Equifax has agreed to pay $575 million, and possibly up to $700 million, as part of a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 states and territories.
The settlement resolves allegations that the credit reporting company’s failure to take steps to secure its network led to a data breach in 2017 that affected about 147 million people.
In its lawsuit, the FTC alleges that the Equifax data breach exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.
As part of the proposed settlement, Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services.
The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other money as a result of the 2017 data breach. Equifax will add up to $125 million to the fund if the $300 million isn’t enough to compensate consumers for their losses.
In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years, on top of the one free annual credit report that Equifax and the two other credit reporting agencies already provide.
The company also has agreed to pay $175 million to 48 states, the District of Columbia, and Puerto Rico, as well as $100 million in fines to the CFPB.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” Joe Simons, FTC chairman, said. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Company’s security failures
The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to security problems in its ACIS database, which handles inquiries from consumers about their personal credit data.
Even though Equifax’s security team ordered that each of the company’s problematic systems be patched within 48 hours after receiving the alert, Equifax didn’t follow up to ensure the order was carried out.
Equifax didn’t discover that its ACIS database was unpatched until July 2017, when its security team detected suspicious traffic on its network.
A company investigation showed that multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text.
These credentials allowed the hackers to gain access to consumers’ personal information and to operate undetected on Equifax’s network for months.
The hackers targeted personal information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring, or identity theft prevention services. For example, hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates.
Hackers were able to access huge amounts of data because Equifax failed to carry out basic security measures, according to the lawsuit.
The FTC alleges that Equifax violated the FTC Act’s prohibition against unfair and deceptive practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, carry out, and maintain an information security program to protect the security, confidentiality, and integrity of customer information.
In addition to the payments to consumers, Equifax is required to carry out an information security program under which the company must:
- Designate an employee to oversee the information security program.
- Conduct annual assessments of internal and external security risks and carry out safeguards to address potential risks.
- Obtain annual certifications from the Equifax board of directors or a subcommittee attesting that the company has complied with the order.
- Test and monitor the effectiveness of the security safeguards.
The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years.
In addition, the FTC encourages Equifax employees who believe the company is failing to adhere to its data security promises to email the FTC at email@example.com. Consumers can find out more about the settlement at ftc.gov/Equifax.