Credit score agency Equifax will pay up to $700m as part of a settlement for a 2017 data breach in which some 127 million of its customers had their personal data stolen.
The Equifax data breach settlement brings to a close investigations by the Federal Trade Commission (FTC), the Consumer Financial Protection Board (CFPB) and attorneys general in almost every US state.
It is a record settlement figure for a data breach, equivalent to roughly 20% of Equifax’s 2017-18 revenue. That makes it five times more than the maximum permissible fine under Europe’s General Data Protection Regulation (GDPR).
Despite some 15 million UK customers having been affected by the breach, Equifax was fined just £500,000 by the UK’s data watchdog because the breach took place prior to GDPR’s implementation in 2018.
While the settlement is record-breaking, it is equivalent to a maximum of $5.50 for every customer who had their data stolen. And, being a settlement, Equifax has also avoided what would likely have been a larger fine had it not come to an agreement.
“Given that Equifax has an annual turnover of around $3.4bn I would imagine that a fine of $700 million will certainly encourage them to get their data protection house in order,” Brian Higgins, security specialist at Comparitech.com, told Verdict.
“Given, however, that the ultimate penalty paid is described as a ‘settlement’ it would appear that they may have negotiated their way out of a more punitive arrangement which, if I were one of the victims of their mismanagement, would not necessarily convince me that justice has been done.”
Equifax data breach settlement: “Given the size of the breach, it is justified”
The Equifax data breach is often considered to be one of the worst in US history, both in its scale and in the sensitivity of the information that was stolen.
Compromised data included social security numbers, addresses, phone numbers and financial details – data that can be sold on to criminals to carry out crimes such as identity fraud and spear phishing.
“While the fine may be the largest issued, given the size of the breach, it is justified,” said Javvad Malik, security awareness advocate at KnowBe4, a cybersecurity awareness training firm.
“Unlike payment card information, one cannot reissue personal information, or change previous addresses, meaning these kinds of breaches can have a devastating impact on victims, if not immediately, then further down the line.”
New York Attorney General Letitia James said in a statement that Equifax’s “ineptitude, negligence, and lax security standards endangered the identities of half the US population”.
The Equifax data breach settlement will be broken down as follows:
- $300m restitution fund for harmed consumers, possibly rising to $425m
- $175m to US states and territories
- $50m penalty to the CFPB
Affected customers will also be eligible for 10 years of free credit monitoring from Equifax.
“Penalties are important, but companies like Equifax will only treat them as the cost of doing business unless there are concrete steps that consumers can take that will actually affect their business,” said Brian Vecci, field CTO at cybersecurity firm Varonis.
“Regardless of the size of the fine, this highlights just how great of a need there is for a US Federal privacy law that protects the rights of individuals and mandates standards for how data, including behavioural data mined from social media, has to be protected.”
Mark Begor, Equifax chief executive, said: “This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident.”
In a statement, Joe Simons, FTC chairman, said: “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147m consumers.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Equifax security failings
In July 2017 malicious hackers exploited a vulnerability that Equifax had failed to patch. The company had been made aware of this security flaw months before the data breach took place.
But Malik says it’s about more than the failure to patch a vulnerability.
“The crux of the fine boils down to not having appropriate security processes in place overall,” he said.
“This can be translated to mean that it was felt as if the company did not embrace a culture of security, where it is embedded throughout the company and reflected in the technology, processes, and the behaviours of the people. If that was the case, then an unpatched server alone would not have led to such a large breach.”
The company has agreed to improve its cybersecurity practices as part of the settlement.
Latest in string of fines
The Equifax data breach settlement follows a spate of large fines recently issued by regulators for privacy failings.
Facebook agreed to a $5bn fine from the FTC for mishandling users’ data in the Cambridge Analytica scandal.
Hotel group Marriott faces a £99m GDPR fine from the ICO for falling victim to a four-year-long hack.
Meanwhile, British Airways faces a record £183m GDPR fine after hackers stole the payment data of some 380,000 customers.
Jake Moore, cybersecurity specialist at cybersecurity firm ESET, said the Equifax data breach settlement “comes as no real surprise” against the backdrop of these recent fines.
“If anything, this, along with the latest British Airways and Marriott fines, will just echo the signal that neither the ICO, nor the US Federal Trade Commission and the Consumer Financial Protection Board, are firing blanks.
“And truth be told, these huge amounts of money are not there to put them out of business, but remind them and other companies that they need to be watertight with their customers’ personal data.
“It needs to be of the utmost importance and handled with the best possible security. If they make mistakes and lose anyone’s identifiable information, then they need to be reminded that this is not acceptable and it seems the ICO has found a way to do this rather effectively.”