Equifax Pays Dearly for Failed Patch

Equifax has agreed to pay anywhere from $575 million to $700 million in its settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. In 2017, Equifax suffered one of the largest data breaches in U.S. history after it failed to properly secure over 148 million records on its storage network, a vulnerability that was then exploited. The breach exposed millions of names, dates of birth, Social Security numbers, physical addresses, and other personal information.

The cause of the breach was allegedly a failure to apply a patch to the ACIS database to correct a vulnerability, despite orders from the Equifax Security Team to apply the patch. A company investigation revealed that multiple hackers were able to exploit the ACIS vulnerability for several months before discovery. The hackers accessed an unsecured file that included administrative credentials stored in plain text.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

Kathleen Kraninger, Director of the Consumer Financial Protection Bureau, said that this settlement is not the end.  “The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority.”

In addition to the monetary awards, the settlement requires several corrective security steps within Equifax, including third-party assessments of security, security testing, and a designated information security officer. Consumers affected by the breach are eligible for up to $20,000 in a cash settlement, depending on damages they can prove. Consumers can find out more about the settlement at ftc.gov/Equifax.