Equifax could pay $700m in data breach deal
Written by Hannah McGrath
Credit reporting agency Equifax has agreed to pay up to $700 million to settle with the Federal Trade Commission (FTC) over a 2017 data breach which left the details of up to 150 million people exposed.
The deal reached with the US regulator, which will involve at least $575 million, will register as the largest ever payout to the FTC to settle a data breach case, following the $148 million paid by Uber last year.
The settlement includes $300 million fund towards costs incurred by the victims for identity theft services and other related expanses following the breach, rising to $425 million if needed.
The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach.
The rest of the money ($275 million) will split between the US Federal Trade Commission, the Consumer Financial Protection Bureau, and 48 US states and territories.
The breach occurred as hackers accessed the personal information, including social security numbers and home addresses of nearly 148 million people, from Equifax servers in an attack from May to July 2017.
The company was fined £500,000 in September last year by the Information Commissioner’s Office (ICO) after the data of 15 million Britons was left exposed in the breach.
The data breach occurred between 13 May and 30 July 2017 and affected information belonging to 146 million people worldwide.
The FTC complaint alleged that the credit reporting company’s failure to take reasonable steps to secure its network led to the data breach, and further alleged that Equifax failed to patch its network after being alerted to a security breach in March 2017.
FTC chairman Joe Simons said: “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers – this settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
He added: “The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers.”
In addition to the monetary relief to consumers, Equifax is also required to implement a comprehensive information security program including:
• Designating an employee to oversee the information security program;
• Conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;
• Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
• Testing and monitoring the effectiveness of the security safeguards; and
• Ensuring service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.