Almost two years after a major data breach hit Equifax, the company has finally agreed to a global settlement with the US Federal Trade Commission (FTC).
As per the proposed terms of the deal, the consumer credit reporting agency will shell out as much as $700 million to settle with federal agencies and 50 US states and territories. Here are the details:
- $300 million to cover free credit monitoring services for impacted consumers. The company may need to cough up an additional $125 million if the original fine amount isn’t enough to compensate all consumers who make claims.
- $175 million, to be split up among the 50 attorneys general who filed suit, representing 48 states, Washington DC, and Puerto Rico
- $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB)
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”
Equifax, which handles credit data of over 800 million customers and 88 million businesses worldwide, suffered a catastrophic security incident back in 2017 after its systems were breached through a critical security flaw (Apache Struts vulnerability CVE-2017-5638) between May and the end of July, resulting in the theft of 147 million US citizens’ records.
Even worse, the company failed to take corrective action after it was warned about the vulnerability in March 2017, four months before the hack took place.
The attackers made off with names, addresses, dates of birth, Social Security numbers, and even driver's license information, making it one of the largest data breaches in history. The data scandal eventually led to the exit of its then-chief executive Richard Smith.
.@Equifax to pay $575M, potentially up to $700M as part of settlement w/ @FTC, @CFPB, and states related to 2017 data breach. Settlement includes fund to help consumers recover from data breach. Read more: https://t.co/9gyWfz4sV6 #EquifaxDataBreach pic.twitter.com/AXxhKtIAad
— FTC (@FTC) July 22, 2019
Victims of the breach will be able to claim up to 10 years of free credit monitoring and identity theft protection services for adults, and up to 18 years for victims who were minors in May 2017. Those who already have enrolled for credit monitoring can opt for a $125 payout.
Equifax will also pay up to $20,000 to compensate for expenses incurred as a result of the breach — including losses from unauthorized charges, associated fees, and overall time spent dealing with it.
Additionally, Equifax will offer free identity restoration services for at least seven years, as well as six additional free credit reports per year for all U.S. consumers effective 2020.
But to collect under the settlement, the FTC notes that “you must file a claim when the claims process begins.” The process is expected to start after the court approves the settlement, but you can sign up to receive updates right here.
Aside from all the payouts and services mentioned above, the settlement also requires that Equifax take corrective steps to improve its security practices going forward and avoid such incidents in the future.
Equifax CEO Mark W. Begor, in a statement, said the settlement was a positive step for US consumers and Equifax and would help the company move past the data breach to focus on its future.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter,” Begor added.
If the belated penalty appears too small for a breach of such magnitude, it seems the decision was deliberate.
“We want to make sure we don’t bankrupt the company or have them go out of business,” said Maneesha Mithal, a data and privacy subject matter expert with the FTC, in a statement to Ars Technica. “We want to make sure they have the funds and resources to protect consumers going forward.”
The fines may be a mere slap on the wrist. But the incident serves as a cautionary tale for companies to up their data security and privacy protocols. One can only hope they are taking note.