Biology of Business

Equifax $575M Settlement

FTC

FTC Press Release (2019)

TL;DR

147.9 million records stolen over 80 days because one SSL certificate expired. Organizations die like organisms: not from lacking defenses, but from letting them degrade.

By Alex Denne

An expired SSL certificate—10 months overdue for renewal—let attackers exfiltrate 147.9 million Americans' data for 80 days undetected. This is immune system failure: Equifax had intrusion detection tools, but they couldn't inspect encrypted traffic without valid certificates. Like an organism whose alarm-call system goes silent, the detection machinery was present but non-functional. The breach exposed a cascade of redundancy failures: patch instructions sent but not enforced (65 days unpatched), admin credentials stored in plain text, and an unsegmented network that let attackers move laterally across 51 databases. The $575-700 million settlement—largest in data breach history—documents how organizations die the same way organisms do: not from lacking defenses, but from letting defensive systems degrade. Six weeks passed before public notification; executives sold stock before disclosure, triggering a credibility collapse that cost Equifax far more than the settlement.

Key Findings from FTC (2019)

  • 147.9 million Americans' personal data compromised over 80-day attack period (May-July 2017)
  • Expired SSL certificate (10 months overdue) prevented intrusion detection tools from inspecting traffic
  • 65 days between patch notification (March 9) and breach start (May 13)—patch order sent but not enforced
  • $575-700 million settlement: $300M consumer fund, $175M to states, $100M civil penalties
  • Six weeks to public disclosure; executives sold $1.8M in stock before announcement
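As an added example (not part of the original page or the FTC report), here is a certificate-inventory health check that treats an expired TLS-inspection certificate as a failed detection control rather than as a quiet absence of alerts. Device names, dates and the fixed reference clock are constructed; the 303-day overdue case mirrors the roughly 10-month lapse described above.

```python
import ssl

# Constructed sample inventory of the certificates that the TLS-inspection
# devices in front of an IDS depend on. Device names are hypothetical;
# not_after uses the format Python's ssl.getpeercert() reports.
INSPECTION_CERTS = [
    {"device": "ids-decrypt-01", "not_after": "Sep 29 00:00:00 2016 GMT"},
    {"device": "ids-decrypt-02", "not_after": "Aug 15 00:00:00 2017 GMT"},
    {"device": "ids-decrypt-03", "not_after": "Jun 30 00:00:00 2019 GMT"},
]

# Fixed reference time (constructed, not a live clock) so the run is
# reproducible: the end of the breach window the page describes.
REFERENCE_NOW = "Jul 29 00:00:00 2017 GMT"
WARN_DAYS = 30


def days_until_expiry(not_after: str, now: str) -> int:
    """Whole days from `now` to notAfter; negative once the cert has expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    reference = ssl.cert_time_to_seconds(now)
    return int((expiry - reference) // 86400)


def classify(not_after: str, now: str = REFERENCE_NOW) -> str:
    """EXPIRED: inspection is blind. EXPIRING: renew now. OK: healthy."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    return "EXPIRING" if days <= WARN_DAYS else "OK"


def audit(inventory=INSPECTION_CERTS, now: str = REFERENCE_NOW) -> dict:
    """List every device whose detection is silently degraded and for how
    long. A sensor that is present but blind is a failed control, and the
    silence it produces must never be read as 'no intrusions'."""
    report = {"blind_devices": [], "expiring_devices": [], "inspecting": 0}
    for cert in inventory:
        days = days_until_expiry(cert["not_after"], now)
        status = classify(cert["not_after"], now)
        if status == "EXPIRED":
            report["blind_devices"].append((cert["device"], -days))
        elif status == "EXPIRING":
            report["expiring_devices"].append((cert["device"], days))
        else:
            report["inspecting"] += 1
    return report


if __name__ == "__main__":
    result = audit()
    for device, overdue in result["blind_devices"]:
        print(f"CRITICAL {device}: inspection blind, cert expired {overdue} days ago")
    for device, left in result["expiring_devices"]:
        print(f"WARNING  {device}: cert expires in {left} days")
    print(f"{result['inspecting']} device(s) inspecting normally")
```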
