Equifax to Pay up to $1-billion AUD Following 2017 Data Breach
Credit agency Equifax has reached a settlement with the U.S. Federal Trade Commission (FTC) following a data breach that resulted in a hacker stealing sensitive data on as many as 150 million Americans.
The FTC confirmed in a press release that it expected Equifax would pay “at least USD $575 million, and potentially up to USD $700 million, as part of a global settlement.”
The fine is in response to the data breach that hit Equifax in 2017, where, as the FTC explains, “Equifax failed to secure the massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses and other information that could lead to identity theft.”
The terms of the settlement stipulate that Equifax will pay USD $300 million into a fund set up to compensate those affected by the breach. “The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses,” the statement read.
According to the FTC’s statement, “Equifax failed to patch its network after being alerted in March 2017 to a critical vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data.”
“Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out by the responsible employees.”
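The failure the FTC describes is procedural: a 48-hour patch order was issued, but nobody reconciled the order against the actual state of the fleet. The following is an added example (not code from the page, the FTC or Equifax) of the kind of follow-up check that closes that gap: it takes a scanned component version per host rather than a ticket status, and reports both hosts still unpatched once the SLA has elapsed and hosts whose ticket was closed while the scan still shows the old version. Host names, versions, the fixed version and the alert timestamp are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass
class Host:
    name: str
    component_version: str  # version reported by a scanner/agent, not by the ticket
    ticket_closed: bool     # what the responsible team reported back


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple (hypothetical scheme)."""
    return tuple(int(part) for part in v.split("."))


def overdue_hosts(hosts: List[Host], fixed_version: str, alert_time: datetime,
                  now: datetime, sla: timedelta = timedelta(hours=48)) -> List[str]:
    """Hosts still running a version below fixed_version after the SLA deadline.

    Returns an empty list while the deadline has not yet passed, so the check can
    run on a schedule without paging anyone early.
    """
    deadline = alert_time + sla
    if now < deadline:
        return []
    fixed = parse_version(fixed_version)
    return [h.name for h in hosts if parse_version(h.component_version) < fixed]


def unverified_closures(hosts: List[Host], fixed_version: str) -> List[str]:
    """Hosts where the ticket says 'patched' but the scanned version disagrees.

    This is the reconciliation step the FTC said was missing: trusting the order
    to have been carried out instead of verifying the resulting system state.
    """
    fixed = parse_version(fixed_version)
    return [h.name for h in hosts
            if h.ticket_closed and parse_version(h.component_version) < fixed]


# Constructed sample data (hypothetical hosts and versions, not real inventory).
FIXED_VERSION = "1.5.0"
ALERT_TIME = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)  # hypothetical alert time
SAMPLE_HOSTS = [
    Host("web-01", "1.5.0", ticket_closed=True),   # actually patched
    Host("web-02", "1.4.2", ticket_closed=True),   # ticket closed, scan says otherwise
    Host("web-03", "1.4.1", ticket_closed=False),  # never actioned
]

if __name__ == "__main__":
    three_days_later = ALERT_TIME + timedelta(hours=72)
    print("overdue:", overdue_hosts(SAMPLE_HOSTS, FIXED_VERSION, ALERT_TIME, three_days_later))
    print("closed but unpatched:", unverified_closures(SAMPLE_HOSTS, FIXED_VERSION))
```

The point of feeding the check a scanned version rather than a ticket field is that a closed ticket is a claim, while the version string on the host is evidence; the second function is what would have flagged a system that someone marked done without patching.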
The settlement also stipulates that Equifax must improve its data security going forward, including adding staff to its information security program and undergoing independent third-party assessments of its systems every 24 months.
FTC chairman Joe Simons said that “this settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” he continued.
Kathleen L. Kraninger, director of the Consumer Financial Protection Bureau, added that “the incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers.”
“Too much is at stake for the financial security of people to make these protections anything less than a top priority,” she said.
According to a report from Zack Whittaker, “the company came under fire by congressional committees and security experts alike after it was found that Equifax had not properly rolled out publicly released patches on its network months prior to the data breach.”
Richard Smith, Equifax’s former chief executive, who left the company in the aftermath of the data breach, blamed the failure to roll out the patch on a single employee.
Whittaker writes that “this marks the largest fine ever issued by the FTC, following the USD $148-million fine handed to Uber following its own data breach. However, the fine amounts to as much as 20% of Equifax’s 2018 revenue of USD $3.41 billion.”
U.S. Senator Mark Warner said that “while I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”
The U.K. had already issued its maximum penalty under pre-GDPR legislation, around USD $624,000; under the GDPR, the fine could have reached 4% of Equifax’s global annual turnover.
Equifax’s new CEO, Mark Begor, described the settlement as a “positive step” for the company, which would now focus on internal investments in technology and security.