In a settlement with US regulators, credit reference agency Equifax has agreed to pay as much as $700 million in fines and compensation following its data breach in 2017.
The breach compromised up to 147 million consumers' records, including those of 15.2 million consumers in the UK. The company originally claimed that just 400,000 British citizens were affected by the security breach.
US consumers affected by the breach will be able to claim up to $20,000 each from a compensation fund of up to $425 million set up by Equifax.
The amount takes into consideration the time and money spent by consumers to protect themselves from the potential threats of ID theft or dealing with actual ID theft, fees paid to accountants or lawyers, and dealing with any subsequent identity theft.
Costs that affected consumers could recover include:
- Any cost of freezing or unfreezing credit reports at any consumer reporting agency, such as TransUnion or Experian, after the breach.
- Money spent buying credit monitoring or ID theft protection after the breach.
- Up to 25% of the amount paid to Equifax for credit or identity monitoring subscription products between Sept. 7, 2016, and Sept. 7, 2017. That would reimburse some expenses before the breach was announced. Equifax first discovered evidence of cyber crime, the company said, on July 29, 2017. The company said the unauthorized access took place from mid-May through July 2017.
- Any reimbursed costs, expenses, losses or charges you took on as a result of ID theft.
- Miscellaneous expenses associated with ID theft-related issues, such as notary, fax, postage, mileage and telephone charges.
Increased Risk to Consumers
The breach has made it more important than ever for consumers to pay close attention to their credit reports in order to spot any fraudulent activity.
The data breach exposed consumers' key information, including Social Security numbers, which could potentially be used by criminals looking to obtain credit in someone else’s name. The bulk of consumer information that was accessed also included birth dates, addresses, and in some cases, driver’s license numbers.
Anyone whose data was stolen will be able to claim a $125 one-off payment and receive at least four years of free credit monitoring, while Equifax will have to provide an additional six years of free monitoring of their Equifax credit report.
On top of the millions of dollars in compensation payments, Equifax has been fined $175 million, payable to 48 states across the nation, as well as the District of Columbia and Puerto Rico, plus a further $100 million to the US Consumer Financial Protection Bureau (CFPB). In total, this episode could easily cost the Atlanta-based company as much as $700 million – depending on the administration of the $425 million consumer compensation fund.
Failings in Security
And as if the magnitude of the compensation payouts and fines wasn’t enough, Equifax has also been ordered to spend a minimum of $1 billion improving its data security arrangements. An official investigation into the security breach accused the company of an array of IT security control and process failings that facilitated the breach.
However, during the company’s own internal investigation, Equifax had blamed an unpatched Apache Struts server, which bosses claimed had left the door open to the breach.
The settlement revealed this week is expected to provide redress for all outstanding claims in the US over the data breach, which is believed to have been carried out by a group affiliated to Chinese intelligence.
New York attorney general Letitia James said:
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk. This company’s ineptitude, negligence, and lax security standards endangered the identities of half the US population.”
Sources: Detroit Free Press, Computer Weekly