Sensitive information on millions of customers was exposed during the 2017 Equifax data breach, including names, addresses and payment card details
Credit reporting agency Equifax has agreed to pay up to $700m in a settlement deal with US regulators relating to a large-scale data breach in 2017.
The agreement was reached with the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB), which alleged the Atlanta, Georgia-based firm failed to adequately secure its IT network.
It led to a breach that exposed sensitive information about almost 150 million customers.
In September last year, the UK’s Information Commissioner’s Office handed Equifax’s UK division a £500,000 ($618,000) fine relating to the same incident, for failure to protect customer information.
Equifax has agreed to pay at least $575m – potentially rising to $700m – to settle the case brought against it by the FTC, representing the US regulator’s largest data breach settlement to date.
At least $300m of this figure will be paid into a fund that will provide affected consumers with credit monitoring services, although this could rise to $425m if the initial payment is not sufficient to compensate consumers for their losses.
FTC chairman Joe Simons said: “Companies that profit from personal information have an extra responsibility to protect and secure that data.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Equifax will also pay $175m to 48 US states, the District of Columbia and Puerto Rico, as well as $100m to the CFPB in civil penalties.
Hackers were able to access ‘vast amounts’ of customer data during the 2017 Equifax data breach
The case against Equifax alleges the firm failed to respond to a security vulnerability flagged in March 2017 affecting a database containing information about customers and their credit data.
It was later discovered that hackers had been able to exploit the vulnerability and access “vast amounts” of customer data, including 147 million names and dates of birth and 209,000 payment card numbers and expiry dates.
The FTC said the breach had been possible because Equifax had failed to implement “basic” cybersecurity measures and to patch the vulnerability when first alerted to it.
Consumer Financial Protection Bureau director Kathleen Kraninger said: “The incident at Equifax underscores the evolving cybersecurity threats confronting both private and government computer systems, and actions they must take to shield the personal information of consumers.
“Too much is at stake for the financial security of the American people to make these protections anything less than a top priority.
“For consumers impacted by the Equifax breach, this settlement will make available up to $425m for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach.
“We encourage consumers impacted by the breach to submit their claims in order to receive free credit monitoring or cash reimbursements.”
Equifax hopes to ‘move forward’ from 2017 data breach following settlement
Equifax collects and aggregates financial data on millions of individual customers and businesses worldwide, and is one of the “big three” credit scoring agencies along with Experian and TransUnion.
Responding to the settlement, Equifax CEO Mark Begor said: “This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cyber security incident, and focus on our transformation investments in technology and security.
“The consumer fund of up to $425m reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter.
“We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25bn EFX2020 technology and security investment program.
“We are focused on the future of Equifax and returning to market leadership and growth.”
FTC settlement a warning to credit bureaus, but will have ‘little material impact’ on consumer security
Despite the size of Equifax’s settlement with US regulators, doubts remain over the extent to which it will compel other organisations storing sensitive consumer data to improve their security measures.
Tim Bedard, security product marketing director of cyber security firm OneSpan, said: “The Equifax settlement is a ‘warning shot across the bow’ to all the other credit bureaus, credit monitoring companies and any organisation which collects massive quantities of sensitive personal information.
“The real question is: will the shot be heard?
“Some organisations will hear the warning and start to proactively revamp and retool their own security and data protection best practices.
“But they are the minority. The vast majority of organisations will continue with business as usual until they are the next news headline.
“Remember, it is not a matter of if you are breached, it is a question of when you are breached these days.
“So while the Equifax settlement of $700m is a great headline and will hurt the company financially and its reputation in the short term, it will have very little material impact on the future of consumer security.”