The massive data breach at the credit reporting firm Equifax in 2017 exposed the personal and financial information of 147 million Americans. The breach triggered a series of federal and state investigations to determine how the breach occurred, whether it could have been prevented, and whether Equifax had implemented sufficient security controls. The investigation has been completed and the subsequent data breach case has now been resolved.
The FTC investigated Equifax and found there had been security failures that, if addressed, would have prevented the breach. In the FTC’s complaint, Equifax is alleged to have failed to patch a software vulnerability that affected its ACIS database. The database is used for inquiries about credit data by consumers. Equifax received an alert about the vulnerability in March 2017.
Equifax’s IT security team was aware that systems were vulnerable and ordered the patch to be applied within 48 hours on all vulnerable systems. However, there was no follow-up to ensure that the order had been carried out by the employees concerned. If the patch had been applied in the 48-hour time frame, or even several days later, the breach would have been avoided.
The vulnerability was exploited by several threat actors to gain access to the network. On the network was an unsecured file that contained a set of administrative credentials in plaintext. Those credentials were used to gain access to customer data.
FTC Chairman Joe Simons said, “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”
The Federal Trade Commission (FTC) announced this week that a settlement has been reached between the FTC, the Consumer Financial Protection Bureau (CFPB), and state attorneys general to resolve the case. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” said Simons.
Equifax has agreed to pay a financial penalty and set up a fund to cover claims for losses suffered by breach victims. All breach victims must also be given 7 years of additional credit monitoring services and free credit reports, and the company must invest in its security systems and significantly improve its security posture. The total cost of the settlement will be between $575 million and $700 million.
That figure is broken down as follows:
- $300 million fund to be set up to cover claims from affected consumers, up to a maximum of $20,000 per claimant.
- $125 million to be made available and added to the claims fund if the $300 million runs out.
- $175 million to be split between the 48 states, D.C., and Puerto Rico.
- $100 million in civil penalties to be paid to the CFPB.
In addition to the above financial penalty, Equifax was fined £500,000 by the UK Information Commissioner’s Office.
$700 million is a substantial financial penalty to pay, but the fund equates to less than $3 per breach victim. There has been considerable criticism of the size of the fine, with many people believing it should have been substantially higher given the extent of the breach, Equifax’s failure to follow basic cybersecurity best practices, and the impact the breach has had on consumers.
Equifax has already spent approximately $1.4 billion remediating the breach and updating its computer systems. Its planned investment in IT and security was doubled following the breach.