Equifax to pay at least $818m over 2017 data breach
US credit rating agency Equifax has agreed to pay at least US$575 million ($818.6 million) in a settlement agreement over the major 2017 data breach that affected around 147 million people.
The company has agreed to pay up to US$700 million as part of a global settlement with the US Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and 50 US states and territories.
The settlement resolves a complaint filed by the FTC alleging that Equifax failed to adequately secure the massive amount of personal information stored on its network.
An FTC investigation found that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting the database that handles inquiries from consumers about their personal credit data.
The company did not realise that its database was still unpatched until July of that year, when the data breach was first discovered. Multiple attackers were able to exploit the vulnerability to gain access to the network.
Equifax was also found to have kept administrative credentials for its network in an unsecured plain-text file, which the attackers were able to use to gain access to vast amounts of private customer data while remaining undetected on the network for months.
Equifax was also found to have committed other elementary errors such as failing to segment its database servers to block access to other parts of the network once one database was breached, and failing to install robust intrusion detection protections for its legacy databases.
As a result, Equifax fell victim to a major data breach in 2017 that led to the compromise of around 147 million people's personal information, potentially including names, dates of birth, Social Security numbers, physical addresses and other sensitive personal information.
Under the proposed settlement, Equifax will pay US$300 million into a fund that will provide affected consumers with credit monitoring services and compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the breach.
Equifax will also add up to US$125 million to the fund if the initial US$300 million is deemed to be inadequate for compensating consumers for their losses, and provide all US consumers with six free credit reports per year for seven years in addition to the one free annual credit report that it already provides.
Finally, Equifax has agreed to pay US$175 million in compensation to 48 US states as well as the District of Columbia and Puerto Rico, and US$100 million to the CFPB in penalties.
Equifax has also committed to taking measures to improve its security posture, such as designating an employee to oversee its information security program and conducting annual assessments of internal and external security risks.
The company has also agreed to obtain third-party assessments of its information security program every two years and to provide an annual update to the FTC on the status of the consumer claims process.
Robert Cattanach, a partner at international law firm Dorsey & Witney, said the settlement agreement offers important lessons for companies dealing in consumer data.
“First, federal and state regulators have lost all patience with companies whose lax security measures have compromised extremely sensitive consumer information, and the Equifax settlement raises the bar considerably for any company suffering a similar hack in the future,” he said.
“Second, the top executives of companies must be significantly more engaged when it comes to cybersecurity. Equifax’s CEO was not the first to lose his job over a hack, and certainly won’t be the last. Finally, companies need to rethink how and why they collect sensitive consumer information, as well as why and for how long they keep it.”