Equifax will pay up to $700 million to settle with the U.S. and states over a 2017 data breach that exposed Social Security numbers and other private information of nearly 150 million people.
The settlement with the U.S. Consumer Financial Protection Bureau and the Federal Trade Commission, as well as 48 states and the District of Columbia and Puerto Rico, would provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief.
The breach was one of the largest ever to threaten private information. The consumer reporting agency, based in Atlanta, did not detect the attack for more than six weeks. The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and in some cases, data from passports.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter,” said Equifax Chief Executive Mark Begor.
Affected consumers may be eligible to receive money by filing one or more claims for conditions including money spent purchasing credit monitoring or identity theft protection after the breach and the cost of freezing or unfreezing credit reports at any consumer reporting agency.
All impacted consumers would be eligible to receive at least 10 years of free credit-monitoring, at least seven years of free identity-restoration services, and, starting on Dec. 31 and extending seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period.
“The Equifax breach of September 2017 was one of the largest data breaches with up to 145M users’ personal data compromised. We can be confident that a large number of the compromised users’ sensitive information from the Equifax breach is still actively in use in account takeover (ATO) attacks,” said Deepak Patel, security evangelist with PerimeterX. “Cybercriminals can combine data from different breaches – for example, name and address from one with the date of birth and password from another – to increase the success rate of credential stuffing. The Equifax data breach has key data like the last four digits of a social security number and date of birth. These could be used to take full control of user accounts without their knowledge. The Equifax data breach was particularly harmful to any online business since it possibly involved every U.S. consumer and their sensitive data all in one massive breach.
“When the Equifax and British Airways breaches happened in 2017, it seemed like regulators would let them off easy with a slap on the wrist. But the FTC and GDPR are imposing meaningful fines to hold these large corporations accountable for breaches involving sensitive user data. It is imperative that businesses quickly review their security protocols and consider additional safeguards before they too are both compromised and fined,” Patel said.
Colin Bastable, chief executive at Lucy Security, thinks more could be done to help consumers.
“We need a consumer compensation fund, into which all of these fines are paid, for disbursement to long-abused U.S. consumers,” Bastable said. “And maybe we could rein in the credit reporting industry – if they did not collect and sell our personal financial data, we would not be in this mess.”