Equifax is a private credit reporting company. The company trades information with credit card companies and banks in order to evaluate how much of a credit risk each individual consumer represents. The Equifax business model is to charge companies when it prepares a credit report on an individual and to rent out lists of consumers to people seeking to market products and services.
There are two issues with credit reporting companies. The first is that it is difficult to collect all of the relevant data and link it properly to the individual consumer. Sometimes, data is attached to the wrong individual, particularly if two different consumers have the same name. The second is that it is difficult to protect the large database against attack and unauthorized access. Because Equifax has a lot of valuable personal information about each consumer, including date of birth, Social Security Number, and credit card numbers, hackers could use the data for identity theft if they are successful in accessing it.
In July 2017, hackers accessed the Equifax records of about 143 million consumers. Among these are many people who have never dealt directly with Equifax, both within the U.S. and abroad.[1] The attackers gained access using a known vulnerability (CVE-2017-5638) in Apache Struts.[2] A patch for the issue had been available since March 2017, but not used by Equifax before this breach.[3]