Case Study: The Equifax Breach: Calculating the True Cost
"The breach was entirely preventable. Equifax failed to patch a known vulnerability for months, and 147 million Americans paid the price." — U.S. Senate Permanent Subcommittee on Investigations, 2019
Overview
On September 7, 2017, Equifax — one of the three major U.S. credit reporting agencies — disclosed that hackers had accessed the personal information of approximately 147 million Americans. The stolen data included names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers and credit card numbers. It was one of the largest and most consequential data breaches in history, not because of its scale alone but because of the nature of the data compromised and the identity of the company that lost it. This case study examines the breach through an economic lens, analyzing who bore the costs, how those costs were distributed, and what the Equifax case reveals about the structural economics of data security.
Skills Applied:
- Analyzing breach costs using the direct/indirect cost framework from Section 11.3
- Identifying negative externalities in data security decisions
- Evaluating the distribution of costs across stakeholders
- Assessing whether market incentives are sufficient to produce adequate data security
The Breach: What Happened
The Vulnerability
The Equifax breach exploited a vulnerability in Apache Struts, an open-source web application framework used by Equifax's online dispute portal. The vulnerability (CVE-2017-5638) was publicly disclosed on March 7, 2017, and a patch was made available the same day. The U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) issued an alert about the vulnerability on March 8.
The alert reached Equifax, and company policy required critical patches to be applied within 48 hours of notification. That did not happen: the internal notice did not reach the people responsible for the dispute portal, and a vulnerability scan run on March 15 failed to flag the portal's unpatched Struts installation. The vulnerability remained unpatched for more than two months.
On May 13, 2017, hackers exploited the unpatched vulnerability and gained access to Equifax's systems. They moved laterally through the network, accessing databases containing consumer credit information. The intrusion continued, undetected, for 76 days — until July 29, 2017, when Equifax's security team discovered suspicious network traffic.
Equifax disclosed the breach publicly on September 7 — 41 days after discovering it internally.
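As an added example (not Equifax's tooling and not code from the case study's sources), the kind of check the 48-hour process above depends on: match a software inventory against an advisory's affected version ranges and age each hit against the SLA. The affected ranges for CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10) are taken from the Apache advisory; the hostnames and versions in the inventory are constructed for the example.

```python
from datetime import datetime, timedelta

# Advisory record for CVE-2017-5638. Affected ranges are from the Apache Struts advisory;
# the 48-hour deadline is the policy figure quoted in the case study.
ADVISORY = {
    "id": "CVE-2017-5638",
    "published": datetime(2017, 3, 7),
    "affected": [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")],  # inclusive ranges
    "sla_hours": 48,
}

# Constructed inventory: hostnames and versions are invented for this example.
INVENTORY = [
    {"host": "dispute-portal-01", "component": "struts", "version": "2.3.28"},
    {"host": "dispute-portal-02", "component": "struts", "version": "2.3.28"},
    {"host": "intranet-app-07", "component": "struts", "version": "2.5.10.1"},
    {"host": "legacy-report-03", "component": "struts", "version": "2.3.4"},
    {"host": "web-api-12", "component": "spring", "version": "4.3.7"},
]


def parse_version(v):
    """Turn '2.5.10.1' into a comparable tuple, padding to at least three
    components so that '2.5' compares as 2.5.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version, affected_ranges):
    """True if the version falls inside any inclusive (low, high) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in affected_ranges)


def _as_datetime(d):
    """Accept either a datetime or a 'YYYY-MM-DD' string."""
    return d if isinstance(d, datetime) else datetime.strptime(d, "%Y-%m-%d")


def days_overdue(published, as_of, sla_hours):
    """Whole days past the patch deadline (published + SLA); 0 if still within SLA."""
    deadline = published + timedelta(hours=sla_hours)
    return max(0, (_as_datetime(as_of) - deadline).days)


def sla_report(inventory, advisory, as_of, component="struts"):
    """Map each host still running an affected version to its days past the deadline."""
    return {
        item["host"]: days_overdue(advisory["published"], as_of, advisory["sla_hours"])
        for item in inventory
        if item["component"] == component and is_affected(item["version"], advisory["affected"])
    }


if __name__ == "__main__":
    # Age the inventory as of the date the case study gives for first exploitation.
    for host, days in sla_report(INVENTORY, ADVISORY, "2017-05-13").items():
        print(f"{host}: {ADVISORY['id']} unpatched, {days} days past the 48-hour deadline")
```

Run against the constructed inventory on the exploitation date, the two dispute-portal hosts come back 65 days past the deadline while the host on 2.5.10.1 and the one on 2.3.4 (below the affected range) are not flagged. The point of the version-range comparison is that a scan keyed on a single "fixed version" string would miss a host on the other release line; the scan that missed Equifax's portal is exactly the failure mode such a check exists to catch.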
The Data Compromised
The breach affected approximately 147.9 million U.S. consumers, roughly 45% of the country's population. The compromised data included:
| Data Element | Number of Consumers Affected |
|---|---|
| Names | ~147.9 million |
| Social Security numbers | ~145.5 million |
| Birth dates | ~145.5 million |
| Addresses | ~145.5 million |
| Driver's license numbers | ~17.6 million |
| Credit card numbers | ~209,000 |
| Dispute documents (containing personal information) | ~182,000 |
Additionally, approximately 15.2 million UK consumers and 19,000 Canadian consumers were affected.
The severity of the compromise cannot be overstated. Social Security numbers do not expire and cannot be easily changed. They are the primary identifier in the U.S. financial system. A stolen SSN enables identity theft that can persist for decades — opening fraudulent credit accounts, filing false tax returns, and impersonating the victim in countless contexts.
The Economics of the Breach: A Cost Accounting
Direct Costs to Equifax
Equifax's direct financial costs from the breach have been extensively documented:
| Cost Category | Estimated Amount |
|---|---|
| Legal fees and settlements | ~$700 million (FTC settlement alone) |
| Technology and security remediation | ~$400 million |
| Free credit monitoring for consumers | ~$125 million (allocated in settlement) |
| State regulatory fines | ~$175 million |
| Customer notification costs | ~$50 million |
| Forensic investigation | ~$25 million |
| Insurance recovery | -$125 million (offset) |
| Total estimated direct costs | ~$1.4 billion |
The FTC settlement, reached in July 2019, required Equifax to pay up to $700 million, the largest data breach settlement in history at the time. That figure bundles up to $425 million for a consumer restitution fund (which also paid for the free credit monitoring), a $175 million payment to the state attorneys general, and a $100 million civil penalty to the Consumer Financial Protection Bureau. The state payment and the credit-monitoring allocation listed separately in the table above are therefore components of the $700 million figure rather than additions to it, so the rows overlap and the total should be read as an approximate figure rather than a strict sum.
Indirect Costs to Equifax
Beyond the direct financial costs, Equifax incurred significant indirect costs:
Executive turnover. Equifax's CEO (Richard Smith), CIO, and CISO all resigned within weeks of the disclosure. Executive turnover disrupts organizational continuity and imposes recruitment, transition, and reputational costs.
Stock price impact. Equifax's stock price dropped approximately 35% in the week following disclosure, erasing roughly $6 billion in market capitalization. While the stock eventually recovered (reaching pre-breach levels within about two years), the temporary loss represented a real cost to shareholders and signaled market skepticism about the company's governance.
Reputational damage. Public trust in Equifax declined sharply. A Harris Poll survey found that Equifax's reputation score dropped from 31.8 (average) to 1.3 (near the bottom of all U.S. companies) in the months following the breach. For a company whose business model depends on being trusted with sensitive financial data, this reputational damage had operational consequences.
Congressional and regulatory scrutiny. Equifax's CEO was summoned to testify before four congressional committees. The company faced multiple federal and state investigations, consuming executive attention and legal resources for years. The breach was cited in numerous legislative proposals for federal data protection law.
Operational disruption. Equifax diverted hundreds of employees to breach response, forensic investigation, and remediation efforts. This diverted resources from revenue-generating activities and delayed product development.
The Cost Per Record
Equifax's total direct costs of approximately $1.4 billion, divided by 147.9 million affected consumers, yield a per-record cost of approximately **$9.47 per consumer**.
For context, the average cost per compromised record across all industries in 2017, according to the IBM/Ponemon Cost of a Data Breach Study, was $141. Equifax's per-record cost was dramatically lower — reflecting the company's strong negotiating position, the limitations of U.S. federal privacy law, and the absence of a comprehensive data protection statute (like the GDPR) that might have imposed higher penalties.
Who Actually Paid: The Distributional Analysis
Equifax
Equifax's $1.4 billion in costs is a large number in absolute terms. But relative to the company's financial capacity, it was absorbable. Equifax's annual revenue in 2018 was approximately $3.4 billion, and the company returned to profitability within two years of the breach. The stock price recovered. The company continued to operate. No Equifax executive was prosecuted for the security failure itself; the only criminal cases to come out of the breach were insider-trading charges against two former employees who traded on knowledge of the incident before it was disclosed.
Equifax also passed some costs to consumers indirectly: credit monitoring services — the primary form of "compensation" offered to affected consumers — were provided by Equifax's own subsidiary. Equifax was, in effect, paid to remediate its own failure.
Affected Consumers
The 147.9 million affected consumers bore substantial costs:
Direct financial loss. While the settlement allocated up to $425 million for consumer restitution, actual per-person payouts were far lower. Consumers who could document identity theft were eligible for reimbursement of up to $20,000 in documented losses. Consumers without documented losses were offered free credit monitoring or, alternatively, a cash payment of up to $125. In practice, the flood of claims reduced per-person cash payments to approximately $7-8. Most consumers received credit monitoring from an Equifax subsidiary, a service of limited value.
Time and effort. The Identity Theft Resource Center estimated that victims of identity theft spend an average of 7 hours resolving each incident. For the millions of consumers whose SSNs were compromised, the risk of identity theft extends indefinitely. The ongoing labor of monitoring credit reports, freezing and unfreezing credit, and disputing fraudulent accounts represents a significant uncompensated cost.
Anxiety and distress. The psychological costs of knowing that one's Social Security number, birth date, and address are in the hands of unknown parties are real but unquantified. Surveys consistently show that breach victims report elevated stress, anxiety, and loss of trust in financial institutions.
Ongoing risk. Unlike a credit card number, which can be changed, a Social Security number is permanent. The data stolen in the Equifax breach will be usable for identity theft for the lifetime of every affected individual. No settlement amount compensates for this indefinite exposure.
The Financial System
The Equifax breach imposed costs on the broader financial system:
Banks and credit card companies reissued millions of cards, implemented additional fraud detection measures, and absorbed some fraudulent charges. These costs were not borne by Equifax but were distributed across the financial system and ultimately passed to consumers through fees and interest rates.
Other credit bureaus (TransUnion and Experian) faced increased demand for credit freezes and monitoring services, straining their systems.
Government agencies spent resources on investigation, congressional hearings, and regulatory proceedings.
The Distributional Summary
| Stakeholder | Costs Borne | Duration |
|---|---|---|
| Equifax | ~$1.4B direct costs, reputational damage, executive turnover | 2-3 years to stabilize; company recovered |
| Consumers | $7-8 average settlement payment; ongoing identity monitoring labor; indefinite fraud risk; psychological distress | Indefinite (SSNs do not expire) |
| Financial system | Card reissuance, fraud absorption, increased monitoring costs | Ongoing |
| Taxpayers | Government investigation and enforcement costs | 2-3 years |
The asymmetry is stark: Equifax's costs were large but finite and absorbable. Consumers' costs are small individually but enormous in aggregate and indefinite in duration. The entity that caused the harm (by failing to patch a known vulnerability for two months) bore a fraction of the total cost; the individuals who had no role in the decision (and no ability to influence it) bore the rest.
The Economic Incentive Problem
Why Equifax Underinvested in Security
The Equifax breach was not the result of a sophisticated, unprecedented attack. It resulted from a failure to patch a known vulnerability in a timely manner — a basic security hygiene failure. Why did a company entrusted with the financial identities of nearly every American adult fail to perform this fundamental task?
The economic incentive structure provides a partial explanation:
The cost of the breach was externalized. Equifax bore approximately $9.47 per affected consumer in direct costs. The actual cost per consumer — including identity theft losses, monitoring labor, and indefinite fraud risk — is orders of magnitude higher. Because Equifax did not bear these costs, its economic incentive to prevent the breach was proportionally reduced.
Security is a cost center. As Ray Zhao notes in the chapter, security spending — like privacy spending — is coded as cost within corporate budgets. It does not generate revenue. It prevents hypothetical future losses, but those losses are probabilistic and uncertain. The CFO who approves a $50 million security upgrade cannot point to the breach that *didn't happen*; they can only point to $50 million in spending that reduced this quarter's earnings.
The penalty structure was insufficient to change behavior. Equifax's $700 million FTC settlement represented roughly 20% of one year's revenue, paid once. For comparison, the GDPR, which was not yet in force at the time of the breach, allows fines of up to 4% of global annual turnover (or €20 million, whichever is higher) per infringement. At Equifax's revenue that ceiling is about $136 million per infringement, so a regulator that found several distinct infringements could impose a total exceeding the FTC figure.
Consumers cannot choose their credit bureau. Unlike most markets, consumers do not choose to do business with Equifax. Equifax's customers are lenders, landlords, and employers who purchase credit reports. Consumers are the subjects of those reports, not the customers. This eliminates the competitive pressure that might otherwise motivate better security practices — consumers cannot take their business elsewhere because they never chose Equifax in the first place.
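As an added example (not from the case study's sources), a small expected-loss model that turns the incentive argument above into numbers. It uses the $9.47 per consumer that Equifax actually bore, the $141 per record industry figure the case study cites as a stand-in for the fuller cost, and the $200 million annual investment from the discussion questions. The assumption that the investment halves the annual breach probability is mine and is there only to show how the break-even point moves when the externalized cost is internalized.

```python
RECORDS = 147.9e6           # consumers affected, from the case study
EQUIFAX_PER_RECORD = 9.47   # direct cost Equifax bore per consumer (case study figure)
PONEMON_PER_RECORD = 141.0  # 2017 cross-industry per-record cost (case study figure)
INVESTMENT = 200e6          # annual security spend from discussion question 1
REDUCTION = 0.5             # assumed fraction by which the spend cuts annual breach probability


def expected_loss(p_breach, cost_per_record, records=RECORDS):
    """Annual expected loss: probability of a breach times the cost if it happens."""
    return p_breach * cost_per_record * records


def net_benefit(p_breach, investment, cost_per_record, reduction, records=RECORDS):
    """Expected loss avoided by the investment, minus the investment itself."""
    before = expected_loss(p_breach, cost_per_record, records)
    after = expected_loss(p_breach * (1 - reduction), cost_per_record, records)
    return (before - after) - investment


def break_even_probability(investment, cost_per_record, reduction, records=RECORDS):
    """Lowest annual breach probability at which the investment pays for itself
    (solves net_benefit == 0 for p_breach)."""
    return investment / (reduction * cost_per_record * records)


def compare(investment=INVESTMENT, reduction=REDUCTION):
    """Break-even probabilities under the two cost views the case study contrasts:
    the cost Equifax internalized versus a proxy for the full per-record cost."""
    return {
        "internalized_only": break_even_probability(investment, EQUIFAX_PER_RECORD, reduction),
        "full_cost_proxy": break_even_probability(investment, PONEMON_PER_RECORD, reduction),
    }


if __name__ == "__main__":
    for view, p in compare().items():
        print(f"{view}: investment rational only if annual breach probability >= {p:.1%}")
```

With only the internalized $9.47 per record at stake, a $200 million annual spend pays for itself only if the annual probability of a breach of this size is above about 29%; priced at the $141 per-record industry figure, the threshold drops below 2%. The model is deliberately simple (one breach size, a linear cost, a fixed reduction), but it makes the structural point: the same security budget is irrational under the costs Equifax bore and clearly rational under the costs consumers bore.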
The Aftermath and Reforms
What Changed
The Equifax breach catalyzed several reforms:
- Credit freeze laws. All three major credit bureaus are now required to offer free credit freezes to all consumers (previously, many states charged fees for this service).
- Congressional hearings. The breach was cited in multiple congressional proposals for federal data protection legislation, though no comprehensive federal law has been enacted.
- Industry security standards. The breach prompted credit bureaus and financial institutions to adopt stronger minimum security standards, including faster patching requirements and enhanced network monitoring.
- CISO elevation. Equifax and other financial companies elevated the Chief Information Security Officer role, in some cases providing direct reporting lines to the CEO or board of directors.
What Did Not Change
Despite the reforms, the fundamental economic structure that produced the breach remains largely intact:
- Credit bureaus still collect and store sensitive data on hundreds of millions of consumers without those consumers' active consent or direct customer relationship.
- The penalty structure for breaches remains lower than the cost of comprehensive security investment for many companies.
- Consumers still bear the majority of long-term breach costs.
- No Equifax executive was prosecuted for the security failure itself.
Discussion Questions
- The cost-benefit calculation. Equifax's total breach costs were approximately $1.4 billion. Its annual revenue in 2018 was approximately $3.4 billion. If Equifax had invested $200 million per year in improved security (roughly 6% of revenue), would it have been economically rational to do so? How does the answer change depending on the estimated probability of a breach and the expected cost?
- The externality problem. If Equifax bore the full cost of the breach, including all identity theft losses, monitoring costs, and psychological distress borne by 147 million consumers, how large would the total cost be? Would internalizing this cost have changed Equifax's security investment decisions?
- The consumer relationship problem. Consumers do not choose to be in Equifax's database. They have no direct contractual relationship with Equifax and no ability to opt out. How does this absence of consumer choice affect the market dynamics that might otherwise incentivize better security? What regulatory or structural changes could address this problem?
- Connecting to VitraMed. Mira's father's company, VitraMed, stores sensitive health data for thousands of clinic patients. Using the Equifax case as a cautionary example, what economic arguments could Mira make to her father about the level of security investment VitraMed should make, even if it reduces short-term profitability?
Your Turn: Mini-Project
Option A: Breach Cost Model. Using the IBM/Ponemon Cost of a Data Breach framework, build a simple cost model for a hypothetical data breach at an organization of your choice. Include direct costs (forensics, notification, legal, fines), indirect costs (reputation, customer churn, operational disruption), and external costs (costs borne by affected individuals and the broader system). Present your model in a table and write a one-page analysis comparing your estimates to the Equifax figures.
Option B: The Penalty Problem. Research data breach penalties under at least three different legal regimes (e.g., FTC enforcement, GDPR fines, HIPAA penalties, state attorney general actions). For each, identify the maximum penalty, the typical penalty actually imposed, and how the penalty compares to the breached company's revenue. Write a two-page analysis assessing whether current penalty structures create sufficient economic incentive for security investment.
Option C: The Consumer Perspective. Interview three people who have been affected by a data breach (or, if unavailable, research published accounts of breach victims' experiences). Document: (a) what they were told by the breached company, (b) what costs they incurred (time, money, anxiety), (c) what compensation they received, and (d) whether the experience changed their behavior. Write a one-page analysis connecting their experiences to the chapter's discussion of externalized costs.
References
- Equifax Inc. "2017 Cybersecurity Incident & Important Consumer Information." Equifax, September 2017.
- U.S. Government Accountability Office. "Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach." GAO-18-559, August 2018.
- Federal Trade Commission. "Equifax Data Breach Settlement." July 2019. https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement
- U.S. Senate Permanent Subcommittee on Investigations. "How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach." Staff Report, February 2019.
- Ponemon Institute / IBM Security. "Cost of a Data Breach Report." Annual reports, 2017-2024.
- Zou, Yixin, and Florian Schaub. "Beyond 'Compliance vs. Ethics': An Empirical Study of Consumer Perceptions and Experiences After Data Breaches." In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems. ACM, 2019.
- Riley, Michael, Jordan Robertson, and Anita Sharpe. "The Equifax Hack Has the Hallmarks of State-Sponsored Pros." Bloomberg, September 29, 2017.
- Sweet, Ken. "Equifax Stock Plunges After Massive Data Breach." Associated Press, September 8, 2017.