Equifax could pay $700m in data breach deal

Credit reporting agency Equifax has agreed to pay up to $700 million to settle with the Federal Trade Commission (FTC) over a 2017 data breach which left the details of up to 150 million people exposed.

The deal reached with the US regulator, which will involve at least $575 million, will register as the largest ever payout to the FTC to settle a data breach case, following the $148 million paid by Uber last year.

The settlement includes a $300 million fund towards costs incurred by the victims for identity theft services and other related expenses following the breach, rising to $425 million if needed.

The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach.

The rest of the money ($275 million) will be split between the US Federal Trade Commission, the Consumer Financial Protection Bureau, and 48 US states and territories.

The breach occurred when hackers accessed the personal information, including social security numbers and home addresses, of nearly 148 million people from Equifax servers in an attack from May to July 2017.

The company was fined £500,000 in September last year by the Information Commissioner’s Office (ICO) after the data of 15 million Britons was left exposed in the breach.

The data breach occurred between 13 May and 30 July 2017 and affected information belonging to 146 million people worldwide.

The FTC complaint alleged that the credit reporting company’s failure to take reasonable steps to secure its network led to the data breach, and further alleged that Equifax failed to patch its network after being alerted to a security breach in March 2017.

FTC chairman Joe Simons said: “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers – this settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

He added: “The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers.”

In addition to the monetary relief to consumers, Equifax is also required to implement a comprehensive information security program including:

• Designating an employee to oversee the information security program;

• Conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;

• Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;

• Testing and monitoring the effectiveness of the security safeguards; and

• Ensuring service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.
