Equifax will finally have to pay for its 2017 data breach, which compromised up to 147 million users and exposed sensitive information like credit card numbers, Social Security numbers, names, birthdays and addresses. The Federal Trade Commission (FTC) has revealed that Equifax has agreed to pay at least $575 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB) and 50 U.S. states and territories. The company could pay up to $700 million under the settlement.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
According to the FTC, Equifax failed to secure the massive amount of data on its network after it was alerted to a critical security vulnerability, and that is what led to the 2017 breach. The company was alerted in March 2017 and didn’t realize its database had gone unpatched until July 2017, the FTC explained. “A company investigation revealed that multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information and to operate undetected on Equifax’s network for months,” the FTC said in a statement.
Equifax will spend up to $425 million on those affected by the breach. This will include free credit monitoring or a $125 cash payment, reimbursement for time, cash payments up to $20,000, and free identity restoration services. In addition, starting next year, Equifax will provide U.S. consumers with six free credit reports a year for seven years. Other penalties include $174 million to 48 states, the District of Columbia and Puerto Rico, and $100 million to the CFPB in civil penalties, the FTC revealed.
“Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority,” said Kathleen Kraninger, CFPB director.
Additionally, Equifax will be required to implement a comprehensive information security program that will include designating an employee to oversee the program, conducting annual assessments of internal and external security risks, obtaining annual certifications, and putting testing and monitoring capabilities in place to create security safeguards.
“The cloud over Equifax finally appears to be clearing, but at a staggering cost. Its global settlement offers important lessons for companies dealing in consumer data,” said Robert Cattanach, partner at the international law firm Dorsey & Whitney. “Companies need to re-think how and why they collect sensitive consumer information, as well as why and for how long they keep it. The financial benefits of monetizing consumer data come with a huge potential cost when it is compromised, and the Equifax settlement signals a determination by regulators to extract that cost.”