Equifax has reached a deal with the Federal Trade Commission (FTC) to pay up to $700 million over the data breach of July 2017, which leaked the personal information of 143 million Americans.
The credit reporting agency will set up a fund of $300 million to $425 million to compensate affected consumers; the amount may still grow depending on how many consumers continue to file claims. Another $175 million will be paid to the 48 states, including the District of Columbia and Puerto Rico, and $100 million will go to the Consumer Financial Protection Bureau (CFPB).
Aside from the fines, Equifax will change how it handles consumer data. Its information security protocols will be revised to comply with the FTC’s standards, and there will be an annual assessment of the company’s security risks that must be certified by its board.
FTC Chairman Joe Simons emphasized that companies whose businesses are built on personal information carry an “extra responsibility” to secure that data. He said in a statement, “Equifax failed to take basic steps that may have prevented the breach.”
In July 2017, personal data such as names, addresses, credit card numbers, and Social Security numbers were stolen from Equifax’s systems.
Equifax is one of the three largest credit-reporting companies tracking the financial history of consumers. The company collects data on financial transactions such as loans, credit card payments, child support payments, rent and utility payments, and credit limits. Beyond financial records, it also collects personal data such as employment history and valid ID numbers. From this data, the company computes each consumer’s credit score.
When the company disclosed the incident in September 2017, it identified 209,000 U.S. consumers whose credit card numbers had been stolen. About 182,000 people had also reported credit card disputes.
A thorough investigation found that 143 million consumers were affected, most of them residents of the United States, the United Kingdom, and Canada.
Unfortunately, not all 143 million consumers know that their information had been given to Equifax: the credit reporting company collects data from credit card companies, banks, stores, and lending agencies.
Since the incident, the company has mailed notices to identified affected consumers.
Aside from the notices, consumers can check whether they were affected by the hack through a website set up by Equifax. On the website, a user checks their status by clicking the “Check Potential Impact” link and submitting their name and the last six digits of their Social Security number.
The user then receives an email stating whether their information was included in the hack. Along with the notification, Equifax is also offering a security option called TrustedID Premier.
Users can enroll in TrustedID Premier, which provides free credit file monitoring and identity theft protection for a full year. Users had until January 31, 2018, to enroll in the program.
Initially, the enrollment terms suggested that anyone who enrolled might be giving up the right to join class-action suits or any other lawsuit against the company. After public backlash, the company removed that clause from its terms and conditions.
Equifax learned about the hack in July 2017 but did not disclose it to the public until three months later. Its communication with affected consumers was also criticized: rather than reassuring them, it left consumers unsure of what had happened while the threat of identity theft grew.
Attackers gained access to personal data through a security flaw in Apache Struts, a framework for building web applications, which Equifax used in its online dispute portal.
Equifax has admitted that its security department was aware of the flaw months before the attackers targeted its applications. The company was working on patching the flaw but failed to deploy the fix in time.
Compounding that lapse, when the breach was discovered on July 29, the company waited a day before taking the web application offline. According to the company’s statement, the delay was deliberate, in order to “observe additional suspicious activity.”
The company engaged Mandiant, a cybersecurity firm, to assess the damage from the intrusion. The investigation revealed that a series of breaches had already occurred between May 13 and June 30.
Many criticized Equifax’s slow response to a vulnerability discovered months before the intrusion. Jon Hendren, director of security firm UpGuard, said, “There’s really no excuse whether it’s a difficult patch or not, for an organization of that size with that kind of magnitude of data.”
Following the breach and the widely criticized handling of the crisis and its public relations, CEO Richard Smith retired in September 2017, effective immediately. The company also announced the retirements of its top security and information executives at that time.