Settlement includes creation of multimillion-dollar fund for impacted consumers

Equifax has agreed to pay at least $575 million – and potentially up to $700 million – as part of a settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 US states and territories, it has been announced.

A press release issued today by the FTC outlines the allegations that the credit reporting agency failed to take “reasonable steps” to secure its network prior to a data breach in 2017 that affected approximately 147 million people worldwide.

In its complaint (PDF), the commission alleges that Atlanta-based Equifax failed to secure the “massive amount of personal information stored on its network”, leading to a breach that “exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud”.

The company will pay $275 million in civil penalties and other compensation to 48 US states, the District of Columbia, Puerto Rico, and the CFPB.

As part of the proposed settlement, Equifax will pay at least $300 million to a fund (PDF) that will provide affected consumers with credit monitoring services.

This fund will also compensate any consumers who purchased credit or identity monitoring services from Equifax in the wake of the breach, and can expand to a maximum of $425 million if required. A website has been launched for impacted consumers to make their claim.

‘A staggering amount of data’

On September 7, 2017, Equifax announced that an unknown party had accessed its servers, making off with sensitive data and financial information.

Names, Social Security numbers, birth dates, addresses, driver’s licenses, and credit card numbers were taken in what has been regarded as one of the biggest data breaches in corporate history.

Though the incident was reported in September 2017, it later transpired that the security breach actually happened earlier in the year and wasn’t discovered until July.

The attackers were able to access a “staggering amount of data” because Equifax failed to implement “basic security measures”, according to the FTC’s complaint.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC chairman Joe Simons.

“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

Discussing the settlement, Equifax chief executive Mark Begor said: “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter.”


Fittingly, the FTC’s announcement today was coupled with a blog post offering security advice and guidance for organizations.

“Patch your software. Segment your network. Monitor for intruders. According to tech experts, those are security basics for businesses of any size,” writes the FTC’s Lesley Fair.

“But when you’re industry giant Equifax – a company in possession of staggering amounts of highly confidential information about more than 200 million Americans – it’s almost unthinkable not to implement those fundamental protections.”

The age of the mega-breach

News of the Equifax settlement comes as regulators on both sides of the Atlantic continue to bare their teeth against breach-impacted organizations.

Earlier this month, the UK’s Information Commissioner’s Office (ICO) made headlines after it announced it would fine British Airways approximately £183 million ($229 million) for a GDPR-infringing data breach.

Back in the US, the FTC was recently reported to have approved a record $5 billion settlement with Facebook – equivalent to one month’s revenue – over the infamous Cambridge Analytica data scandal.

If approved by the court, the Equifax settlement will become the FTC’s biggest-ever data breach settlement, eclipsing the $148 million penalty Uber agreed to pay last year.

Last year, the ICO issued Equifax with a fine of £500,000 (approximately $624,000) for its purported failure to protect the personal information of up to 15 million UK citizens.
