Outrage, lawsuits and justifiable anxiety exploded following disclosure of the 2017 Equifax breach. Authorities announced a record $650 million settlement of federal and state investigations, and class-action litigation.
The final price tag could grow to as much as $700 million for the Atlanta-based credit-reporting agency over the sensitive information exposure of an estimated 145-148 million Americans including Social Security numbers, birth dates and home addresses. Equifax admitted that hackers accessed certain files from mid-May through July 2017 but waited until Sept. 7, 2017, to warn consumers.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC Chairman Joe Simons said. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
The largest settlement for a data breach settles numerous inquiries into Equifax by the Federal Trade Commission, the Consumer Financial Protection Bureau and almost every state attorney general. It also resolves pending class-action lawsuits against the company. “This company’s ineptitude, negligence and lax security standards endangered the identities of half the U.S. population,” New York Attorney General Letitia James said in a statement.
The deal announced Monday, which still needs court approval, would require Equifax to put a minimum of $380.5 million into a consumer restitution fund for Americans filing claims showing they were financially harmed. The compensation fund could reach $425 million. Equifax also agreed to 10 years of free credit monitoring services to data exposure victims. The settlement assumes that around 7 million people will sign up for that service.
Equifax will pay an additional $50 million to the CFPB and $175 million in fines to end investigations by 50 attorneys general. Forty-eight states — all except Indiana and Massachusetts, which separately filed their own lawsuits against Equifax — are part of the deal, along with the District of Columbia and Puerto Rico.
This untethered information could still come back to haunt financial institutions and their customers in the form of account takeovers, fraudulent charges and other criminal uses involving identity theft.
President and CEO Dan Berger of the National Association of Federally Insured Credit Unions declared in a 2017 statement that it is credit unions and other financial institutions that help consumers after a merchant data breach. “It’s going to be the financial institution that makes them whole, that pays off the charges or replaces money in the customer’s checking account, or reissues the cards, and all those costs fall back on the financial institutions,” he said. “These big card breaches are going to continue until there’s a national standard that holds retailers and merchants accountable.”
In response to the settlement news, several security experts provided reaction:
Adam Laub, chief marketing officer, STEALTHbits Technologies, said, “I’m far from an Equifax apologist, but the truth is it could have been anyone. It is not an excuse, but rather the reality we live in. The best outcome isn’t Equifax making the situation right — although that is important for all of those affected — it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place.” He added, “There’s no silver bullet. There is no one thing that mitigates the exposure.” Laub recommended a multilayered, multifaceted approach.
“The Equifax breach of September 2017 was one of the largest data breaches with up to 145 million users’ personal data compromised,” Deepak Patel, security evangelist with PerimeterX noted. “We can be confident that a large number of the compromised users’ sensitive information from the Equifax breach is still actively in use in account takeover attacks.” Patel suggested cybercriminals can combine data from different breaches to increase the success rate of credential stuffing. “The Equifax data breach has key data like the last four digits of a Social Security number and date of birth. The Equifax data breach was particularly harmful to any online business since it possibly involved every U.S. consumer and their sensitive data all in one massive breach.”
Patel added for financial and travel verticals, e-commerce, and any business with online user accounts or rewards programs, it is imperative to deploy advanced bot management to protect against account takeover attacks. “When the Equifax and British Airways breaches happened in 2017, it seemed like regulators would let them off easy with a slap on the wrist. But the FTC and GDPR are imposing meaningful fines to hold these large corporations accountable for breaches involving sensitive user data. It is imperative that businesses quickly review their security protocols and consider additional safeguards before they too are both compromised and fined.”
Colin Bastable, CEO, Lucy Security, held, “We need a consumer compensation fund, into which all of these fines are paid, for disbursement to long-abused U.S. consumers. And maybe we could rein in the credit reporting industry — if they did not collect and sell our personal financial data, we would not be in this mess.”