TL;DR: Equifax’s 76-day breach showed how an expired digital certificate on a network monitoring device can silently disable a detection control, delay discovery of an intrusion by months, and contribute to massive PII exposure, according to DigiCert’s analysis. The lesson is that certificate lifecycle management is not housekeeping; it is a control for visibility, continuity, and breach containment.
At a glance
What this is: DigiCert’s analysis of the Equifax breach, showing how a gap in certificate visibility let a monitoring device fail silently and helped attackers exfiltrate sensitive data undetected for 76 days.
Why it matters: It matters to IAM and security teams because certificate inventory, ownership, and lifecycle control sit inside broader identity governance for machine and workload identities.
By the numbers:
- Equifax’s data breach exposed highly sensitive information on approximately 147 million people in the US, a figure often rounded up to 150 million.
- The 2019 settlement with the FTC, the CFPB, and US states cost the company at least $575 million; it was a global settlement including consumer restitution, not an FTC fine alone.
Context
Certificate lifecycle management is the discipline of discovering, tracking, renewing, and retiring certificates before they fail or fall out of policy. In this case, the primary failure was not the expiry itself but the absence of centralised visibility into a certificate on a network traffic monitoring device: nobody was positioned to renew it in time, and when it lapsed the device silently stopped performing the inspection that scanning and detection depended on.
For identity teams, the Equifax example sits squarely in NHI governance. Certificates are a form of non-human identity, and when ownership, inventory, and expiry status are fragmented across teams, the result is not just operational risk but a governance gap that can expand into breach exposure, outage risk, and audit failure.
Key questions
Q: What breaks when certificate visibility is not centralised?
A: When certificate visibility is fragmented, organisations lose reliable ownership, renewal timing, and policy enforcement. That turns expiry into an operational surprise and can also disable dependent controls such as scanning or secure communications. The practical risk is not only outage. It is that attackers can exploit the gap while defenders believe the control is still functioning.
Q: Why do expired certificates increase breach risk in enterprise environments?
A: Expired certificates increase breach risk because they can remove or weaken the control that authenticates a system or enables monitoring. If a security device can no longer function, the organisation may lose detection at exactly the point it needs it most. The broader problem is lifecycle failure, not the certificate date alone.
Q: How do security teams know if certificate lifecycle management is working?
A: Certificate lifecycle management is working when every certificate has a clear owner, renewal is automated or tightly managed, and expiry cannot occur without escalation. Teams should also verify that dependent controls keep operating during renewal events. If certificates still depend on ad hoc admin tracking, the process is not mature enough.
Q: Who is accountable when a certificate expires and enables a breach?
A: Accountability should sit with the team that owns certificate governance, not only with the administrator who notices the expiry. In mature programmes, PKI, identity governance, and the business system owner all share responsibility for inventory, renewal, and risk acceptance. If ownership is unclear, the control model has already failed.
Technical breakdown
Expired certificate visibility gap in PKI
A certificate is only useful if the organisation knows it exists, who owns it, where it is used, and when it expires. The Equifax case shows the failure mode of distributed certificate management: spreadsheets, manual checks, and isolated admin knowledge cannot reliably surface expiring certificates across business units. In PKI, expiry is not merely a maintenance event. It can disable dependent controls such as scanning, authentication, or secure communications, which turns a missed renewal into an access and detection failure.
Practical implication: maintain a central certificate inventory with ownership and renewal workflow tracking.
How certificate expiry can disable security controls
The article’s key technical point is that the expired certificate belonged to a network tracking device, and once the device could no longer function, the vulnerability scanning and traffic inspection it supported could not run as intended. One caveat from the public record: the device in question decrypted and inspected network traffic, and its certificate had lapsed roughly 19 months before the intrusion was discovered, so the gap it opened was in detecting exfiltration, not in the attackers’ initial entry. That is still a control cascade: the certificate fails first, then the dependent security function fails, then attacker activity proceeds undetected. In identity terms, the certificate is not a passive artifact. It is an operational credential that enables a control plane function, so its lifecycle directly affects defensive coverage.
Practical implication: map every certificate to the control or service it enables, not just to the host it sits on.
Centralised certificate lifecycle management versus manual tracking
Manual certificate governance breaks down when the estate reaches hundreds of thousands of certificates, as the article notes for Global 2000 environments. At that scale, human memory, email alerts, and ad hoc scripts do not create dependable lifecycle assurance. Centralised certificate lifecycle management changes the model by making discovery, expiry monitoring, replacement, and policy checks repeatable. That is why certificate governance belongs alongside identity lifecycle processes, not outside them as a separate infrastructure task.
Practical implication: treat certificate lifecycle management as part of identity governance and automate renewal workflows where possible.
Threat narrative
Attacker objective: The attackers aimed to exfiltrate sensitive personal information from multiple databases while remaining undetected.
- Entry came through an unpatched web application flaw (the Apache Struts vulnerability Equifax had failed to remediate); the expired certificate did not open the door, but it meant the device that should have inspected traffic for attacker activity was not working.
- Detection was effectively lost when the certificate expiry stopped the network tracking device operating as a security control; public reporting puts the device out of action for roughly 19 months before the breach was found.
- Escalation followed as attackers moved undetected through the environment and accessed multiple databases over an extended period.
- Impact was a 76-day leak of sensitive personal data affecting approximately 147 million people in the US.
Breaches seen in the wild
- Sisense breach — unauthorised GitLab access led to exfiltration of access tokens, API keys and certificates.
- DeepSeek breach — a publicly exposed database leaked 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Certificate visibility is an identity governance control, not an infrastructure nicety. The Equifax breach shows that once certificate inventory becomes fragmented, the organisation loses the ability to renew, revoke, or audit machine credentials reliably. That is a governance failure because the control premise is simple: you cannot manage what you cannot see. The implication is that certificate ownership and discovery must sit inside identity governance, not in isolated platform silos.
Standing certificate exposure creates identity blast radius when dependent controls fail. The expired certificate did not merely represent outdated configuration; it removed a security function that should have detected the intrusion. That is the named failure mode here: identity blast radius, where one unmanaged certificate can suppress a downstream control and widen breach impact. Practitioners should treat certificate lifecycle as a containment boundary, not a housekeeping task.
Manual certificate administration does not scale to modern NHI estates. The article’s own scale point, with hundreds of thousands of certificates in large enterprises, explains why spreadsheet-led governance is structurally weak. As machine and workload identities multiply, certificate lifecycle becomes a continuous control problem involving discovery, ownership, expiry, and policy compliance. The practitioner conclusion is that lifecycle governance must be automated and centrally accountable before the estate outruns the process.
PKI failures expose the same governance pattern now seen across broader NHI risk. A certificate is one form of non-human identity, and the same visibility gap that broke Equifax also appears in secrets sprawl, orphaned service accounts, and unmanaged workload credentials. The disciplines differ, but the failure is consistent: identity artifacts outlive the processes meant to govern them. The implication is that mature identity programmes must unify human, machine, and certificate governance under one lifecycle model.
NIST’s emphasis on central visibility aligns with the core lesson of this breach. When discovery, replacement, and compliance are disconnected, expiry becomes a security event instead of a managed lifecycle state. The most durable takeaway is not to rely on alerts alone, but to build authoritative inventory and renewal control as a baseline governance capability. Practitioners should assume that any certificate without clear ownership is already a risk.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
- For lifecycle depth, review NHI Lifecycle Management Guide for the governance pattern that prevents identity artifacts from outliving ownership.
What this signals
Certificate sprawl is now a programme-level governance issue. When certificate estates reach the scale described in the article, local administration stops being a control and becomes a liability. Teams should expect more pressure to prove authoritative inventory, clear ownership, and renewal automation across both infrastructure and identity programmes, especially where non-human identities are already expanding.
Identity programmes need a shared lifecycle model for human, machine, and certificate credentials. The same root cause that surfaces in expired certificates also appears in unmanaged service accounts and orphaned secrets. The governance signal is clear: if lifecycle processes are still split by platform or team, breach containment will remain inconsistent.
A practical next step is to align certificate governance with identity lifecycle controls and wider NHI guidance, including the 52 NHI Breaches Analysis and the OWASP Non-Human Identity Top 10. That gives practitioners a way to connect expiry management, ownership, and auditability into one operating model.
For practitioners
- Build a central certificate inventory: Track every TLS and operational certificate with owner, system, expiry date, and renewal path in one authoritative register. Use it to identify certificates that have no named business owner or depend on local admin memory.
- Map certificates to dependent security functions: Document which control each certificate enables, such as scanning, authentication, or encrypted communications, so expiry events can be prioritised by security impact rather than by certificate count alone.
- Automate expiry monitoring and renewal workflows: Replace spreadsheet and email-based follow-up with policy-driven alerts, approval routing, and renewal runbooks that can act before the certificate reaches expiry.
- Fold certificate governance into NHI lifecycle reviews: Include certificates in access reviews, offboarding, and inventory attestations so that machine identity controls are governed with the same discipline as service accounts and other non-human identities.
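The register check described in the technical breakdown and in the steps above, as an added example that is not from DigiCert’s article or the original post: a Python script over a constructed sample register that flags expired and expiring certificates, certificates with no named owner, and the Equifax pattern of a dependent control that went silent at the moment its certificate expired. The thresholds, the hypothetical `pki-governance` escalation queue, the sample hosts, and the `control_last_seen` heartbeat field are assumptions; only the `fetch_not_after` discovery helper uses a real standard-library API.

```python
"""Added example: policy check over a certificate register (constructed data).

Flags expired/expiring certificates, orphaned certificates, and the Equifax
failure mode: a certificate whose dependent security control stopped reporting
when the certificate expired, i.e. a silent detection blind spot.
"""
import socket
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

WARN_DAYS = 30                          # assumed: renewal should be underway
CRITICAL_DAYS = 7                       # assumed: escalate to owner and PKI governance
DEFAULT_ESCALATION = "pki-governance"   # hypothetical fallback queue for orphaned certs


@dataclass
class CertRecord:
    name: str                          # subject CN or friendly name
    system: str                        # host or appliance carrying the cert
    not_after: datetime                # expiry, timezone-aware UTC
    owner: Optional[str]               # named business owner; None = orphaned
    dependent_controls: list = field(default_factory=list)   # controls this cert enables
    control_last_seen: Optional[datetime] = None              # last heartbeat from that control


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> datetime:
    """Discovery helper (stdlib only): read notAfter from a live TLS endpoint.
    Used to populate register rows; not called in the offline run below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


SEVERITY_RANK = {"OK": 0, "WARNING": 1, "ORPHANED": 2, "CRITICAL": 3,
                 "EXPIRED": 4, "CONTROL_BLIND_SPOT": 5}


def classify(rec: CertRecord, now: datetime):
    """Return (days_left, findings). days_left is negative once the cert has expired."""
    days_left = (rec.not_after - now).days
    findings = []
    if rec.owner is None:
        findings.append(("ORPHANED", "no named owner; renewal has nowhere to route"))
    if days_left < 0:
        findings.append(("EXPIRED", f"expired {-days_left} days ago on {rec.system}"))
    elif days_left <= CRITICAL_DAYS:
        findings.append(("CRITICAL", f"{days_left} days left; escalate now"))
    elif days_left <= WARN_DAYS:
        findings.append(("WARNING", f"{days_left} days left; start renewal"))
    # Blind-spot check: the cert has expired and the control it enables has not
    # reported since the expiry, so detection coverage is gone, not just the cert.
    if (days_left < 0 and rec.dependent_controls and rec.control_last_seen is not None
            and rec.control_last_seen <= rec.not_after):
        silent = (now - rec.control_last_seen).days
        findings.append(("CONTROL_BLIND_SPOT",
                         f"{', '.join(rec.dependent_controls)} silent for {silent} days"))
    return days_left, findings


def top_severity(findings) -> str:
    return max((code for code, _ in findings), key=SEVERITY_RANK.__getitem__, default="OK")


def escalation_target(rec: CertRecord) -> str:
    """Expiry must never pass without an owner: orphans go to the governance queue."""
    return rec.owner if rec.owner else DEFAULT_ESCALATION


def evaluate_register(records, now: datetime):
    """Rank the register so blind spots and expired certs come first, then by time left."""
    rows = []
    for rec in records:
        days_left, findings = classify(rec, now)
        rows.append({"name": rec.name, "system": rec.system, "days_left": days_left,
                     "severity": top_severity(findings),
                     "escalate_to": escalation_target(rec), "findings": findings})
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["days_left"]))
    return rows


# Constructed sample register (not real Equifax data). NOW is fixed for reproducibility.
NOW = datetime(2026, 1, 30, tzinfo=timezone.utc)
SAMPLE_REGISTER = [
    # inspection appliance: cert expired ~19 months ago, no owner, control went silent at expiry
    CertRecord("ssl-inspect-appliance", "netmon-01", NOW - timedelta(days=580), None,
               ["tls-traffic-inspection"], control_last_seen=NOW - timedelta(days=581)),
    CertRecord("www.example.test", "web-01", NOW + timedelta(days=5), "web-team",
               ["tls-termination"], control_last_seen=NOW),
    CertRecord("api.internal.test", "api-01", NOW + timedelta(days=20), "platform-team"),
    CertRecord("vpn.example.test", "vpn-gw-01", NOW + timedelta(days=200), "netops"),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER, NOW):
        print(f"{row['severity']:<19} {row['name']:<24} {row['days_left']:>5}d -> {row['escalate_to']}")
        for code, detail in row["findings"]:
            print(f"    {code}: {detail}")
```

Run as-is to see the ranked register; in practice the rows come from a discovery job that calls `fetch_not_after` (or reads certificates from appliances and keystores) and the heartbeat field comes from the monitoring system. The point of ranking by control impact rather than by days to expiry is that the appliance row lands at the top even though it is long past any renewal window: an expired certificate with a silent dependent control is an active detection gap, not a stale inventory entry.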
Key takeaways
- The Equifax case shows that an expired certificate can become a breach enabler when organisations lack central visibility and ownership.
- The scale of impact was severe: 76 days of undetected exfiltration, approximately 147 million people affected in the US, and a settlement of at least $575 million with the FTC, the CFPB, and US states.
- The control that matters most is authoritative certificate lifecycle management with inventory, ownership, and renewal automation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | The inventory and ownership gaps that leave NHIs undecommissioned are the same gaps that let a certificate expire unnoticed. |
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for services and hardware, including certificates, are managed by the organisation. |
| NIST SP 800-53 Rev. 5 | SC-17 Public Key Infrastructure Certificates | Certificates are issued and managed under an approved policy, which underpins trusted communications and device verification. |
Inventory all certificates, assign owners, and automate renewal before expiry becomes operational risk.
Key terms
- Certificate lifecycle management: Certificate lifecycle management is the process of discovering, issuing, tracking, renewing, and retiring digital certificates before they fail or fall out of policy. In practice, it links ownership, expiry monitoring, and renewal automation so certificates remain visible and trustworthy throughout their useful life.
- Central certificate inventory: A central certificate inventory is an authoritative register of all certificates used across an environment, including owners, systems, expiry dates, and policy status. It reduces the chance that hidden or orphaned certificates expire unnoticed and create outages, blind spots, or control failures.
- Non-human identity: A non-human identity is any digital identity used by software rather than a person, including certificates, service accounts, tokens, API keys, and workload credentials. These identities still need ownership, lifecycle control, and governance because they can outlive teams, systems, and assumptions.
- Identity blast radius: Identity blast radius is the amount of damage that can spread when one identity artifact is overexposed, unmanaged, or allowed to fail. In certificate governance, a single missed expiry can disable a control, widen detection gaps, and increase the scope of compromise.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert covering the Equifax data breach: Lessons from the Equifax data breach. Read the original.
Published by the NHIMG editorial team on 2026-01-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org