Equifax publicly announces the massive cybersecurity breach affecting 143 million Americans (later revised to 147.9 million), more than 40 days after discovering the breach on July 29, 2017. CEO Richard Smith issues a perfunctory apology stating 'I apologize to consumers and our business customers for the concern and frustration this causes,' while emphasizing the company's review of security operations. The delayed disclosure came only after executives had sold stock and the company had prepared legal defenses, demonstrating corporate prioritization of liability management over consumer protection.
The announcement exposes catastrophic regulatory capture and the inadequacy of the Consumer Financial Protection Bureau (CFPB). Under Trump-appointed Acting Director Mick Mulvaney, the CFPB shut down investigation of the breach, failing to seek subpoenas or obtain sworn testimony from Equifax executives, ending plans to test Equifax's security systems, and rejecting offers from state regulators to assist. This represents the CFPB abandoning its consumer protection mandate to shield a major credit bureau from accountability. The case reveals how credit reporting agencies—holding sensitive data on virtually all American adults—operate with minimal oversight and face no meaningful consequences for security failures. Equifax continued operating critical consumer credit infrastructure despite proven incompetence, while executives faced no criminal charges for the negligence that exposed half the U.S. population to identity theft.