There’s been another page written in the ongoing story of the Equifax data breach.
If you haven’t been following the torrid tale, here’s a quick recap on who Equifax is.
Equifax – the credit reporting agency which you most likely are not a customer of… but which still holds personal information about you.
Equifax – the company which knew its systems were vulnerable months before the hack occurred, but failed to patch its online dispute web portal.
Equifax – the company which waited 40 days before revealing that approximately 143 million US consumers may have had their names, social security numbers, dates of birth, addresses, credit card details, and driving licences accessed by hackers. (And longer still to admit that 15.2 million Brits were also affected.)
Equifax – the company whose CIO exercised share options before the hack was made public, and was later jailed for insider trading.
Yes, that Equifax.
Well, the latest development is that Equifax has agreed to pay at least US $575 million (rising to potentially as much as US $700 million) as part of a settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 US states and territories.
The FTC says that, as part of the settlement, at least US $300 million will be paid by Equifax into a fund to compensate consumers and provide them with credit monitoring services:
“Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.”
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
The company has already been hit with a £500,000 fine in the UK from the Information Commissioner’s Office (ICO).
The size of the FTC’s settlement with Equifax over the data breach easily tops the previous record – a US $148 million settlement with Uber after it exposed the personal information from 57 million user accounts in a 2016 data breach, a hack that Uber tried to keep secret.
I do hope that large fines will help teach big companies to take proper care of sensitive data. So far, nothing else seems to have worked.
One comment on “700 million reasons for Equifax to remember to patch its vulnerable IT systems in future”
Not enough in my opinion.
The company and its employees were grossly negligent in their handling of customer/client data.
Equifax should have had, and now should have, all its licences to do business revoked and been completely shut down, with the FCC and FTC supervising destruction of all data sets.
You say there'll be loss of jobs? So what! They have proven themselves eminently irresponsible and incompetent.