In 2017, the Atlanta-based credit bureau Equifax suffered a massive data breach that saw the personal information of 150 million people compromised. According to the company’s recent earnings release, the cost of the Equifax data breach has risen to $1.5 billion plus legal fees.
A few months before the attack, the Department of Homeland Security had warned Equifax about a software vulnerability, which was then exploited to gain access to consumer data between May and July of 2017.
In response to the breach, hundreds of class-action lawsuits were filed on behalf of consumers whose personal information was compromised. Shareholders also filed lawsuits, and the company has faced litigation from several states and cities. Equifax has settled many of the lawsuits, although a significant number are still active, and the company remains under investigation by federal and state regulators and foreign government agencies.
Equifax is attempting to move on from the breach: many settlements have been reached and are pending court approval, and a single consumer redress fund has been set up to consolidate redress requests. Regulatory fines will certainly be issued, and further settlements will be required to resolve outstanding lawsuits. The cost of the data breach is therefore likely to rise considerably.
In response to the breach, Equifax has undergone considerable restructuring and has improved its security protections; however, there is concern that the data breach has not yet resulted in greater oversight of the credit reporting industry.
This week, legislation has been re-introduced that seeks to improve government oversight of credit bureaus, ensure greater regulation of data security at credit reporting agencies, and increase the mandatory penalties for future data breaches at credit bureaus.
“It’s been over a year and a half since Equifax opened the doors to hackers who stole the personal data of more than half the adults in the country,” said Senator Elizabeth Warren (D-MA), who re-introduced the legislation. The re-introduced bill “would hold companies like Equifax accountable for failing to protect consumer data, would compensate consumers injured by these breaches and help ensure that they never happen again.” The threat of increased penalties would help to ensure that credit reporting agencies prioritize the security of sensitive consumer information.