#breach #credit-bureau #apache-struts

Equifax

An unpatched Apache Struts server gave away the personal credit data of 147 million Americans, almost half the country.

Cyber Chronicle · 2 min read

Equifax does not have customers in the ordinary sense. The people whose data it holds did not opt in and cannot opt out. That is the company's entire business model: it aggregates the credit history of essentially every adult American and sells reports about them to banks, landlords, and employers.

A two-month head start

In March 2017, the Apache Software Foundation released an emergency patch for a flaw in Struts, a widely used Java web framework: CVE-2017-5638, a remote code execution bug in the framework's multipart file-upload handling that could be triggered with a single crafted HTTP request. Equifax's internal vulnerability scan missed the public-facing dispute portal that ran on an affected version, so the vulnerability stayed open for roughly two months.
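The missed-asset problem above is the kind of thing a dumb inventory check catches where a network scan does not. The following is an added example, not code from the page or from Equifax: a Python script that walks a deployment tree, finds struts2-core jars both loose on disk and inside .war archives, and classifies each against the affected ranges for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The directory layout, application names and jar files are constructed for the demonstration; versions outside the advisory's ranges are reported as unknown rather than assumed safe.

```python
import os
import re
import tempfile
import zipfile

# Affected ranges for CVE-2017-5638 (Struts advisory S2-045), keyed by branch:
# 2.3.5 through 2.3.31 (fixed in 2.3.32) and 2.5 through 2.5.10 (fixed in 2.5.10.1).
# Each value is (first affected, first fixed); tuples compare lexicographically.
AFFECTED = {
    (2, 3): ((2, 3, 5), (2, 3, 32)),
    (2, 5): ((2, 5), (2, 5, 10, 1)),
}
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def classify(version):
    """Return 'vulnerable', 'patched' or 'unknown' for a struts2-core version string."""
    v = parse_version(version)
    rng = AFFECTED.get(v[:2])
    if rng is None:
        return "unknown"  # branch not covered by the advisory: do not assume safe
    first_affected, first_fixed = rng
    if v >= first_fixed:
        return "patched"
    if v >= first_affected:
        return "vulnerable"
    return "unknown"


def struts_jars_in(path):
    """Yield (location, version) for every struts2-core jar under `path`.
    Checks loose jars on disk and jar entries inside .war archives."""
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            m = JAR_RE.search(name)
            if m:
                yield full, m.group(1)
            elif name.endswith(".war") and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as war:
                    for entry in war.namelist():
                        m = JAR_RE.search(entry)
                        if m:
                            yield f"{full}!{entry}", m.group(1)


def audit(path):
    """Return {location: (version, status)} for everything found under `path`."""
    return {loc: (ver, classify(ver)) for loc, ver in struts_jars_in(path)}


def build_sample_tree(base):
    """Constructed sample (hypothetical names): one exploded app on a patched jar,
    one WAR bundling a vulnerable jar, and one WAR on a branch the advisory omits."""
    lib = os.path.join(base, "billing", "WEB-INF", "lib")
    os.makedirs(lib, exist_ok=True)
    open(os.path.join(lib, "struts2-core-2.3.32.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(base, "dispute-portal.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"")
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
    with zipfile.ZipFile(os.path.join(base, "legacy.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.1.8.jar", b"")
    return base


def run_sample():
    """Build the constructed tree in a temp dir and audit it.
    Keys are locations relative to the temp dir, with '/' separators."""
    with tempfile.TemporaryDirectory() as tmp:
        found = audit(build_sample_tree(tmp))
        return {os.path.relpath(loc, tmp).replace(os.sep, "/"): v for loc, v in found.items()}


if __name__ == "__main__":
    for loc, (ver, status) in sorted(run_sample().items()):
        print(f"{status:10} {ver:9} {loc}")
```

Matching on the jar filename is deliberately crude; the point is that it runs against what is actually deployed on the host, so an application that never made it into the scanner's target list still shows up. A production version would also read the version from the jar's manifest for jars that have been renamed.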

The attackers found it in May. They moved laterally inside Equifax's network, discovered an unencrypted file containing administrative credentials, and used those credentials to query 51 internal databases. The exfiltration ran for more than two months without tripping an alert: the certificate on the device that inspected outbound encrypted traffic had expired, so that traffic was passing through uninspected. By the time the company noticed in late July, names, Social Security numbers, birth dates, addresses, and in many cases driver's license numbers for 147 million people had been exfiltrated.

A US indictment, briefly

The US Department of Justice eventually indicted four members of China's People's Liberation Army, alleging that the intrusion was a state-directed intelligence collection operation rather than ordinary fraud. None of the stolen data has ever surfaced for sale on criminal forums, which lent that theory weight.

What the chronicle remembers

Equifax is the canonical illustration of the agency problem in data brokerage. The victims of the breach had no contractual relationship with the company that lost their data, no way to remove themselves from its files, and no meaningful recourse beyond a settlement that worked out to a handful of dollars each.