Equifax data breach
Equifax disclosed in 2017 that attackers had accessed data concerning about 147 million people. The exposed records included names, dates of birth, Social Security numbers, addresses, and in some cases payment-card or dispute-document information.
The US Federal Trade Commission, Consumer Financial Protection Bureau, and states reached a settlement of at least USD 575 million in 2019. The enforcement record emphasized failure to patch a known vulnerability and inadequate detection and segmentation.
Unlike a password breach, the identifiers exposed here are difficult or impossible to rotate. The case therefore supports the Case for privacy and security argument for minimizing permanent identifiers, segmenting dossiers, and planning long-lived fraud response.