Security · 5 min read · 12 September 2017

Equifax and the Breach That Changed the Data Security Conversation

Equifax disclosed that 143 million Americans had their personal data stolen. The data was not optional to provide. Nobody had chosen to give Equifax anything.

Tags: Security, Data Breach, Privacy, Equifax, Infrastructure

In September 2017, Equifax disclosed that attackers had accessed its systems and stolen personal data belonging to approximately 143 million Americans. The data included names, Social Security numbers, dates of birth, addresses, and in some cases driving licence and credit card numbers. The breach had begun in May, had not been discovered until July, and was not disclosed to the public until September.

The scale of the breach was large enough to be significant on its own. But what made the Equifax breach different from most large data breaches was the nature of the relationship between the company and the people whose data was compromised. Nobody had chosen to give Equifax their personal information. Equifax is a credit bureau. It collects data because lenders report it and because credit checks are a normal part of applying for loans, renting apartments, and various other transactions. The people whose data was stolen had no opt-in, no visibility into what was held, and no meaningful ability to remove themselves from the situation.

That asymmetry matters. When a breach happens at a social network, there is at least an argument that you chose to put your information there and accepted some implicit risk. When it happens at a credit bureau, the data was collected on you without any meaningful choice, making the argument about personal responsibility for data security largely irrelevant.

The immediate response from Equifax made things considerably worse. The company set up a website for affected consumers to check whether they were in the breach. The website had its own security problems. The initial guidance to affected consumers offered free credit monitoring through Equifax itself, a company that had just demonstrated it could not protect the data it already had. The compensation amounts eventually settled on were widely criticised as inadequate given the severity of the exposure.

What changed in the aftermath was the seriousness of the policy conversation around data brokers. Equifax and its peers collect and sell personal data at scale, mostly invisibly to the people involved. The breach made that invisible industry suddenly visible. It did not resolve the underlying questions about what obligations data brokers have, what oversight they should face, or what remedies should be available when things go wrong. But it made those questions harder to avoid.
