Equifax Data Breach Settlement Of Up To $700M Largest Ever
Equifax will pay up to $425 million into a victim’s compensation fund and $275 million in civil penalties to settle litigation around a 2017 data breach that affected 147 million consumers.
Equifax will pay up to $700 million to federal and state agencies to settle litigation around the 2017 data breach that affected 147 million people, according to the Federal Trade Commission (FTC).
The Atlanta-based credit reporting agency will pay $300 million to provide affected consumers with credit monitoring services and reimburse consumers that paid out-of-pocket for credit or identity monitoring services as a result of the 2017 data breach, the FTC said. Equifax will pay another $125 million if the initial amount isn't enough to compensate consumers for their losses.
Equifax has also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the Consumer Financial Protection Bureau (CPFB) in civil penalties, according to the FTC. The settlement is subject to court approval, and would be the largest ever paid by a company over a data breach.
"Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers," FTC Chairman Joe Simons said in a statement. "This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud."
The information security and technology program at Equifax will continue to be enhanced as part of the settlement, according to the company. Equifax said it has the financial capacity to both manage the settlement and continue with its $1.25 billion technology and security investment program.
"The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter," Equifax CEO Mark Begor said in a statement. "We are focused on the future of Equifax and returning to market leadership and growth."
The maximum settlement amount of $700 million is equivalent to 20.5 percent of the company's $3.41 billion in sales in 2018. Equifax's stock is up $1.08, or 0.79 percent, to $138.38 in trading Monday morning.
In addition to the monetary payout, the FTC said Equifax is required to implement a comprehensive information security program with a designated leader. The program must conduct annual assessments of internal and external security risks, implement safeguards to address potential risks, and test and monitor the effectiveness of said safeguards, according to the FTC.
Equifax must ensure that service providers who access personal information stored by the company also implement adequate safeguards to protect the data, the FTC said. The company's security program must be assessed by a third party once every two years who conducts independent sampling, employee interviews, and document reviews.
The FTC alleged in its complaint filing that Equifax's failure to secure the massive amounts of personal information stored on its network made it possible for hackers to steal at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment cards numbers and expiration dates.
Specifically, the FTC claimed the Equifax had no policy to ensure security vulnerabilities were patches, no database segmentation to block access to other parts of the network if a database was breached, and no robust intrusion detection protections for legacy databases. The FTC also said Equifax stored network credentials and passwords, Social Security numbers, and other sensitive information in plain text.
As a result, the FTC said Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability in its ACIS database, which handles inquiries from consumers about their personal credit data. In fact, Equifax didn't even discover that its ACIS database was unpatched until three months later, according to the FTC.
A company investigation found that multiple hackers were able to exploit the ACIS vulnerability to gain access to Equifax's network, where they procured an unsecured file that included administrative credentials stored in plain text, the FTC said. These credentials made it possible for the adversaries to access vast amounts of customer information and operate undetected on Equifax's network for months.
The FTC accused Equifax of violating prohibitions against unfair and deceptive practices as well as rules requiring financial institutions to develop, implement, and maintain a comprehensive information security program. Despite failing to implement basic security measures, the FTC said Equifax's privacy policy at the time claimed the company had reasonable safeguards in place to protect consumer data.