Equifax Breach: One Year Later

How to Protect Yourself Against ID Theft and Hold Equifax Accountable
Released by: CALPIRG Education Fund


One year after publicly announcing the worst data breach in history, Equifax still hasn’t paid a price or provided the information and tools consumers need to adequately protect themselves.

On September 7th, 2017, Equifax publicly announced a breach of its data belonging to approximately 143 million U.S. consumers. It later updated that number to 145.5 million and then to nearly 148 million affected consumers. By exposing sensitive personal information, including social security numbers and birthdates, and for some people, credit card numbers and driver’s license numbers, Equifax put consumers at risk of several types of identity theft and fraud.

The purpose of this report is to make sure consumers have the information they need to protect themselves as much as possible, review what has happened in the last year, and point out the need for Congressional action to prevent breaches as bad as this one from ever happening again.

Equifax’s Many Failures

Had Equifax not been so careless, the breach may never have happened. Four months before the hacking, Equifax could have fixed a known security vulnerability. The company also botched its response by: 

  • Delaying public notification for at least six weeks

  • Setting up an online search tool that provided faulty results to those who used it about whether they were affected by the breach

  • Initially understaffing its call center  

  • Initially including arbitration language that forced consumers to sign away their rights to a day in court

  • Directing consumers to a fake website

  • Failing to provide consumers full protection from new account identity theft -- which it still hasn’t done. (See Appendix A for a summary of Equifax’s offerings to consumers in response to the breach and how they fall short of protecting consumers.)

Recommended Steps to Prevent and/or Detect Identity Theft and Fraud

Conclusion and Recommendations

Ultimately, we are not the customers of Equifax or the other credit bureaus; we are their product. We did not ask or give them permission to collect or sell our personal information. Congressional action, state and federal agency enforcement and private rights of action are needed to provide both the necessary financial consequences and oversight that will help prevent anything like last year’s Equifax breach from happening again. Additionally, breached companies should be required to provide consumers with clear, complete, and concise information about what can be done to prevent, detect, and resolve most kinds of identity theft and fraud.

Support us

Your tax-deductible donation supports CALPIRG Education Fund’s work to educate consumers on the issues that matter, and the powerful interests that are blocking progress.

Learn More

You can also support CALPIRG Education Fund’s work through bequests, contributions from life insurance or retirement plans, securities contributions and vehicle donations. 




CALPIRG Education Fund is part of The Public Interest Network, which operates and supports organizations committed to a shared vision of a better world and a strategic approach to social change.