Equifax to pay at least $575 million in data breach settlement

The credit-reporting agency will pay millions to settle government allegations that it failed to take reasonable precautions to prevent the massive 2017 breach

Credit-reporting agency Equifax will pay at least $575 million, and potentially up to $700 million, as part of a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 US states and territories over allegations that the company failed to take reasonable precautions to prevent a 2017 data breach that exposed the personal information of about 147 million consumers.

The FTC alleged that Equifax had failed to secure the “massive amount” of personal information stored in its network. That information included names, dates of birth, Social Security numbers, and other data that could allow hackers to steal consumers’ identities.

As part of the settlement, Equifax will pay $300 million to a fund that will provide credit-monitoring services for affected consumers. The fund will also compensate consumers who bought credit- or identity-monitoring services from Equifax and paid other out-of-pocket expenses as a result of the breach. Equifax will add up to $125 million to the fund if the initial payment is insufficient to compensate consumers for their losses, the FTC said. Beginning in January, Equifax will also provide all US consumers with six free credit reports per year for seven years – in addition to the one free annual credit report currently required by law.

The company will also pay $175 million to 48 states, the District of Columbia and Puerto Rico, and $100 million in civil penalties to the CFPB.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected nearly 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

“The incident at Equifax underscores the evolving cybersecurity threats confronting both private and government computer systems and the actions they must take to shield the personal information of consumers,” said CFPB Director Kathy Kraninger. “Too much is at stake for the financial security of the American people to make these protections anything less than a top priority.”

The FTC alleges that Equifax failed to patch its network even after being alerted in March 2017 – months before the data breach – that a critical security vulnerability was affecting its database. Although Equifax’s security team ordered that each vulnerable system be patched within 48 hours of receiving the alert, the company did not follow up to ensure the order was carried out, the FTC said.

In fact, Equifax did not discover that its system hadn’t been patched until July of 2017, when the security team detected suspicious traffic on the company’s network. Hackers were able to steal “a staggering amount of data” because Equifax failed to implement basic security controls, the FTC said.
