US fines Equifax $700m over 2017 breach
Financial and credit services firm Equifax has agreed to pay at least $575m, and potentially up to $700m (£614.4m) in a global settlement with the US Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and 50 US states and territories, after its failure to secure its network saw more than 140 million customer records stolen in September 2017.
The breach of Equifax’s systems was the result of an unpatched website vulnerability that enabled the perpetrators to compromise records including dates of birth, social security numbers, home addresses, and other personal information.
Although it did not affect any systems in the UK, the attack did see the personal data of some UK consumers compromised in the form of 15.2 million UK records dating from between 2011 and 2016. The company was subsequently slapped with a £500,000 fine by the Information Commissioner’s Office (ICO) – the highest possible fine under pre-General Data Protection Regulation (GDPR) legislation.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Under the terms of the settlement, Equifax will pay $300m into a fund to pay for credit monitoring services for the affected consumers, and compensate any who bought credit or identity monitoring services from Equifax or paid other expenses because of the breach. Should the fund run dry, the settlement provides for a second payment of $125m.
Equifax will also be made to offer all US consumers six free credit reports a year for the next seven years, in addition to the one free annual check it already offers. It will also pay $175m to 48 states, the District of Columbia and Puerto Rico, and $100m to the CFPB in civil penalties.
CFPB director Kathleen Kraninger said the settlement was “not the end” of the organisation’s efforts to ensure consumers’ personal data was kept secure.
“The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers,” she said.
“Too much is at stake for the financial security of the American people to make these protections anything less than a top priority. We encourage consumers impacted by the breach to submit their claims in order to receive free credit monitoring or cash reimbursements.”
The size of the fine, which dwarfs the FTC’s previous record fine levied on minicab firm Uber, reflects information that came to light after the breach. Investigators found that Equifax was alerted to the critical security vulnerability in March 2017 and was ordered to patch the vulnerable systems within 48 hours, but it did not follow up to ensure the order was carried out for four months, when its security team detected suspicious traffic on its network.
Hackers were able to exploit the vulnerability to enter Equifax’s network and access an unsecured file that included administrator credentials stored in plain text. From there, the attackers were easily able to access customer information, and may have done so without being spotted for several months.
Going forward, Equifax will now be made to implement a “comprehensives information security programme” that requires it to take several measures, including: assigning an information security overseer; conducting annual internal and external risk assessments and implementing safeguards to address them, including patch management; obtaining annual certifications from its board attesting that it has complied with these requirements; ongoing testing and monitoring of the effectiveness of its safeguards; and ensuring any third-party service providers that access personal information stored at Equifax – such as banks – have adequate security precautions themselves.
The firm will also have to obtain third-party assessments of its security programme every two years, with the assessor to be approved by the FTC.
Equifax CEO Mark Begor described the settlement as a positive step, both for the company and for US consumers.
“The consumer fund of up to $425m that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter,” said Begor.
“We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25bn EFX2020 technology and security investment programme. We are focused on the future of Equifax and returning to market leadership and growth.”