Equifax to pay $575m for data hack

by Mark Rowe

The credit checking agency Equifax Inc. has agreed to pay at least $575 million, and potentially up to $700m, as part of a settlement in the United States with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and 50 US states and territories. The credit reporting company’s failure to take reasonable steps to secure its network led to a data breach that affected about 147 million people.

FTC Chairman Joe Simons said: “Companies that profit from personal information have an extra responsibility to protect and secure that data. Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

According to the Commission, Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to see that the order was carried out.

Equifax failed to implement basic security measures, according to the complaint. This includes failing to implement a policy to ensure that security vulnerabilities were patched; failing to segment its database servers to block access to other parts of the network once one database was breached; and failing to install robust intrusion detection protections for its legacy databases. In addition, the FTC also alleges that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text.

Hackers targeted US Social Security numbers, dates of birth, and other sensitive data, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring, or (ironically) identity theft prevention services. For example, hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates. The US authorities require Equifax to bring in comprehensive information security. More about the settlement at ftc.gov/Equifax.

A consumer restitution fund of up to $425 million will be available to pay for three-bureau credit monitoring for consumers affected, actual out-of-pocket losses related to the breach, and identity restoration services. Equifax has been providing free credit monitoring services to consumers since September 2017.

Comments

Equifax Chief Executive Officer, Mark W Begor, said the consumer fund of up to $425m the company was announcing reinforced its commitment to putting consumers first and safeguarding their data – and reflected the seriousness with which the firm took this. “We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.”

More at www.equifaxbreachsettlement.com.

Saryu Nayyar, CEO of Gurucul said: “As Equifax is the current poster boy of bad information security, a fine of this magnitude isn’t surprising. This was the largest data breach of 2017 and it was much more severe than simple credit card information.”

Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center, spoke of a pattern developing – data breaches are costly in many ways. “First up is the impact on brand reputation – something we saw play out with Equifax where its valuation dropped by a third in the days following its breach disclosure to the bankruptcy filing by AMCA following the loss of its major accounts following its breach in 2019. Brand management can become a significant impairment to future operations once trust is lost. Next up is the actual incident response costs themselves – things like forensics teams, legal guidance, law enforcement and regulatory involvement all play key roles in cost management. Then there’s the potential impact on innovation – while remedial measures are underway, what is the availability of resources to release new functionality. Lastly there are the fines themselves.

“These fines dwarf the costs of having addressed security issues directly. Equifax lacked sufficient visibility into its operations to recognise that an open source vulnerability in a critical application was a risk. Facebook lacked sufficient controls to understand when data collected by its systems was being transferred to app developers. The Marriott technical due diligence process wasn’t sufficiently detailed enough to recognise data governance issues within its acquisition target Starwood. BA lacked sufficient software review practices to recognise that a key library was sending user data to malicious servers. As an industry we need to do better, and thankfully there is a ready template for us – GDPR. Can we with confidence state that we know precisely what data is collected, processed and retained by our organisations? This is the new test for any threat model – data access and controls. While the patch mantra is “you can’t patch what you don’t know you’re using”, the data mantra needs to be “if you don’t know you’re acting on some data, how can you protect it from malicious access?” Thankfully both of these are solvable problems given appropriate prioritisation, and with a cost far below that of recent regulatory fines.”


© 2024 Professional Security Magazine. All rights reserved.
