Equifax Settles 2017 Data Breach
Equifax will pay $700 million to settle federal and state investigations into the 2017 breach, which exposed the data of almost 150 million customers. The consumer credit reporting agency will pay $300 million to cover free credit monitoring services for customers whose data was breached, $175 million to 48 U.S. states, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.
According to Federal Trade Commission (FTC) Chairman Joe Simons, companies that profit from personal information have an extra responsibility to protect and secure that data. Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.
Equifax handles data associated with more than 820 million customers and 91 million businesses worldwide. It has been under public scrutiny since September 2017, when it disclosed a data breach that affected almost 150 million Americans. The attackers accessed information containing Social Security numbers, birth dates, addresses, and some driver's license numbers. They had access to the company's files for nearly 12 weeks before the intrusion was discovered.
After the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, and the Attorneys General of 48 states. The lawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted to a critical security flaw. The flaw was an Apache Struts vulnerability, CVE-2017-5638, in its Equifax Automated Consumer Interview System database. Attackers exploited this vulnerability, which led to the data breach.
As part of the agreement, Equifax will also take steps to enhance its information security and technology program. Equifax will make payments amounting to about $290 million to state and federal regulatory agencies to pay attorneys' fees and costs in the multi-district litigation.
Over the past month, several fines and penalties have been imposed for privacy and data breach incidents. Earlier in July, the FTC fined Facebook $5 billion for privacy violations related to its Cambridge Analytica incident. Also hit with security-related fines in July were Marriott ($125 million) and British Airways ($230 million). While opinions are mixed about the appropriate penalty for these companies, security experts hope that other companies will remember the fines when it comes to data security and privacy.