US regulators hit Equifax with $700m data breach fine

Equifax is the latest multinational to face record-breaking fines for data protection breaches after the credit rating specialist agreed to pay up to $700m (£563m) in a settlement with the US Federal Trade Commission (FTC).

As part of the agreement, Equifax will pay at least $575m (£462m), and potentially up to $700m (£563m), to settle a network breach that exposed the data of 147m people.

The UK's Information Commissioner's Office has already issued the company with a £500,000 fine (the maximum allowed under legislation at the time) for failing to protect the personal information of up to 15m UK citizens during the same attack.

The FTC, along with the Consumer Financial Protection Bureau (CFPB), and 50 US states and territories, brought a complaint alleging that Equifax failed to secure sensitive personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses and other personal information that could lead to identity theft and fraud.

The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting the database which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out by the responsible employees.

In fact, Equifax did not discover that its database was unpatched until July 2017, when its security team detected suspicious traffic on its network. A company investigation revealed that multiple hackers were able to exploit the vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information and to operate undetected on Equifax’s network for months.
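The failure described above is a missing follow-up step: a 48-hour patch order went out, but nobody verified that it had been carried out. The script below is an added illustration of that verification step; it is not Equifax's tooling and is not drawn from the FTC complaint. The software version numbers, hostnames and dates are constructed placeholders. Given the alert time, the patch SLA and an asset inventory, it lists every system still running a vulnerable version once the deadline has passed, and separately flags systems whose "patched" status was last verified before the order was issued, since such a record cannot confirm compliance.

```python
"""Patch-SLA compliance check (added example; constructed data throughout)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Asset:
    hostname: str
    installed_version: str
    last_checked: datetime  # when the inventory last verified this version


def parse_version(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def overdue_assets(assets, fixed_version, alert_time, sla, now):
    """Return (hostname, reason) for each asset not verifiably patched after the SLA.

    'unpatched'  - the inventory reports a version below the fixed one.
    'unverified' - the reported version is fine, but it was last checked before the
                   alert went out, so the record does not prove the order was carried out.
    """
    deadline = alert_time + sla
    if now < deadline:
        return []  # SLA clock still running; nothing is overdue yet
    fixed = parse_version(fixed_version)
    findings = []
    for asset in assets:
        if parse_version(asset.installed_version) < fixed:
            findings.append((asset.hostname, "unpatched"))
        elif asset.last_checked < alert_time:
            findings.append((asset.hostname, "unverified"))
    return findings


# Constructed scenario: an alert on a hypothetical component, fixed in version 1.4.2,
# with a 48-hour remediation SLA. None of these values come from the article.
UTC = timezone.utc
ALERT_TIME = datetime(2017, 3, 8, 9, 0, tzinfo=UTC)
PATCH_SLA = timedelta(hours=48)
FIXED_VERSION = "1.4.2"

INVENTORY = [
    Asset("web-01", "1.4.2", datetime(2017, 3, 9, 14, 0, tzinfo=UTC)),  # patched and re-checked
    Asset("web-02", "1.3.9", datetime(2017, 3, 9, 14, 0, tzinfo=UTC)),  # still vulnerable
    Asset("web-03", "1.4.2", datetime(2017, 2, 20, 8, 0, tzinfo=UTC)),  # claim predates the alert
]


def report(now):
    """Compliance findings for the constructed inventory at time `now`."""
    return overdue_assets(INVENTORY, FIXED_VERSION, ALERT_TIME, PATCH_SLA, now)


if __name__ == "__main__":
    for host, reason in report(ALERT_TIME + PATCH_SLA + timedelta(days=1)):
        print(f"{host}: {reason}")
```

The "unverified" category is the point: an inventory that was never refreshed after the order cannot distinguish a patched system from one that merely looked patched weeks earlier, so the check treats stale evidence as non-compliance rather than as success.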

The hackers targeted Social Security numbers, dates of birth and other sensitive information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring or identity theft prevention services. It is believed that hackers stole at least 147m names and dates of birth, 145.5m Social Security numbers and 209,000 payment card numbers and expiration dates.

Hackers were able to access a ‘staggering amount’ of data, according to the FTC, because Equifax failed to implement basic security controls, despite the fact its privacy policy at the time stated that it limited access to consumers’ personal information and implemented ‘reasonable physical, technical and procedural safeguards’ to protect consumer data.

As part of the proposed settlement, Equifax will pay $300m to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the data breach.

Equifax will add up to $125m to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all US consumers with six free credit reports each year for seven years, on top of the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.

The company has also agreed to pay $175m to 48 states, the District of Columbia and Puerto Rico, as well as $100m to the CFPB in civil penalties. In addition, it is required to undertake a comprehensive review of its information security programme and implement a number of new measures.

These include conducting annual assessments of internal and external security risks, obtaining annual certifications from the Equifax board of directors or a relevant subcommittee attesting that the company has complied with the order, including its information security requirements, and obtaining third-party assessments of its information security programme every two years.

FTC chairman Joe Simons said: ‘The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority.’

Pat Sweet | 23-07-2019