Equifax’s 2017 data breach will cost firm at least $1.38bn
Equifax, one of the three largest consumer credit reporting agencies, has finally reached a settlement, approved by a federal judge in Atlanta, of the lawsuit brought against it after the agency failed to protect the personal information of up to 147 million US consumers in a 2017 cyber-attack.
Under the settlement it pledges to set aside at least $380.5 million for breach compensation and to spend a further $1 billion on transforming its information security over the next five years, a total of $1.38 billion.
US victims of the breach now have until 21 January 2020 to file a claim. The breach also affected millions of people outside the US. The UK's Information Commissioner's Office (ICO) fined the agency £500,000 in 2018 after its UK arm failed to protect the data of up to 15 million UK citizens, and around 20,000 Canadians were affected as well.
Equifax's failure to patch a web application security flaw, which it later emerged the agency had known about, has forced the company to offer consumers up to four years of free credit monitoring or, if they already had monitoring in place, a cash payment of up to $125. The settlement does, however, cap these cash payments at $31 million in total.
The court estimated that the free credit monitoring would be worth a further $2 billion at market value if all 147 million US victims signed up.
Money from the $380.5 million compensation fund will also be used to pay up to $20,000 to each individual who can document expenses incurred as a direct result of the breach. Individuals can also claim up to 20 hours, at $25 per hour, for time spent dealing with the consequences of the breach.
The US District Court for the Northern District of Georgia granted final approval of the settlement between the Federal Trade Commission and Equifax, which has remained essentially unchanged since July last year.
“This settlement is the largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude,” says chief judge Thomas W. Thrash Jr.
Equifax blamed a vulnerability in the open-source Apache Struts web application framework, even though a patch for the flaw was already available at the time of the breach and had not been applied.
The unpatched vulnerability allowed the attackers to raid 48 databases, running around 9,000 queries against unencrypted personally identifiable information.
Seized information included names, addresses, email addresses, phone numbers, birth dates, driver’s license and passport numbers and financial data.