Equifax, a credit score company, has agreed to pay at least $565m to settle claims arising from a data breach in 2017.
The settlement, which could rise to as much as $700m, was reached with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and 50 US states and territories. The penalty follows allegations that Equifax failed to take reasonable steps to secure its network and was hit by a data breach which affected 147 million people.
Information exposed included names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.
As part of the settlement, Equifax will pay $300m into a fund which will provide affected consumers with credit monitoring services. It will also compensate consumers who bought credit or identity monitoring services from Equifax and had to pay expenses due to the data breach.
If the initial fund does not compensate the losses, the company will add a further $125m to the fund.
Furthermore, as of January 2020, Equifax will give all US consumers six free credit reports each year, for seven years, as well as a free annual credit report.
The company has also agreed to pay $175m to 48 states, the District of Columbia and Puerto Rico, and $100m to the CFPB in civil penalties.
Consumer Financial Protection Bureau director Kathleen Kraninger said, “The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers.
“Too much is at stake for the financial security of the American people to make these protections anything less than a top priority. For consumers impacted by the Equifax breach, today’s settlement will make available up to $425 million for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach. We encourage consumers impacted by the breach to submit their claims in order to receive free credit monitoring or cash reimbursements.”
The alleged failure was that Equifax did not patch its network after being alerted to a critical security vulnerability in the database holding customers’ personal credit data. The security team recommended a patch, but none was applied. Equifax only realised the vulnerability had not been fixed when the security team identified suspicious activity months later.
An internal investigation found that multiple hackers had exploited the vulnerability and accessed the information of 147 million people. Of these, 145.7 million Social Security numbers and 209,000 payment card details were compromised.
The FTC believes the breach occurred because Equifax did not take simple preventive measures. These include patching known vulnerabilities, segmenting database servers so that a breach of one dataset does not give access to others, and implementing robust detection measures.
In response to the announcement, Equifax CEO Mark Begor said, “This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter. We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.”
In addition to the monetary settlement, the company is required to take several steps to strengthen its security. Equifax must now designate an employee to oversee its information security program, and must carry out annual assessments of internal and external security risks.
Copyright © 2018 RegTech Analyst