Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.
The consumer credit reporting agency on Monday said it will pay $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 U.S. states, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said Federal Trade Commission (FTC) Chairman Joe Simons in a statement. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Equifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when it disclosed a data breach that impacted almost 150 million Americans. The attackers managed to access information containing Social Security numbers, birth dates, addresses, and some driver’s license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company’s files for nearly 12 weeks.
After the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, the Attorneys General of 48 states, and more.
Lawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted to a critical security flaw (an Apache Struts vulnerability, CVE-2017-5638) in its Equifax Automated Consumer Interview System database (which handles inquiries from consumers about their personal credit data). This vulnerability was ultimately exploited by bad actors, leading to the data breach.
As part of the agreement, Equifax also said it will take steps to enhance its information security and technology program, as well as make payments totaling $290.5 million to state and federal regulatory agencies to pay attorneys’ fees and costs in the multi-district litigation.
In the past month, a slew of fines and penalties has been imposed that were tied to privacy and data breach incidents. Earlier in July, the FTC slapped a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. Also hit with security-related fines in July were Marriott ($123 million) and British Airways ($230 million).
While opinions are mixed about the appropriate penalty for these companies and Equifax, security experts for their part hope that other companies will take note of the fines when it comes to data security and privacy.
“I’m far from an Equifax apologist, but the truth is it could have been anyone,” Adam Laub, chief marketing officer at STEALTHbits Technologies, said in an email. “It’s not an excuse, but rather the reality we live in. The best outcome isn’t Equifax making the situation right – although that is important for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it’s got to be from the ground up too. There’s no silver bullet.”