Data Breach at Equifax
The case discusses the events leading up to the massive data breach at Equifax, one of the three U.S. credit reporting companies, the organizational and governance issues that contributed to the breach, and the consequences of the breach. The case supplement provides details of how Equifax recovered from the breach and changes the company made. On September 7, 2017, Equifax announced that the personal information of over 140 million consumers had been stolen from its network in a catastrophic data breach, including people's Social Security numbers, driver's license numbers, email addresses, and credit card information. The announcement sparked a massive backlash, as consumers and public officials questioned how a company that managed sensitive personal information about over 800 million individuals could have such insufficient security measures. It came to light that Equifax had been aware of critical faults in its cybersecurity infrastructure, policies, and procedures for years but had failed to address them. Equifax's public response also received criticism. CEO Richard Smith and numerous other executives resigned, and Equifax was left facing dozens of lawsuits, government investigations, and the potential for new regulation.