Equifax Will Fork Up to $700 Million to Compensate for 2017 Data Breach


Those impacted by the breach may be eligible to receive up to $20,000 in cash payments.

Nearly two years after a catastrophic data breach compromised the sensitive personal information of more than 140 million people, credit reporting agency Equifax agreed to pay up to $700 million to help those consumers recover. 

Equifax struck a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories. The agreement is still subject to approval by a federal court, according to an FTC statement issued Monday.

“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” FTC Chairman Joe Simons said in a statement. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

The FTC alleges that the company failed to implement basic security measures, which ultimately allowed bad actors to access a staggering amount of consumer data in 2017. In March of that year, Equifax was alerted to a critical security vulnerability in a specific database holding troves of personal credit information, but by July the database remained unpatched. Hackers were able to access an unsecured file with administrative credentials inside it, which then allowed them to retrieve customers’ personal information while operating undetected on the company’s networks for months. 

Once Equifax’s security team detected suspicious traffic within its network, it was too late. 

“[H]ackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates,” FTC said. 

According to the proposed settlement, the company has agreed to allocate at least $300 million, and up to $425 million, into a fund that will provide consumers impacted by the breach with credit monitoring services. It also aims to compensate individuals who bought their own monitoring services to protect themselves after the breach, offering to pay $125 to those who personally funded at least six months of such services. 

In a statement, Equifax Chief Executive Officer Mark Begor said the consumer fund “reinforces [the company’s] commitment to putting consumers first and safeguarding their data—and reflects the seriousness with which we take this matter.”

Those impacted by the breach may also be eligible to receive up to $20,000 in reimbursements for the time and money they spent to protect themselves or recover from identity theft, and for 25% of what they paid for Equifax credit monitoring or identity protection products during the year before the breach was announced.

While those affected cannot file a claim just yet, FTC said they can sign up for email alerts about the settlement to stay up to date on the latest information around how to proceed. The claims process will likely begin following court approval. 

Equifax also said it would pay $175 million to 48 states, the District of Columbia and Puerto Rico, and $100 million to the CFPB in civil penalties. And starting in January 2020, the company will offer all U.S. consumers six free credit reports each year for seven years. 

On top of providing financial relief, the company must also implement “a comprehensive information security program” through which it will designate an employee to oversee the information security program, conduct assessments of internal and external security risks, and implement safeguards to address potential threats and vulnerabilities, among other measures. 

And lawmakers from both chambers were quick to weigh in on the settlement—a few issuing harsh statements that it does not go far enough to make up for the lifelong detrimental impacts such breaches have on American consumers.  

“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” Energy and Commerce Committee Chairman Rep. Frank Pallone, Jr., D-N.J., said in a statement. “It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail.”

Sen. Mark Warner, D-Va., who is co-sponsoring a bill that would hold credit reporting agencies more accountable for data breaches, also called for steeper penalties on credit bureaus that fail to secure Americans’ sensitive personal data.

“While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again,” Warner said in a statement. 
