented the failure chain in detail: the internal notice to patch Struts went to an out-of-date distribution list and the vulnerability scanner failed to flag the ACIS instance, so it was missed during the patch sweep; the SSL certificate on the device that inspected encrypted traffic to the portal had expired about 19 months earlier, so the exfiltration went unseen; the portal was not segmented from the rest of the Equifax internal network; and the attackers found a file of unencrypted database credentials on the system, which they used to reach dozens of additional databases.
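The two controls this failure chain calls for, an inventory-driven patch sweep that actually finds every Struts instance and a traffic check that would have made the exploit visible, can be scripted. The following is an added example written for this case file, not code from Equifax, the House report, or the case file itself. The affected version ranges (Struts 2.3.5 to 2.3.31 and 2.5 to 2.5.10) and the OGNL-in-Content-Type exploit pattern come from the public Apache advisory; the hostnames, inventory rows, log-line format and log lines are constructed sample data.

```python
"""Added example (not code from Equifax, the House report, or the case
file): the two checks the EFX.1 failure chain calls for, as a patch-sweep
script.

1. Inventory check: flag every asset whose Struts version falls in the
   CVE-2017-5638 affected range (2.3.5 to 2.3.31 and 2.5 to 2.5.10; fixed
   in 2.3.32 and 2.5.10.1, per the public Apache advisory) and report how
   many days it has been exposed since the advisory.
2. Traffic check: flag request-log lines whose Content-Type header carries
   an OGNL expression, the publicly documented S2-045 exploit pattern, so an
   unpatched host is at least visible to detection.

Hostnames, inventory rows, the log format and the log lines below are
constructed sample data, not Equifax systems."""
from datetime import date
import re

ADVISORY_DATE = date(2017, 3, 7)         # Apache S2-045 advisory (case file)
INITIAL_ACCESS_DATE = date(2017, 5, 13)  # first attacker access (case file)


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare component-wise, and a
    shorter tuple sorts before a longer one with the same prefix."""
    return tuple(int(p) for p in version.split("."))


def is_affected(version):
    """True if this Struts version is in the CVE-2017-5638 affected range."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < (2, 3, 32)
    if v[:2] == (2, 5):
        return v < (2, 5, 10, 1)
    return False


def exposure_report(inventory, as_of):
    """Return (host, app, version, days_since_advisory) for each affected
    asset. A host missing from the inventory (the Equifax failure) yields no
    row at all, which is why the sweep must start from a complete list."""
    days = (as_of - ADVISORY_DATE).days
    return [(row["host"], row["app"], row["struts_version"], days)
            for row in inventory if is_affected(row["struts_version"])]


# Public S2-045 exploit requests put an OGNL expression in the Content-Type
# header; a legitimate multipart upload never contains these tokens.
OGNL_MARKERS = re.compile(r"%\{|#_memberAccess|#context\[", re.IGNORECASE)


def suspicious_content_type(value):
    return bool(OGNL_MARKERS.search(value))


def scan_request_log(lines):
    """Lines use a constructed format: client "METHOD path" status "Content-Type".
    Returns the lines whose Content-Type looks like OGNL injection."""
    hits = []
    for line in lines:
        m = re.search(r'"([^"]*)"\s*$', line)   # last quoted field
        if m and suspicious_content_type(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample data.
SAMPLE_INVENTORY = [
    {"host": "dispute-web-01", "app": "consumer dispute portal", "struts_version": "2.3.24"},
    {"host": "intranet-02", "app": "hr portal", "struts_version": "2.5.10.1"},
    {"host": "legacy-03", "app": "batch ui", "struts_version": "2.3.4"},
]
SAMPLE_LOG = [
    '10.0.0.5 "POST /dispute/upload" 200 "multipart/form-data; boundary=----x1"',
    '198.51.100.7 "POST /dispute/upload" 200 "%{(#_=\'multipart/form-data\').(#x=1)}"',
    '10.0.0.9 "GET /dispute/status" 200 "-"',
]

if __name__ == "__main__":
    for host, app, ver, days in exposure_report(SAMPLE_INVENTORY, INITIAL_ACCESS_DATE):
        print(f"UNPATCHED {host} ({app}) Struts {ver}: {days} days since advisory")
    for line in scan_request_log(SAMPLE_LOG):
        print("SUSPECT", line)
```

Run against the sample data as of 13 May 2017, the inventory check reports the dispute portal at 67 days of exposure and ignores the already-patched 2.5.10.1 host and the pre-2.3.5 host, and the log scan returns only the line with the OGNL expression. The version comparison works on tuples rather than strings so that 2.5.10.1 sorts above 2.5.10 and below 2.5.11, which a naive string compare gets wrong.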

Section EFX.2

The $1.4B+ cost composition

Cost line item | Amount | Source
FTC global settlement headline (consumer restitution fund + $175M to states + $100M CFPB civil penalty) | $700M | FTC consent order, July 2019
  of which: multistate AG settlement | $175M | Multistate AG announcement, July 2019
  of which: CFPB civil penalty | $100M | CFPB consent order, July 2019
  overlapping: consolidated class-action settlement fund (the same consumer-restitution fund, court-approved) | $380.5M minimum | Northern District of Georgia, In re Equifax Inc. Customer Data Security Breach Litigation, 2020
SEC settlement (delayed disclosure) | $5M | SEC press release, August 2018
UK ICO penalty | £500K | ICO monetary penalty notice, September 2018
Direct response and remediation, operating cost (2017-2019) | $1.35B | Equifax SEC 10-K filings, 2017-2019
Free credit monitoring, operating cost | ~$200M | Equifax SEC 10-K filings, 2017-2020
Total cumulative cost (as of 2025) | $1.4B+ | Equifax SEC 10-K filings, 2017-2024

The line items above overlap and must not be summed. The $175M multistate and $100M CFPB amounts are components of the $700M FTC headline, and the class-action settlement fund is the same consumer-restitution fund that the FTC order established, with court-supervised allocation to prevent double recovery. The $1.4B+ total is the cumulative breach-related cash outflow disclosed in Equifax's SEC filings, not the sum of the headline settlement figures.

Section EFX.3

The FTC settlement: what $700M actually distributed

The global settlement agreed in July 2019 comprised $300M for a consumer-restitution fund, $175M to the states (via the multistate AG action, structured as part of the same package), a $100M civil penalty paid to the CFPB, and free credit monitoring for affected consumers who claimed it. Up to an additional $125M was reserved for the restitution fund if the initial $300M proved insufficient to cover all valid out-of-pocket claims, capping total consumer-redress payments at $425M.

The structure was unusual because the parties assumed relatively low per-consumer claim volume and offered each consumer a choice between a $125 alternative cash payment and four years of free credit monitoring. When claim volume vastly exceeded that assumption, the FTC publicly cautioned consumers that the $125 payment would be sharply reduced if everyone claimed it. The cash option ultimately paid out in the region of $5 to $10 per claimant, while the credit-monitoring option retained its full four-year value. The case has since been studied as a worked example of why per-class-member compensation predictions in breach class actions are difficult and frequently produce post-settlement controversy.

The FTC also imposed material structural requirements on Equifax beyond the monetary component: a written information-security programme with annual third-party assessment, retention of a Chief Information Security Officer, board-level oversight of information security, and ongoing FTC compliance reporting through 2039.

Section EFX.4

Personnel consequences

Equifax CIO David Webb and CSO Susan Mauldin both retired effective 15 September 2017; CEO Richard Smith retired on 26 September 2017, with the treatment of his retirement benefits contested. In February 2020 the DOJ indicted four members of the Chinese People's Liberation Army 54th Research Institute for the intrusion itself; none has been arrested.

Three Equifax executives sold about $1.8M of Equifax stock in the window between the breach discovery and the public disclosure; a board review concluded they had not been told of the breach when they traded, and they were not charged. Two other employees who did know were prosecuted. The SEC and DOJ charged Jun Ying, CIO of the US Information Solutions unit, with insider trading; Ying pleaded guilty in March 2019 and was sentenced in June 2019 to four months in prison, with roughly $117K in restitution and a separate fine. Sudhakar Reddy Bonthu, a software development manager, pleaded guilty in 2018. The cases confirmed that material non-public knowledge of an undisclosed breach is treated under standard insider-trading enforcement.

Section EFX.5

Lasting policy impact

Equifax produced more policy change than any other breach in US history. Direct legislative outcomes include the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 (which entitled consumers to free credit freezes nationwide), state-level reforms expanding breach-notification requirements in at least 12 states, and the CFPB's extended supervisory engagement with all three credit bureaus through the mid-2020s. The case also accelerated bipartisan interest in a federal data-privacy statute, though as of this filing (April 2026) no comprehensive bill has cleared both chambers.

For the breach-cost evidence base specifically, Equifax established the billion-dollar single-breach precedent and shifted regulator expectations about the appropriate scale of penalty for systemic security-control failures. The $700M FTC settlement was the largest in agency history when announced on 22 July 2019; it was exceeded within days by the $5B Facebook settlement announced the same month.

Primary sources: FTC consent order (July 2019); multistate AG announcement (July 2019); CFPB consent order (July 2019); In re Equifax Inc. Customer Data Security Breach Litigation (N.D. Ga.); Equifax SEC 10-K filings 2017-2024; House Oversight Committee report (December 2018); SEC enforcement actions against Jun Ying and Sudhakar Reddy Bonthu.