It was the biggest hack of private data in modern history, and now, two years later, Equifax has agreed to pay up to $700 million to resolve U.S. federal and state investigations into the 2017 hack that compromised the most sensitive information of 147 million people.
The resolution with the Federal Trade Commission, Consumer Financial Protection Bureau and 50 state attorneys-general draws a line under the hack, the largest-ever breach of consumer data. The credit scoring company has also settled with claimants in a class-action lawsuit.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” said Joe Simons, FTC chairman, in a statement on Monday morning.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” he added.
Equifax will also pay as much as $425 million to compensate consumers - which works out to about $3 per affected individual so don't spend it all at once - and will provide credit monitoring to those whose information was exposed. Equifax will separately pay $175 million to 48 states, the District of Columbia, and Puerto Rico, and an additional $100 million to the U.S. Consumer Financial Protection Bureau.
The agreement, which is the largest data-security settlement by the agency, resolves a nearly two-year investigation by all 50 states and the FTC into the massive breach that compromised sensitive information like Social Security numbers and dates of birth, Bloomberg reported.
The incident sparked outcries in Washington and among consumer advocates for more oversight of the three big consumer credit-rating companies, Equifax, TransUnion and Experian, culminating in a February hearing in which Democrats and Republicans on the House Financial Services Committee slammed the companies as Chairwoman Maxine Waters promised to tighten regulation of the industry. Lawmakers, however, have so far failed to act since the hack was disclosed.
In May 2017, hackers gained access to the Equifax network and attacked the company for 76 days, without the company being aware it was infiltrated. Equifax noticed “red flags” in late July, and then in early August contacted the Federal Bureau of Investigation, outside counsel and cybersecurity firm Mandiant. The company waited until September to inform the public of the breach.
As part of the hack, at least 147 million names and dates of birth, nearly 146 million Social Security numbers, and 209,000 payment card numbers and expiration dates were stolen, the FTC said, adding that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting a database that handles inquiries from consumers about their personal credit data. Although Equifax’s security team ordered that vulnerable systems be patched, there was no follow-up to ensure the order was carried out, the FTC said.
Under the FTC settlement, Equifax will pay up to $425 million into a fund that will provide affected consumers with credit monitoring. The fund will also compensate consumers who bought credit- or identity-monitoring services from Equifax and paid other expenses as a result of the breach, the FTC said. The company also will implement an information-security program that will require annual assessments of security risks, obtaining annual certifications from the board of directors that the company has complied with the settlement, and testing security safeguards.