Equifax to pay up to £561m to settle multiple data breach complaints
22 July 2019
US credit rating agency Equifax has reportedly agreed to pay up to $700m (£561m) to the Federal Trade Commission and state governments as a final settlement amount for the massive data breach it suffered in 2017 that compromised personal details of approximately 147 million people.
Earlier today, the US Federal Trade Commission (FTC) announced in a press release that Equifax has agreed to pay “at least $575 million, and potentially up to $700 million” as part of a final settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and fifty US states and territories.
The amount will be used to settle multiple lawsuits brought forward by the FTC and several state governments and consumer groups after Equifax suffered a massive data breach in 2017 that compromised personal and financial data of approximately 147 million people.
In February last year, Equifax announced that in addition to 693,665 Britons whose driving license numbers, Equifax usernames, passwords, email addresses and partial credit card details were compromised by the data breach, phone numbers of a further 167,431 British customers were also exposed to hackers behind the incident.
Equifax accepts responsibility, agrees to fund credit monitoring services for 147m customers
According to the FTC, Equifax will pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a further $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB).
In addition, the credit rating agency will pay up to $300 million to fund credit monitoring services and other out-of-pocket expenses for millions of citizens whose personal details were compromised by the data breach. If that amount proves insufficient to cover these expenses, the agency will pay an additional $125 million to ensure credit monitoring services are made available to every affected person, taking the total settlement to $700 million (£561 million).
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” said Joe Simons, chairman of the FTC.
“Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers.
“For consumers impacted by the Equifax breach, today’s settlement will make available up to $425 million for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach,” he added.
The FTC has held Equifax squarely responsible for failing to prevent the massive data breach in 2017, in which hackers exploited a critical security vulnerability in the agency’s ACIS database to gain access to personal and financial data belonging to nearly 150 million people.
It said that until June 2017, Equifax was not aware that the database was vulnerable to unauthorised access, and that by then hackers had already exploited its flaws to reach an unsecured file containing administrative credentials stored in plain text.
Using these administrative credentials, the hackers then gained access to vast amounts of consumers’ personally identifiable information, including at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates.
Equifax failed to implement basic security measures
The FTC noted that Equifax failed to implement basic security measures: it had no policy to ensure that known security vulnerabilities were patched; it did not segment its database servers, so that a breach of one database gave access to other parts of the network; and it did not install robust intrusion detection protections for its legacy databases.
Equifax also stored vast amounts of information such as Social Security numbers, network credentials, passwords and other sensitive consumer data in plain text, which meant that once inside the network the hackers could read such information without any further effort.
In September last year, the UK Information Commissioner’s Office (ICO) also issued a fine of £500,000 to Equifax for failing to safeguard the personal details of up to 15 million UK citizens that were compromised by the massive data breach.
“The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures.
“Our investigation also found that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken meaning a consumer-facing portal was not appropriately patched,” it said.